summaryrefslogtreecommitdiff
path: root/src/charon/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon/plugins')
-rw-r--r--src/charon/plugins/eap_aka/eap_aka.c3
-rw-r--r--src/charon/plugins/kernel_klips/Makefile.am10
-rw-r--r--src/charon/plugins/kernel_klips/Makefile.in501
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_ipsec.c2659
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_ipsec.h48
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_plugin.c58
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_plugin.h49
-rw-r--r--src/charon/plugins/kernel_klips/pfkeyv2.h322
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c864
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_net.c269
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_shared.c20
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_shared.h12
-rw-r--r--src/charon/plugins/kernel_pfkey/Makefile.am10
-rw-r--r--src/charon/plugins/kernel_pfkey/Makefile.in501
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c1991
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h48
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c58
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h49
-rw-r--r--src/charon/plugins/load_tester/Makefile.am16
-rw-r--r--src/charon/plugins/load_tester/Makefile.in509
-rw-r--r--src/charon/plugins/load_tester/load_tester_config.c143
-rw-r--r--src/charon/plugins/load_tester/load_tester_config.h53
-rw-r--r--src/charon/plugins/load_tester/load_tester_creds.c236
-rw-r--r--src/charon/plugins/load_tester/load_tester_creds.h53
-rw-r--r--src/charon/plugins/load_tester/load_tester_ipsec.c165
-rw-r--r--src/charon/plugins/load_tester/load_tester_ipsec.h48
-rw-r--r--src/charon/plugins/load_tester/load_tester_listener.c75
-rw-r--r--src/charon/plugins/load_tester/load_tester_listener.h53
-rw-r--r--src/charon/plugins/load_tester/load_tester_plugin.c175
-rw-r--r--src/charon/plugins/load_tester/load_tester_plugin.h51
-rw-r--r--src/charon/plugins/medcli/medcli_listener.c76
-rw-r--r--src/charon/plugins/medcli/medcli_listener.h2
-rw-r--r--src/charon/plugins/nm/Makefile.am2
-rw-r--r--src/charon/plugins/nm/Makefile.in2
-rw-r--r--src/charon/plugins/nm/nm_creds.c38
-rw-r--r--src/charon/plugins/nm/nm_service.c154
-rw-r--r--src/charon/plugins/smp/smp.c18
-rw-r--r--src/charon/plugins/sql/pool.c14
-rw-r--r--src/charon/plugins/sql/sql_attribute.c22
-rw-r--r--src/charon/plugins/sql/sql_logger.c13
-rw-r--r--src/charon/plugins/sql/sql_logger.h2
-rw-r--r--src/charon/plugins/stroke/stroke_ca.c30
-rw-r--r--src/charon/plugins/stroke/stroke_config.c4
-rw-r--r--src/charon/plugins/stroke/stroke_control.c4
-rw-r--r--src/charon/plugins/stroke/stroke_cred.c37
-rw-r--r--src/charon/plugins/stroke/stroke_list.c104
-rw-r--r--src/charon/plugins/stroke/stroke_socket.c36
-rw-r--r--src/charon/plugins/unit_tester/tests/test_pool.c1
-rw-r--r--src/charon/plugins/updown/Makefile.am12
-rw-r--r--src/charon/plugins/updown/Makefile.in501
-rw-r--r--src/charon/plugins/updown/updown_listener.c320
-rw-r--r--src/charon/plugins/updown/updown_listener.h51
-rw-r--r--src/charon/plugins/updown/updown_plugin.c65
-rw-r--r--src/charon/plugins/updown/updown_plugin.h49
54 files changed, 9828 insertions, 778 deletions
diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c
index 4c0f76b7f..bb3825d3d 100644
--- a/src/charon/plugins/eap_aka/eap_aka.c
+++ b/src/charon/plugins/eap_aka/eap_aka.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: eap_aka.c 4276 2008-08-22 10:44:51Z martin $
+ * $Id: eap_aka.c 4628 2008-11-11 15:19:13Z martin $
*/
@@ -35,6 +35,7 @@
* - server_initiate_challenge() - Initiation of AKA-Challenge
*/
+#include <limits.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>
diff --git a/src/charon/plugins/kernel_klips/Makefile.am b/src/charon/plugins/kernel_klips/Makefile.am
new file mode 100644
index 000000000..dc0234775
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
+
+libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
+ kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+libstrongswan_kernel_klips_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in
new file mode 100644
index 000000000..702b38394
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/Makefile.in
@@ -0,0 +1,501 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/kernel_klips
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_kernel_klips_la_LIBADD =
+am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \
+ kernel_klips_ipsec.lo
+libstrongswan_kernel_klips_la_OBJECTS = \
+ $(am_libstrongswan_kernel_klips_la_OBJECTS)
+libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_kernel_klips_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
+libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
+ kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+
+libstrongswan_kernel_klips_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_klips/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/charon/plugins/kernel_klips/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES)
+ $(libstrongswan_kernel_klips_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
new file mode 100644
index 000000000..91bef0a54
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -0,0 +1,2659 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_klips_ipsec.c 4631 2008-11-11 18:35:10Z martin $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <stdint.h>
+#include "pfkeyv2.h"
+#include <linux/udp.h>
+#include <net/if.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <errno.h>
+
+#include "kernel_klips_ipsec.h"
+
+#include <daemon.h>
+#include <utils/mutex.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+/** default timeout for generated SPIs (in seconds) */
+#define SPI_TIMEOUT 30
+
+/** buffer size for PF_KEY messages */
+#define PFKEY_BUFFER_SIZE 2048
+
+/** PF_KEY messages are 64 bit aligned */
+#define PFKEY_ALIGNMENT 8
+/** aligns len to 64 bits */
+#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
+/** calculates the properly padded length in 64 bit chunks */
+#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
+/** calculates user mode length i.e. in bytes */
+#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
+
+/** given a PF_KEY message header and an extension this updates the length in the header */
+#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
+/** given a PF_KEY message header this returns a pointer to the next extension */
+#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
+/** copy an extension and append it to a PF_KEY message */
+#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
+/** given a PF_KEY extension this returns a pointer to the next extension */
+#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
+/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
+#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
+/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
+#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+ (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+ (ext)->sadb_ext_len <= (len))
+
+/** special SPI values used for policies in KLIPS */
+#define SPI_PASS 256
+#define SPI_DROP 257
+#define SPI_REJECT 258
+#define SPI_HOLD 259
+#define SPI_TRAP 260
+#define SPI_TRAPSUBNET 261
+
+/** the prefix of the name of KLIPS ipsec devices */
+#define IPSEC_DEV_PREFIX "ipsec"
+/** this is the default number of ipsec devices */
+#define DEFAULT_IPSEC_DEV_COUNT 4
+/** TRUE if the given name matches an ipsec device */
+#define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
+
+/** the following stuff is from ipsec_tunnel.h */
+struct ipsectunnelconf
+{
+ __u32 cf_cmd;
+ union
+ {
+ char cfu_name[12];
+ } cf_u;
+#define cf_name cf_u.cfu_name
+};
+
+#define IPSEC_SET_DEV (SIOCDEVPRIVATE)
+#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1)
+#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2)
+
+typedef struct private_kernel_klips_ipsec_t private_kernel_klips_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_klips class.
+ */
+struct private_kernel_klips_ipsec_t
+{
+ /**
+ * Public part of the kernel_klips_t object.
+ */
+ kernel_klips_ipsec_t public;
+
+ /**
+ * mutex to lock access to various lists
+ */
+ mutex_t *mutex;
+
+ /**
+ * List of installed policies (policy_entry_t)
+ */
+ linked_list_t *policies;
+
+ /**
+ * List of allocated SPIs without installed SA (sa_entry_t)
+ */
+ linked_list_t *allocated_spis;
+
+ /**
+ * List of installed SAs (sa_entry_t)
+ */
+ linked_list_t *installed_sas;
+
+ /**
+ * whether to install routes along policies
+ */
+ bool install_routes;
+
+ /**
+ * List of ipsec devices (ipsec_dev_t)
+ */
+ linked_list_t *ipsec_devices;
+
+ /**
+ * job receiving PF_KEY events
+ */
+ callback_job_t *job;
+
+ /**
+ * mutex to lock access to the PF_KEY socket
+ */
+ mutex_t *mutex_pfkey;
+
+ /**
+ * PF_KEY socket to communicate with the kernel
+ */
+ int socket;
+
+ /**
+ * PF_KEY socket to receive acquire and expire events
+ */
+ int socket_events;
+
+ /**
+ * sequence number for messages sent to the kernel
+ */
+ int seq;
+
+};
+
+
+typedef struct ipsec_dev_t ipsec_dev_t;
+
+/**
+ * ipsec device
+ */
+struct ipsec_dev_t {
+ /** name of the virtual ipsec interface */
+ char name[IFNAMSIZ];
+
+ /** name of the physical interface */
+ char phys_name[IFNAMSIZ];
+
+ /** by how many CHILD_SA's this ipsec device is used */
+ u_int refcount;
+};
+
+/**
+ * compare the given name with the virtual device name
+ */
+static inline bool ipsec_dev_match_byname(ipsec_dev_t *current, char *name)
+{
+ return name && streq(current->name, name);
+}
+
+/**
+ * compare the given name with the physical device name
+ */
+static inline bool ipsec_dev_match_byphys(ipsec_dev_t *current, char *name)
+{
+ return name && streq(current->phys_name, name);
+}
+
+/**
+ * matches free ipsec devices
+ */
+static inline bool ipsec_dev_match_free(ipsec_dev_t *current)
+{
+ return current->refcount == 0;
+}
+
+/**
+ * tries to find an ipsec_dev_t object by name
+ */
+static status_t find_ipsec_dev(private_kernel_klips_ipsec_t *this, char *name,
+ ipsec_dev_t **dev)
+{
+ linked_list_match_t match = (linked_list_match_t)(IS_IPSEC_DEV(name) ?
+ ipsec_dev_match_byname : ipsec_dev_match_byphys);
+ return this->ipsec_devices->find_first(this->ipsec_devices, match,
+ (void**)dev, name);
+}
+
+/**
+ * attach an ipsec device to a physical interface
+ */
+static status_t attach_ipsec_dev(char* name, char *phys_name)
+{
+ int sock;
+ struct ifreq req;
+ struct ipsectunnelconf *itc = (struct ipsectunnelconf*)&req.ifr_data;
+ short phys_flags;
+ int mtu;
+
+ DBG2(DBG_KNL, "attaching virtual interface %s to %s", name, phys_name);
+
+ if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
+ {
+ return FAILED;
+ }
+
+ strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+ if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+ {
+ close(sock);
+ return FAILED;
+ }
+ phys_flags = req.ifr_flags;
+
+ strncpy(req.ifr_name, name, IFNAMSIZ);
+ if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+ {
+ close(sock);
+ return FAILED;
+ }
+
+ if (req.ifr_flags & IFF_UP)
+ {
+ /* if it's already up, it is already attached, detach it first */
+ ioctl(sock, IPSEC_DEL_DEV, &req);
+ }
+
+ /* attach it */
+ strncpy(req.ifr_name, name, IFNAMSIZ);
+ strncpy(itc->cf_name, phys_name, sizeof(itc->cf_name));
+ ioctl(sock, IPSEC_SET_DEV, &req);
+
+ /* copy address from physical to virtual */
+ strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+ if (ioctl(sock, SIOCGIFADDR, &req) == 0)
+ {
+ strncpy(req.ifr_name, name, IFNAMSIZ);
+ ioctl(sock, SIOCSIFADDR, &req);
+ }
+
+ /* copy net mask from physical to virtual */
+ strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+ if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
+ {
+ strncpy(req.ifr_name, name, IFNAMSIZ);
+ ioctl(sock, SIOCSIFNETMASK, &req);
+ }
+
+ /* copy other flags and addresses */
+ strncpy(req.ifr_name, name, IFNAMSIZ);
+ if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
+ {
+ if (phys_flags & IFF_POINTOPOINT)
+ {
+ req.ifr_flags |= IFF_POINTOPOINT;
+ req.ifr_flags &= ~IFF_BROADCAST;
+ ioctl(sock, SIOCSIFFLAGS, &req);
+
+ strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+ if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
+ {
+ strncpy(req.ifr_name, name, IFNAMSIZ);
+ ioctl(sock, SIOCSIFDSTADDR, &req);
+ }
+ }
+ else if (phys_flags & IFF_BROADCAST)
+ {
+ req.ifr_flags &= ~IFF_POINTOPOINT;
+ req.ifr_flags |= IFF_BROADCAST;
+ ioctl(sock, SIOCSIFFLAGS, &req);
+
+ strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+ if (ioctl(sock, SIOCGIFBRDADDR, &req)==0)
+ {
+ strncpy(req.ifr_name, name, IFNAMSIZ);
+ ioctl(sock, SIOCSIFBRDADDR, &req);
+ }
+ }
+ else
+ {
+ req.ifr_flags &= ~IFF_POINTOPOINT;
+ req.ifr_flags &= ~IFF_BROADCAST;
+ ioctl(sock, SIOCSIFFLAGS, &req);
+ }
+ }
+
+ mtu = lib->settings->get_int(lib->settings,
+ "charon.plugins.kernel_klips.ipsec_dev_mtu", 0);
+ if (mtu <= 0)
+ {
+ /* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
+ * ESP overhead : 73 bytes
+ * NAT-T overhead : 8 bytes ==> 81 bytes
+ *
+ * assuming tunnel mode with AES encryption and integrity
+ * outer IP header : 20 bytes
+ * (NAT-T UDP header: 8 bytes)
+ * ESP header : 8 bytes
+ * IV : 16 bytes
+ * padding : 15 bytes (worst-case)
+ * pad len / NH : 2 bytes
+ * auth data : 12 bytes
+ */
+ strncpy(req.ifr_name, phys_name, IFNAMSIZ);
+ ioctl(sock, SIOCGIFMTU, &req);
+ mtu = req.ifr_mtu - 81;
+ }
+
+ /* set MTU */
+ strncpy(req.ifr_name, name, IFNAMSIZ);
+ req.ifr_mtu = mtu;
+ ioctl(sock, SIOCSIFMTU, &req);
+
+ /* bring ipsec device UP */
+ if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
+ {
+ req.ifr_flags |= IFF_UP;
+ ioctl(sock, SIOCSIFFLAGS, &req);
+ }
+
+ close(sock);
+ return SUCCESS;
+}
+
+/**
+ * detach an ipsec device from a physical interface
+ */
+static status_t detach_ipsec_dev(char* name, char *phys_name)
+{
+ int sock;
+ struct ifreq req;
+
+ DBG2(DBG_KNL, "detaching virtual interface %s from %s", name,
+ strlen(phys_name) ? phys_name : "any physical interface");
+
+ if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
+ {
+ return FAILED;
+ }
+
+ strncpy(req.ifr_name, name, IFNAMSIZ);
+ if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
+ {
+ close(sock);
+ return FAILED;
+ }
+
+ /* shutting interface down */
+ if (req.ifr_flags & IFF_UP)
+ {
+ req.ifr_flags &= ~IFF_UP;
+ ioctl(sock, SIOCSIFFLAGS, &req);
+ }
+
+ /* unset address */
+ memset(&req.ifr_addr, 0, sizeof(req.ifr_addr));
+ req.ifr_addr.sa_family = AF_INET;
+ ioctl(sock, SIOCSIFADDR, &req);
+
+ /* detach interface */
+ ioctl(sock, IPSEC_DEL_DEV, &req);
+
+ close(sock);
+ return SUCCESS;
+}
+
+/**
+ * destroy an ipsec_dev_t object
+ */
+static void ipsec_dev_destroy(ipsec_dev_t *this)
+{
+ detach_ipsec_dev(this->name, this->phys_name);
+ free(this);
+}
+
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+ /** Name of the interface the route is bound to */
+ char *if_name;
+
+ /** Source ip of the route */
+ host_t *src_ip;
+
+ /** Gateway for this route */
+ host_t *gateway;
+
+ /** Destination net */
+ chunk_t dst_net;
+
+ /** Destination net prefixlen */
+ u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+ free(this->if_name);
+ this->src_ip->destroy(this->src_ip);
+ this->gateway->destroy(this->gateway);
+ chunk_free(&this->dst_net);
+ free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+
+ /** reqid of this policy, if setup as trap */
+ u_int32_t reqid;
+
+ /** direction of this policy: in, out, forward */
+ u_int8_t direction;
+
+ /** parameters of installed policy */
+ struct {
+ /** subnet and port */
+ host_t *net;
+ /** subnet mask */
+ u_int8_t mask;
+ /** protocol */
+ u_int8_t proto;
+ } src, dst;
+
+ /** associated route installed for this policy */
+ route_entry_t *route;
+
+ /** by how many CHILD_SA's this policy is actively used */
+ u_int activecount;
+
+ /** by how many CHILD_SA's this policy is trapped */
+ u_int trapcount;
+};
+
+/**
+ * convert a numerical netmask to a host_t
+ */
+static host_t *mask2host(int family, u_int8_t mask)
+{
+ static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+ chunk_t chunk = chunk_alloca(family == AF_INET ? 4 : 16);
+ int bytes = mask / 8, bits = mask % 8;
+ memset(chunk.ptr, 0xFF, bytes);
+ memset(chunk.ptr + bytes, 0, chunk.len - bytes);
+ if (bits)
+ {
+ chunk.ptr[bytes] = bitmask[bits];
+ }
+ return host_create_from_chunk(family, chunk, 0);
+}
+
+/**
+ * check if a host is in a subnet (host with netmask in bits)
+ */
+static bool is_host_in_net(host_t *host, host_t *net, u_int8_t mask)
+{
+ static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
+ chunk_t host_chunk, net_chunk;
+ int bytes = mask / 8, bits = mask % 8;
+
+ host_chunk = host->get_address(host);
+ net_chunk = net->get_address(net);
+
+ if (host_chunk.len != net_chunk.len)
+ {
+ return FALSE;
+ }
+
+ if (memeq(host_chunk.ptr, net_chunk.ptr, bytes))
+ {
+ return (bits == 0) ||
+ (host_chunk.ptr[bytes] & bitmask[bits]) ==
+ (net_chunk.ptr[bytes] & bitmask[bits]);
+ }
+
+ return FALSE;
+}
+
+/**
+ * create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts, policy_dir_t dir)
+{
+ policy_entry_t *policy = malloc_thing(policy_entry_t);
+ policy->reqid = 0;
+ policy->direction = dir;
+ policy->route = NULL;
+ policy->activecount = 0;
+ policy->trapcount = 0;
+
+ src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
+ dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
+
+ /* src or dest proto may be "any" (0), use more restrictive one */
+ policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+ policy->src.proto = policy->src.proto ? policy->src.proto : 0;
+ policy->dst.proto = policy->src.proto;
+
+ return policy;
+}
+
+/**
+ * destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+ DESTROY_IF(this->src.net);
+ DESTROY_IF(this->dst.net);
+ if (this->route)
+ {
+ route_entry_destroy(this->route);
+ }
+ free(this);
+}
+
+/**
+ * compares two policy_entry_t
+ */
+static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
+{
+ return current->direction == policy->direction &&
+ current->src.proto == policy->src.proto &&
+ current->dst.proto == policy->dst.proto &&
+ current->src.mask == policy->src.mask &&
+ current->dst.mask == policy->dst.mask &&
+ current->src.net->equals(current->src.net, policy->src.net) &&
+ current->dst.net->equals(current->dst.net, policy->dst.net);
+}
+
+static inline bool policy_entry_match_byaddrs(policy_entry_t *current, host_t *src,
+ host_t *dst)
+{
+ return is_host_in_net(src, current->src.net, current->src.mask) &&
+ is_host_in_net(dst, current->dst.net, current->dst.mask);
+}
+
+typedef struct sa_entry_t sa_entry_t;
+
+/**
+ * used for two things:
+ * - allocated SPIs that have not yet resulted in an installed SA
+ * - installed inbound SAs with enabled UDP encapsulation
+ */
+struct sa_entry_t {
+
+ /** protocol of this SA */
+ protocol_id_t protocol;
+
+ /** reqid of this SA */
+ u_int32_t reqid;
+
+ /** SPI of this SA */
+ u_int32_t spi;
+
+ /** src address of this SA */
+ host_t *src;
+
+ /** dst address of this SA */
+ host_t *dst;
+
+ /** TRUE if this SA uses UDP encapsulation */
+ bool encap;
+
+ /** TRUE if this SA is inbound */
+ bool inbound;
+};
+
+/**
+ * create an sa_entry_t object
+ */
+static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi,
+ u_int32_t reqid, host_t *src, host_t *dst,
+ bool encap, bool inbound)
+{
+ sa_entry_t *sa = malloc_thing(sa_entry_t);
+ sa->protocol = protocol;
+ sa->reqid = reqid;
+ sa->spi = spi;
+ sa->src = src ? src->clone(src) : NULL;
+ sa->dst = dst ? dst->clone(dst) : NULL;
+ sa->encap = encap;
+ sa->inbound = inbound;
+ return sa;
+}
+
+/**
+ * destroy an sa_entry_t object
+ */
+static void sa_entry_destroy(sa_entry_t *this)
+{
+ DESTROY_IF(this->src);
+ DESTROY_IF(this->dst);
+ free(this);
+}
+
+/**
+ * match an sa_entry_t for an inbound SA that uses UDP encapsulation by spi and src (remote) address
+ */
+static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi,
+ host_t *src)
+{
+ return current->encap && current->inbound &&
+ current->spi == *spi && src->ip_equals(src, current->src);
+}
+
+/**
+ * match an sa_entry_t by protocol, spi and dst address (as the kernel does it)
+ */
+static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol,
+ u_int32_t *spi, host_t *dst)
+{
+ return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst);
+}
+
+/**
+ * match an sa_entry_t by protocol, reqid and spi
+ */
+static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol,
+ u_int32_t *spi, u_int32_t *reqid)
+{
+ return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid;
+}
+
+typedef struct pfkey_msg_t pfkey_msg_t;
+
+struct pfkey_msg_t
+{
+ /**
+ * PF_KEY message base
+ */
+ struct sadb_msg *msg;
+
+
+ /**
+ * PF_KEY message extensions
+ */
+ union {
+ struct sadb_ext *ext[SADB_EXT_MAX + 1];
+ struct {
+ struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
+ struct sadb_sa *sa; /* SADB_EXT_SA */
+ struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
+ struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
+ struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
+ struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
+ struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
+ struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
+ struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
+ struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
+ struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
+ struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
+ struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
+ struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
+ struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
+ struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
+ struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
+ struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
+ struct sadb_ext *x_policy; /* SADB_X_EXT_SATYPE2 */
+ struct sadb_ext *x_sa2; /* SADB_X_EXT_SA2 */
+ struct sadb_address *x_dst2; /* SADB_X_EXT_ADDRESS_DST2 */
+ struct sadb_address *x_src_flow; /* SADB_X_EXT_ADDRESS_SRC_FLOW */
+ struct sadb_address *x_dst_flow; /* SADB_X_EXT_ADDRESS_DST_FLOW */
+ struct sadb_address *x_src_mask; /* SADB_X_EXT_ADDRESS_SRC_MASK */
+ struct sadb_address *x_dst_mask; /* SADB_X_EXT_ADDRESS_DST_MASK */
+ struct sadb_x_debug *x_debug; /* SADB_X_EXT_DEBUG */
+ struct sadb_protocol *x_protocol; /* SADB_X_EXT_PROTOCOL */
+ struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
+ struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
+ struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
+ struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
+ } __attribute__((__packed__));
+ };
+};
+
+/**
+ * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ */
+static u_int8_t proto_ike2satype(protocol_id_t proto)
+{
+ switch (proto)
+ {
+ case PROTO_ESP:
+ return SADB_SATYPE_ESP;
+ case PROTO_AH:
+ return SADB_SATYPE_AH;
+ case IPPROTO_COMP:
+ return SADB_X_SATYPE_COMP;
+ default:
+ return proto;
+ }
+}
+
+/**
+ * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ */
+static protocol_id_t proto_satype2ike(u_int8_t proto)
+{
+ switch (proto)
+ {
+ case SADB_SATYPE_ESP:
+ return PROTO_ESP;
+ case SADB_SATYPE_AH:
+ return PROTO_AH;
+ case SADB_X_SATYPE_COMP:
+ return IPPROTO_COMP;
+ default:
+ return proto;
+ }
+}
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 algorithms to PF_KEY algorithms
+ */
+struct kernel_algorithm_t {
+ /**
+ * Identifier specified in IKEv2
+ */
+ int ikev2;
+
+ /**
+ * Identifier as defined in pfkeyv2.h
+ */
+ int kernel;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/* {ENCR_DES_IV64, 0 }, */
+ {ENCR_DES, SADB_EALG_DESCBC },
+ {ENCR_3DES, SADB_EALG_3DESCBC },
+/* {ENCR_RC5, 0 }, */
+/* {ENCR_IDEA, 0 }, */
+/* {ENCR_CAST, 0 }, */
+ {ENCR_BLOWFISH, SADB_EALG_BFCBC },
+/* {ENCR_3IDEA, 0 }, */
+/* {ENCR_DES_IV32, 0 }, */
+ {ENCR_NULL, SADB_EALG_NULL },
+ {ENCR_AES_CBC, SADB_EALG_AESCBC },
+/* {ENCR_AES_CTR, 0 }, */
+/* {ENCR_AES_CCM_ICV8, 0 }, */
+/* {ENCR_AES_CCM_ICV12, 0 }, */
+/* {ENCR_AES_CCM_ICV16, 0 }, */
+/* {ENCR_AES_GCM_ICV8, 0 }, */
+/* {ENCR_AES_GCM_ICV12, 0 }, */
+/* {ENCR_AES_GCM_ICV16, 0 }, */
+ {END_OF_LIST, 0 },
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+ {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
+ {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
+ {AUTH_HMAC_SHA2_256_128, SADB_AALG_SHA256_HMAC },
+ {AUTH_HMAC_SHA2_384_192, SADB_AALG_SHA384_HMAC },
+ {AUTH_HMAC_SHA2_512_256, SADB_AALG_SHA512_HMAC },
+/* {AUTH_DES_MAC, 0, }, */
+/* {AUTH_KPDK_MD5, 0, }, */
+/* {AUTH_AES_XCBC_96, 0, }, */
+ {END_OF_LIST, 0, },
+};
+
+#if 0
+/**
+ * Algorithms for IPComp, unused yet
+ */
+static kernel_algorithm_t compression_algs[] = {
+/* {IPCOMP_OUI, 0 }, */
+ {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
+ {IPCOMP_LZS, SADB_X_CALG_LZS },
+/* {IPCOMP_LZJH, 0 }, */
+ {END_OF_LIST, 0 },
+};
+#endif
+
+/**
+ * Look up a kernel algorithm ID and its key size
+ */
+static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+ while (list->ikev2 != END_OF_LIST)
+ {
+ if (ikev2 == list->ikev2)
+ {
+ return list->kernel;
+ }
+ list++;
+ }
+ return 0;
+}
+
+/**
+ * add a host behind a sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+ sockaddr_t *host_addr = host->get_sockaddr(host);
+ socklen_t *len = host->get_sockaddr_len(host);
+ memcpy((char*)(ext + 1), host_addr, *len);
+ ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+}
+
+/**
+ * add a host behind a sadb_address extension
+ */
+static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type)
+{
+ struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = type;
+ host2ext(host, addr);
+ PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * adds an empty address extension to the given sadb_msg
+ */
+static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
+{
+ socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
+ sizeof(struct sockaddr_in6);
+ struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = type;
+ sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
+ saddr->sa_family = family;
+ addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+ PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * add udp encap extensions to a sadb_msg
+ */
+static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
+ bool ports_only)
+{
+ struct sadb_x_nat_t_type* nat_type;
+ struct sadb_x_nat_t_port* nat_port;
+
+ if (!ports_only)
+ {
+ nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
+ nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+ nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
+ nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+ PFKEY_EXT_ADD(msg, nat_type);
+ }
+
+ nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+ nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+ nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+ nat_port->sadb_x_nat_t_port_port = src->get_port(src);
+ PFKEY_EXT_ADD(msg, nat_port);
+
+ nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+ nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+ nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+ nat_port->sadb_x_nat_t_port_port = dst->get_port(dst);
+ PFKEY_EXT_ADD(msg, nat_port);
+}
+
+/**
+ * build an SADB_X_ADDFLOW msg
+ */
+static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
+ host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
+ host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
+{
+ struct sadb_sa *sa;
+ struct sadb_protocol *proto;
+ host_t *host;
+
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_X_ADDFLOW;
+ msg->sadb_msg_satype = satype;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_spi = spi;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_flags = replace ? SADB_X_SAFLAGS_REPLACEFLOW : 0;
+ PFKEY_EXT_ADD(msg, sa);
+
+ if (!src)
+ {
+ add_anyaddr_ext(msg, src_net->get_family(src_net), SADB_EXT_ADDRESS_SRC);
+ }
+ else
+ {
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+ }
+
+ if (!dst)
+ {
+ add_anyaddr_ext(msg, dst_net->get_family(dst_net), SADB_EXT_ADDRESS_DST);
+ }
+ else
+ {
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+ }
+
+ add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
+ add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
+
+ host = mask2host(src_net->get_family(src_net), src_mask);
+ add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
+ host->destroy(host);
+
+ host = mask2host(dst_net->get_family(dst_net), dst_mask);
+ add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
+ host->destroy(host);
+
+ proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
+ proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+ proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
+ proto->sadb_protocol_proto = protocol;
+ PFKEY_EXT_ADD(msg, proto);
+}
+
+/**
+ * build an SADB_X_DELFLOW msg
+ */
+static void build_delflow(struct sadb_msg *msg, u_int8_t satype,
+ host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
+ u_int8_t protocol)
+{
+ struct sadb_protocol *proto;
+ host_t *host;
+
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_X_DELFLOW;
+ msg->sadb_msg_satype = satype;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
+ add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
+
+ host = mask2host(src_net->get_family(src_net),
+ src_mask);
+ add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
+ host->destroy(host);
+
+ host = mask2host(dst_net->get_family(dst_net),
+ dst_mask);
+ add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
+ host->destroy(host);
+
+ proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
+ proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+ proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
+ proto->sadb_protocol_proto = protocol;
+ PFKEY_EXT_ADD(msg, proto);
+}
+
+/**
+ * Parses a pfkey message received from the kernel
+ */
+static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
+{
+ struct sadb_ext* ext;
+ size_t len;
+
+ memset(out, 0, sizeof(pfkey_msg_t));
+ out->msg = msg;
+
+ len = msg->sadb_msg_len;
+ len -= PFKEY_LEN(sizeof(struct sadb_msg));
+
+ ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
+
+ while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
+ {
+ if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
+ ext->sadb_ext_len > len)
+ {
+ DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+ break;
+ }
+
+ if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
+ {
+ DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+ break;
+ }
+
+ if (out->ext[ext->sadb_ext_type])
+ {
+ DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);
+ break;
+ }
+
+ out->ext[ext->sadb_ext_type] = ext;
+ ext = PFKEY_EXT_NEXT_LEN(ext, len);
+ }
+
+ if (len)
+ {
+ DBG1(DBG_KNL, "PF_KEY message length is invalid");
+ return FAILED;
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Send a message to a specific PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket,
+ struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+ unsigned char buf[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg;
+ int in_len, len;
+
+ this->mutex_pfkey->lock(this->mutex_pfkey);
+
+ in->sadb_msg_seq = ++this->seq;
+ in->sadb_msg_pid = getpid();
+
+ in_len = PFKEY_USER_LEN(in->sadb_msg_len);
+
+ while (TRUE)
+ {
+ len = send(socket, in, in_len, 0);
+
+ if (len != in_len)
+ {
+ switch (errno)
+ {
+ case EINTR:
+ /* interrupted, try again */
+ continue;
+ case EINVAL:
+ case EEXIST:
+ case ESRCH:
+ /* we should also get a response for these from KLIPS */
+ break;
+ default:
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ DBG1(DBG_KNL, "error sending to PF_KEY socket: %s (%d)",
+ strerror(errno), errno);
+ return FAILED;
+ }
+ }
+ break;
+ }
+
+ while (TRUE)
+ {
+ msg = (struct sadb_msg*)buf;
+
+ len = recv(socket, buf, sizeof(buf), 0);
+
+ if (len < 0)
+ {
+ if (errno == EINTR)
+ {
+ DBG1(DBG_KNL, "got interrupted");
+ /* interrupted, try again */
+ continue;
+ }
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
+ return FAILED;
+ }
+ if (len < sizeof(struct sadb_msg) ||
+ msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+ {
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ DBG1(DBG_KNL, "received corrupted PF_KEY message");
+ return FAILED;
+ }
+ if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+ {
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+ return FAILED;
+ }
+ if (msg->sadb_msg_pid != in->sadb_msg_pid)
+ {
+ DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
+ continue;
+ }
+ if (msg->sadb_msg_seq != this->seq)
+ {
+ DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number,"
+ " was %d expected %d", msg->sadb_msg_seq, this->seq);
+ if (msg->sadb_msg_seq < this->seq)
+ {
+ continue;
+ }
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
+ if (msg->sadb_msg_type != in->sadb_msg_type)
+ {
+ DBG2(DBG_KNL, "received PF_KEY message of wrong type,"
+ " was %d expected %d, ignoring",
+ msg->sadb_msg_type, in->sadb_msg_type);
+ }
+ break;
+ }
+
+ *out_len = len;
+ *out = (struct sadb_msg*)malloc(len);
+ memcpy(*out, buf, len);
+
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+
+ return SUCCESS;
+}
+
+/**
+ * Send a message to the default PF_KEY socket.
+ */
+static status_t pfkey_send(private_kernel_klips_ipsec_t *this,
+ struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+ return pfkey_send_socket(this, this->socket, in, out, out_len);
+}
+
+/**
+ * Send a message to the default PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_ack(private_kernel_klips_ipsec_t *this, struct sadb_msg *in)
+{
+ struct sadb_msg *out;
+ size_t len;
+
+ if (pfkey_send(this, in, &out, &len) != SUCCESS)
+ {
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "PF_KEY error: %s (%d)",
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * Add an eroute to KLIPS
+ */
+static status_t add_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
+ u_int32_t spi, host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask,
+ host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg = (struct sadb_msg*)request;
+
+ memset(&request, 0, sizeof(request));
+
+ build_addflow(msg, satype, spi, src, dst, src_net, src_mask,
+ dst_net, dst_mask, protocol, replace);
+
+ return pfkey_send_ack(this, msg);
+}
+
+/**
+ * Delete an eroute fom KLIPS
+ */
+static status_t del_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
+ host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask,
+ u_int8_t protocol)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg = (struct sadb_msg*)request;
+
+ memset(&request, 0, sizeof(request));
+
+ build_delflow(msg, satype, src_net, src_mask, dst_net, dst_mask, protocol);
+
+ return pfkey_send_ack(this, msg);
+}
+
+/**
+ * Process a SADB_ACQUIRE message from the kernel
+ */
+static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ host_t *src, *dst;
+ u_int32_t reqid;
+ u_int8_t proto;
+ policy_entry_t *policy;
+ job_t *job;
+
+ switch (msg->sadb_msg_satype)
+ {
+ case SADB_SATYPE_UNSPEC:
+ case SADB_SATYPE_ESP:
+ case SADB_SATYPE_AH:
+ break;
+ default:
+ /* acquire for AH/ESP only */
+ return;
+ }
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
+ return;
+ }
+
+ /* KLIPS provides us only with the source and destination address,
+ * and the transport protocol of the packet that triggered the policy.
+ * we use this information to find a matching policy in our cache.
+ * because KLIPS installs a narrow %hold eroute covering only this information,
+ * we replace both the %trap and this %hold eroutes with a broader %hold
+ * eroute covering the whole policy */
+ src = host_create_from_sockaddr((sockaddr_t*)(response.src + 1));
+ dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
+ proto = response.src->sadb_address_proto;
+ if (!src || !dst || src->get_family(src) != dst->get_family(dst))
+ {
+ DBG1(DBG_KNL, "received an SADB_ACQUIRE with invalid hosts");
+ return;
+ }
+
+ DBG2(DBG_KNL, "received an SADB_ACQUIRE for %H == %H : %d", src, dst, proto);
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_match_byaddrs,
+ (void**)&policy, src, dst) != SUCCESS)
+ {
+ this->mutex->unlock(this->mutex);
+ DBG1(DBG_KNL, "received an SADB_ACQUIRE, but found no matching policy");
+ return;
+ }
+ if ((reqid = policy->reqid) == 0)
+ {
+ this->mutex->unlock(this->mutex);
+ DBG1(DBG_KNL, "received an SADB_ACQUIRE, but policy is not routed anymore");
+ return;
+ }
+
+ /* add a broad %hold eroute that replaces the %trap eroute */
+ add_eroute(this, SADB_X_SATYPE_INT, htonl(SPI_HOLD), NULL, NULL,
+ policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
+ policy->src.proto, TRUE);
+
+ /* remove the narrow %hold eroute installed by KLIPS */
+ del_eroute(this, SADB_X_SATYPE_INT, src, 32, dst, 32, proto);
+
+ this->mutex->unlock(this->mutex);
+
+ DBG2(DBG_KNL, "received an SADB_ACQUIRE");
+ DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
+ job = (job_t*)acquire_job_create(reqid, NULL, NULL);
+ charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
+ */
+static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ u_int32_t spi, reqid;
+ host_t *old_src, *new_src;
+ job_t *job;
+
+ DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
+ return;
+ }
+
+ spi = response.sa->sadb_sa_spi;
+
+ if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+ {
+ sa_entry_t *sa;
+ sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
+ old_src = host_create_from_sockaddr(addr);
+
+ this->mutex->lock(this->mutex);
+ if (!old_src || this->installed_sas->find_first(this->installed_sas,
+ (linked_list_match_t)sa_entry_match_encapbysrc,
+ (void**)&sa, &spi, old_src) != SUCCESS)
+ {
+ this->mutex->unlock(this->mutex);
+ DBG1(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING, but found no matching SA");
+ return;
+ }
+ reqid = sa->reqid;
+ this->mutex->unlock(this->mutex);
+
+ addr = (sockaddr_t*)(response.dst + 1);
+ switch (addr->sa_family)
+ {
+ case AF_INET:
+ {
+ struct sockaddr_in *sin = (struct sockaddr_in*)addr;
+ sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+ }
+ case AF_INET6:
+ {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
+ sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+ }
+ default:
+ break;
+ }
+ new_src = host_create_from_sockaddr(addr);
+ if (new_src)
+ {
+ DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and"
+ " reqid {%d} changed, queuing update job", ntohl(spi), reqid);
+ job = (job_t*)update_sa_job_create(reqid, new_src);
+ charon->processor->queue_job(charon->processor, job);
+ }
+ }
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
+{
+ unsigned char buf[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg = (struct sadb_msg*)buf;
+ int len, oldstate;
+
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+ len = recv(this->socket_events, buf, sizeof(buf), 0);
+ pthread_setcancelstate(oldstate, NULL);
+
+ if (len < 0)
+ {
+ switch (errno)
+ {
+ case EINTR:
+ /* interrupted, try again */
+ return JOB_REQUEUE_DIRECT;
+ case EAGAIN:
+ /* no data ready, select again */
+ return JOB_REQUEUE_DIRECT;
+ default:
+ DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
+ sleep(1);
+ return JOB_REQUEUE_FAIR;
+ }
+ }
+
+ if (len < sizeof(struct sadb_msg) ||
+ msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+ {
+ DBG2(DBG_KNL, "received corrupted PF_KEY message");
+ return JOB_REQUEUE_DIRECT;
+ }
+ if (msg->sadb_msg_pid != 0)
+ { /* not from kernel. not interested, try another one */
+ return JOB_REQUEUE_DIRECT;
+ }
+ if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+ {
+ DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+ return JOB_REQUEUE_DIRECT;
+ }
+
+ switch (msg->sadb_msg_type)
+ {
+ case SADB_ACQUIRE:
+ process_acquire(this, msg);
+ break;
+ case SADB_EXPIRE:
+ /* SADB_EXPIRE events in KLIPS are only triggered by traffic (even for
+ * the time based limits). So if there is no traffic for a longer
+ * period than configured as hard limit, we wouldn't be able to rekey
+ * the SA and just receive the hard expire and thus delete the SA.
+ * To avoid this behavior and to make charon behave as with the other
+ * kernel plugins, we implement the expiration of SAs ourselves. */
+ break;
+ case SADB_X_NAT_T_NEW_MAPPING:
+ process_mapping(this, msg);
+ break;
+ default:
+ break;
+ }
+
+ return JOB_REQUEUE_DIRECT;
+}
+
+typedef enum {
+ /** an SPI has expired */
+ EXPIRE_TYPE_SPI,
+ /** a CHILD_SA has to be rekeyed */
+ EXPIRE_TYPE_SOFT,
+ /** a CHILD_SA has to be deleted */
+ EXPIRE_TYPE_HARD
+} expire_type_t;
+
+typedef struct sa_expire_t sa_expire_t;
+
+struct sa_expire_t {
+ /** kernel interface */
+ private_kernel_klips_ipsec_t *this;
+ /** the SPI of the expiring SA */
+ u_int32_t spi;
+ /** the protocol of the expiring SA */
+ protocol_id_t protocol;
+ /** the reqid of the expiring SA*/
+ u_int32_t reqid;
+ /** what type of expire this is */
+ expire_type_t type;
+};
+
+/**
+ * Called when an SA expires
+ */
+static job_requeue_t sa_expires(sa_expire_t *expire)
+{
+ private_kernel_klips_ipsec_t *this = expire->this;
+ protocol_id_t protocol = expire->protocol;
+ u_int32_t spi = expire->spi, reqid = expire->reqid;
+ bool hard = expire->type != EXPIRE_TYPE_SOFT;
+ sa_entry_t *cached_sa;
+ linked_list_t *list;
+ job_t *job;
+
+ /* for an expired SPI we first check whether the CHILD_SA got installed
+ * in the meantime, for expired SAs we check whether they are still installed */
+ list = expire->type == EXPIRE_TYPE_SPI ? this->allocated_spis : this->installed_sas;
+
+ this->mutex->lock(this->mutex);
+ if (list->find_first(list, (linked_list_match_t)sa_entry_match_byid,
+ (void**)&cached_sa, &protocol, &spi, &reqid) != SUCCESS)
+ {
+ /* we found no entry:
+ * - for SPIs, a CHILD_SA has been installed
+ * - for SAs, the CHILD_SA has already been deleted */
+ this->mutex->unlock(this->mutex);
+ return JOB_REQUEUE_NONE;
+ }
+ else
+ {
+ list->remove(list, cached_sa, NULL);
+ sa_entry_destroy(cached_sa);
+ }
+ this->mutex->unlock(this->mutex);
+
+ DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired",
+ protocol_id_names, protocol, ntohl(spi), reqid);
+
+ DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
+ hard ? "delete" : "rekey", protocol_id_names,
+ protocol, ntohl(spi), reqid);
+ if (hard)
+ {
+ job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+ }
+ else
+ {
+ job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+ }
+ charon->processor->queue_job(charon->processor, job);
+ return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedule an expire job for an SA. Time is in seconds.
+ */
+static void schedule_expire(private_kernel_klips_ipsec_t *this,
+ protocol_id_t protocol, u_int32_t spi,
+ u_int32_t reqid, expire_type_t type, u_int32_t time)
+{
+ callback_job_t *job;
+ sa_expire_t *expire = malloc_thing(sa_expire_t);
+ expire->this = this;
+ expire->protocol = protocol;
+ expire->spi = spi;
+ expire->reqid = reqid;
+ expire->type = type;
+ job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL);
+ charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time * 1000);
+}
+
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
+static status_t get_spi(private_kernel_klips_ipsec_t *this,
+ host_t *src, host_t *dst,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int32_t *spi)
+{
+ /* we cannot use SADB_GETSPI because KLIPS does not allow us to set the
+ * NAT-T type in an SADB_UPDATE which we would have to use to update the
+ * implicitly created SA.
+ */
+ rng_t *rng;
+ u_int32_t spi_gen;
+
+ rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+ if (!rng)
+ {
+ DBG1(DBG_KNL, "allocating SPI failed: no RNG");
+ return FAILED;
+ }
+ rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
+ rng->destroy(rng);
+
+ /* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
+ spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF);
+
+ DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H",
+ spi_gen, protocol_id_names, protocol, src, dst);
+
+ *spi = htonl(spi_gen);
+
+ this->mutex->lock(this->mutex);
+ this->allocated_spis->insert_last(this->allocated_spis,
+ create_sa_entry(protocol, *spi, reqid, NULL, NULL, FALSE, TRUE));
+ this->mutex->unlock(this->mutex);
+ schedule_expire(this, protocol, *spi, reqid, EXPIRE_TYPE_SPI, SPI_TIMEOUT);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_cpi.
+ */
+static status_t get_cpi(private_kernel_klips_ipsec_t *this,
+ host_t *src, host_t *dst,
+ u_int32_t reqid, u_int16_t *cpi)
+{
+ return FAILED;
+}
+
+/**
+ * Add a pseudo IPIP SA for tunnel mode with KLIPS.
+ */
+static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
+ host_t *src, host_t *dst, u_int32_t spi, u_int32_t reqid)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "adding pseudo IPIP SA with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_ADD;
+ msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ sa->sadb_sa_state = SADB_SASTATE_MATURE;
+ PFKEY_EXT_ADD(msg, sa);
+
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * group the IPIP SA required for tunnel mode with the outer SA
+ */
+static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
+ host_t *src, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ struct sadb_x_satype *satype;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "grouping SAs with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_X_GRPSA;
+ msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ sa->sadb_sa_state = SADB_SASTATE_MATURE;
+ PFKEY_EXT_ADD(msg, sa);
+
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+ satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
+ satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
+ satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
+ satype->sadb_x_satype_satype = proto_ike2satype(protocol);
+ PFKEY_EXT_ADD(msg, satype);
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_X_EXT_SA2;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ sa->sadb_sa_state = SADB_SASTATE_MATURE;
+ PFKEY_EXT_ADD(msg, sa);
+
+ add_addr_ext(msg, dst, SADB_X_EXT_ADDRESS_DST2);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to group SAs with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to group SAs with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
+static status_t add_sa(private_kernel_klips_ipsec_t *this,
+ host_t *src, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int64_t expire_soft, u_int64_t expire_hard,
+ u_int16_t enc_alg, chunk_t enc_key,
+ u_int16_t int_alg, chunk_t int_key,
+ ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ bool encap, bool inbound)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ struct sadb_key *key;
+ size_t len;
+
+ if (inbound)
+ {
+ /* for inbound SAs we allocated an SPI via get_spi, so we first check
+ * whether that SPI has already expired (race condition) */
+ sa_entry_t *alloc_spi;
+ this->mutex->lock(this->mutex);
+ if (this->allocated_spis->find_first(this->allocated_spis,
+ (linked_list_match_t)sa_entry_match_byid, (void**)&alloc_spi,
+ &protocol, &spi, &reqid) != SUCCESS)
+ {
+ this->mutex->unlock(this->mutex);
+ DBG1(DBG_KNL, "allocated SPI %.8x has already expired", ntohl(spi));
+ return FAILED;
+ }
+ else
+ {
+ this->allocated_spis->remove(this->allocated_spis, alloc_spi, NULL);
+ sa_entry_destroy(alloc_spi);
+ }
+ this->mutex->unlock(this->mutex);
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_ADD;
+ msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ sa->sadb_sa_state = SADB_SASTATE_MATURE;
+ sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
+ sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
+ sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+ PFKEY_EXT_ADD(msg, sa);
+
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+ if (enc_alg != ENCR_UNDEFINED)
+ {
+ if (!sa->sadb_sa_encrypt)
+ {
+ DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+ encryption_algorithm_names, enc_alg);
+ return FAILED;
+ }
+ DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
+ encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+ key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+ key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+ key->sadb_key_bits = enc_key.len * 8;
+ key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
+ memcpy(key + 1, enc_key.ptr, enc_key.len);
+
+ PFKEY_EXT_ADD(msg, key);
+ }
+
+ if (int_alg != AUTH_UNDEFINED)
+ {
+ if (!sa->sadb_sa_auth)
+ {
+ DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+ integrity_algorithm_names, int_alg);
+ return FAILED;
+ }
+ DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
+ integrity_algorithm_names, int_alg, int_key.len * 8);
+
+ key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+ key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+ key->sadb_key_bits = int_key.len * 8;
+ key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
+ memcpy(key + 1, int_key.ptr, int_key.len);
+
+ PFKEY_EXT_ADD(msg, key);
+ }
+
+ if (ipcomp != IPCOMP_NONE)
+ {
+ /*TODO*/
+ }
+
+ if (encap)
+ {
+ add_encap_ext(msg, src, dst, FALSE);
+ }
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+
+ /* for tunnel mode SAs we have to install an additional IPIP SA and
+ * group the two SAs together */
+ if (mode == MODE_TUNNEL)
+ {
+ if (add_ipip_sa(this, src, dst, spi, reqid) != SUCCESS ||
+ group_ipip_sa(this, src, dst, spi, protocol, reqid) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ }
+
+ this->mutex->lock(this->mutex);
+ /* we cache this SA for two reasons:
+ * - in case an SADB_X_NAT_T_MAPPING_NEW event occurs (we need to find the reqid then)
+ * - to decide if an expired SA is still installed */
+ this->installed_sas->insert_last(this->installed_sas,
+ create_sa_entry(protocol, spi, reqid, src, dst, encap, inbound));
+ this->mutex->unlock(this->mutex);
+
+ /* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
+ * of SAs manually in the plugin. Refer to the comments in receive_events()
+ * for details. */
+ if (expire_soft)
+ {
+ schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, expire_soft);
+ }
+
+ if (expire_hard)
+ {
+ schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, expire_hard);
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.update_sa.
+ */
+static status_t update_sa(private_kernel_klips_ipsec_t *this,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+ host_t *src, host_t *dst,
+ host_t *new_src, host_t *new_dst,
+ bool encap, bool new_encap)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ size_t len;
+
+ /* we can't update the SA if any of the ip addresses have changed.
+ * that's because we can't use SADB_UPDATE and by deleting and readding the
+ * SA the sequence numbers would get lost */
+ if (!src->ip_equals(src, new_src) ||
+ !dst->ip_equals(dst, new_dst))
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
+ " are not supported", ntohl(spi));
+ return NOT_SUPPORTED;
+ }
+
+ /* because KLIPS does not allow us to change the NAT-T type in an SADB_UPDATE,
+ * we can't update the SA if the encap flag has changed since installing it */
+ if (encap != new_encap)
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: change of UDP"
+ " encapsulation is not supported", ntohl(spi));
+ return NOT_SUPPORTED;
+ }
+
+ DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+ ntohl(spi), src, dst, new_src, new_dst);
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_UPDATE;
+ msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ sa->sadb_sa_encrypt = SADB_EALG_AESCBC; /* ignored */
+ sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; /* ignored */
+ sa->sadb_sa_state = SADB_SASTATE_MATURE;
+ PFKEY_EXT_ADD(msg, sa);
+
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+ add_encap_ext(msg, new_src, new_dst, TRUE);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ sa_entry_t *cached_sa;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ /* all grouped SAs are automatically deleted by KLIPS as soon as
+ * one of them is deleted, therefore we delete only the main one */
+ DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+
+ this->mutex->lock(this->mutex);
+ /* this should not fail, but we don't care if it does, let the kernel decide
+ * whether this SA exists or not */
+ if (this->installed_sas->find_first(this->installed_sas,
+ (linked_list_match_t)sa_entry_match_bydst, (void**)&cached_sa,
+ &protocol, &spi, dst) == SUCCESS)
+ {
+ this->installed_sas->remove(this->installed_sas, cached_sa, NULL);
+ sa_entry_destroy(cached_sa);
+ }
+ this->mutex->unlock(this->mutex);
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_DELETE;
+ msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ PFKEY_EXT_ADD(msg, sa);
+
+ /* the kernel wants an SADB_EXT_ADDRESS_SRC to be present even though
+ * it is not used for anything. */
+ add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+
+ DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
+static status_t add_policy(private_kernel_klips_ipsec_t *this,
+ host_t *src, host_t *dst,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ bool routed)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ policy_entry_t *policy, *found = NULL;
+ u_int8_t satype;
+ size_t len;
+
+ if (direction == POLICY_FWD)
+ {
+ /* no forward policies for KLIPS */
+ return SUCCESS;
+ }
+
+ /* tunnel mode policies direct the packets into the pseudo IPIP SA */
+ satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
+ proto_ike2satype(protocol);
+
+ /* create a policy */
+ policy = create_policy_entry(src_ts, dst_ts, direction);
+
+ /* find a matching policy */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+ {
+ /* use existing policy */
+ DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing"
+ " refcount", src_ts, dst_ts,
+ policy_dir_names, direction);
+ policy_entry_destroy(policy);
+ policy = found;
+ }
+ else
+ {
+ /* apply the new one, if we have no such policy */
+ this->policies->insert_last(this->policies, policy);
+ }
+
+ if (routed)
+ {
+ /* we install this as a %trap eroute in the kernel, later to be
+ * triggered by packets matching the policy (-> ACQUIRE). */
+ spi = htonl(SPI_TRAP);
+ satype = SADB_X_SATYPE_INT;
+
+ /* the reqid is always set to the latest child SA that trapped this
+ * policy. we will need this reqid upon receiving an acquire. */
+ policy->reqid = reqid;
+
+ /* increase the trap counter */
+ policy->trapcount++;
+
+ if (policy->activecount)
+ {
+ /* we do not replace the current policy in the kernel while a
+ * policy is actively used */
+ this->mutex->unlock(this->mutex);
+ return SUCCESS;
+ }
+ }
+ else
+ {
+ /* increase the reference counter */
+ policy->activecount++;
+ }
+
+ DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+
+ /* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */
+ build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst,
+ policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
+ policy->src.proto, found != NULL);
+
+ this->mutex->unlock(this->mutex);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
+ policy_dir_names, direction,
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+
+ this->mutex->lock(this->mutex);
+
+ /* we try to find the policy again and install the route if needed */
+ if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+ {
+ this->mutex->unlock(this->mutex);
+ DBG2(DBG_KNL, "the policy %R === %R %N is already gone, ignoring",
+ src_ts, dst_ts, policy_dir_names, direction);
+ return SUCCESS;
+ }
+
+ /* KLIPS requires a special route that directs traffic that matches this
+ * policy to one of the virtual ipsec interfaces. The virtual interface
+ * has to be attached to the physical one the traffic runs over.
+ * This is a special case of the source route we install in other kernel
+ * interfaces.
+ * In the following cases we do NOT install a source route (but just a
+ * regular route):
+ * - we are not in tunnel mode
+ * - we are using IPv6 (does not work correctly yet!)
+ * - routing is disabled via strongswan.conf
+ */
+ if (policy->route == NULL && direction == POLICY_OUT)
+ {
+ char *iface;
+ ipsec_dev_t *dev;
+ route_entry_t *route = malloc_thing(route_entry_t);
+ route->src_ip = NULL;
+
+ if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+ this->install_routes)
+ {
+ charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+ src_ts, &route->src_ip);
+ }
+
+ if (!route->src_ip)
+ {
+ route->src_ip = host_create_any(src->get_family(src));
+ }
+
+ /* find the virtual interface */
+ iface = charon->kernel_interface->get_interface(charon->kernel_interface,
+ src);
+ if (find_ipsec_dev(this, iface, &dev) == SUCCESS)
+ {
+ /* above, we got either the name of a virtual or a physical
+ * interface. for both cases it means we already have the devices
+ * properly attached (assuming that we are exclusively attaching
+ * ipsec devices). */
+ dev->refcount++;
+ }
+ else
+ {
+ /* there is no record of a mapping with the returned interface.
+ * thus, we attach the first free virtual interface we find to
+ * it. As above we assume we are the only client fiddling with
+ * ipsec devices. */
+ if (this->ipsec_devices->find_first(this->ipsec_devices,
+ (linked_list_match_t)ipsec_dev_match_free,
+ (void**)&dev) == SUCCESS)
+ {
+ if (attach_ipsec_dev(dev->name, iface) == SUCCESS)
+ {
+ strncpy(dev->phys_name, iface, IFNAMSIZ);
+ dev->refcount = 1;
+ }
+ else
+ {
+ DBG1(DBG_KNL, "failed to attach virtual interface %s"
+ " to %s", dev->name, iface);
+ this->mutex->unlock(this->mutex);
+ free(iface);
+ return FAILED;
+ }
+ }
+ else
+ {
+ this->mutex->unlock(this->mutex);
+ DBG1(DBG_KNL, "failed to attach a virtual interface to %s: no"
+ " virtual interfaces left", iface);
+ free(iface);
+ return FAILED;
+ }
+ }
+ free(iface);
+ route->if_name = strdup(dev->name);
+
+ /* get the nexthop to dst */
+ route->gateway = charon->kernel_interface->get_nexthop(
+ charon->kernel_interface, dst);
+ route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
+ route->prefixlen = policy->dst.mask;
+
+ switch (charon->kernel_interface->add_route(charon->kernel_interface,
+ route->dst_net, route->prefixlen, route->gateway,
+ route->src_ip, route->if_name))
+ {
+ default:
+ DBG1(DBG_KNL, "unable to install route for policy %R === %R",
+ src_ts, dst_ts);
+ /* FALL */
+ case ALREADY_DONE:
+ /* route exists, do not uninstall */
+ route_entry_destroy(route);
+ break;
+ case SUCCESS:
+ /* cache the installed route */
+ policy->route = route;
+ break;
+ }
+ }
+
+ this->mutex->unlock(this->mutex);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_policy.
+ */
+static status_t query_policy(private_kernel_klips_ipsec_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t *use_time)
+{
+ #define IDLE_PREFIX "idle="
+ static const char *path_eroute = "/proc/net/ipsec_eroute";
+ static const char *path_spi = "/proc/net/ipsec_spi";
+ FILE *file;
+ char line[1024], src[INET6_ADDRSTRLEN + 9], dst[INET6_ADDRSTRLEN + 9];
+ char *said = NULL, *pos;
+ policy_entry_t *policy, *found = NULL;
+ status_t status = FAILED;
+
+ if (direction == POLICY_FWD)
+ {
+ /* we do not install forward policies */
+ return FAILED;
+ }
+
+ DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+
+ /* create a policy */
+ policy = create_policy_entry(src_ts, dst_ts, direction);
+
+ /* find a matching policy */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+ {
+ this->mutex->unlock(this->mutex);
+ DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
+ dst_ts, policy_dir_names, direction);
+ policy_entry_destroy(policy);
+ return NOT_FOUND;
+ }
+ policy_entry_destroy(policy);
+ policy = found;
+
+ /* src and dst selectors in KLIPS are of the form NET_ADDR/NETBITS:PROTO */
+ snprintf(src, sizeof(src), "%H/%d:%d", policy->src.net, policy->src.mask,
+ policy->src.proto);
+ src[sizeof(src) - 1] = '\0';
+ snprintf(dst, sizeof(dst), "%H/%d:%d", policy->dst.net, policy->dst.mask,
+ policy->dst.proto);
+ dst[sizeof(dst) - 1] = '\0';
+
+ this->mutex->unlock(this->mutex);
+
+ /* we try to find the matching eroute first */
+ file = fopen(path_eroute, "r");
+ if (file == NULL)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+ dst_ts, policy_dir_names, direction, strerror(errno), errno);
+ return FAILED;
+ }
+
+ /* read line by line where each line looks like:
+ * packets src -> dst => said */
+ while (fgets(line, sizeof(line), file))
+ {
+ enumerator_t *enumerator;
+ char *token;
+ int i = 0;
+
+ enumerator = enumerator_create_token(line, " \t", " \t\n");
+ while (enumerator->enumerate(enumerator, &token))
+ {
+ switch (i++)
+ {
+ case 0: /* packets */
+ continue;
+ case 1: /* src */
+ if (streq(token, src))
+ {
+ continue;
+ }
+ break;
+ case 2: /* -> */
+ continue;
+ case 3: /* dst */
+ if (streq(token, dst))
+ {
+ continue;
+ }
+ break;
+ case 4: /* => */
+ continue;
+ case 5: /* said */
+ said = strdup(token);
+ break;
+ }
+ break;
+ }
+ enumerator->destroy(enumerator);
+
+ if (i == 5)
+ {
+ /* eroute matched */
+ break;
+ }
+ }
+ fclose(file);
+
+ if (said == NULL)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N: found no matching"
+ " eroute", src_ts, dst_ts, policy_dir_names, direction);
+ return FAILED;
+ }
+
+ /* compared with the one in the spi entry the SA ID from the eroute entry
+ * has an additional ":PROTO" appended, which we need to cut off */
+ pos = strrchr(said, ':');
+ *pos = '\0';
+
+ /* now we try to find the matching spi entry */
+ file = fopen(path_spi, "r");
+ if (file == NULL)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+ dst_ts, policy_dir_names, direction, strerror(errno), errno);
+ return FAILED;
+ }
+
+ while (fgets(line, sizeof(line), file))
+ {
+ if (strneq(line, said, strlen(said)))
+ {
+ /* fine we found the correct line, now find the idle time */
+ u_int32_t idle_time;
+ pos = strstr(line, IDLE_PREFIX);
+ if (pos == NULL)
+ {
+ /* no idle time, i.e. this SA has not been used yet */
+ break;
+ }
+ if (sscanf(pos, IDLE_PREFIX"%u", &idle_time) <= 0)
+ {
+ /* idle time not valid */
+ break;
+ }
+
+ *use_time = time(NULL) - idle_time;
+ status = SUCCESS;
+ break;
+ }
+ }
+ fclose(file);
+ free(said);
+
+ return status;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
+static status_t del_policy(private_kernel_klips_ipsec_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, bool unrouted)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg = (struct sadb_msg*)request, *out;
+ policy_entry_t *policy, *found = NULL;
+ route_entry_t *route;
+ size_t len;
+
+ if (direction == POLICY_FWD)
+ {
+ /* no forward policies for KLIPS */
+ return SUCCESS;
+ }
+
+ DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+
+ /* create a policy */
+ policy = create_policy_entry(src_ts, dst_ts, direction);
+
+ /* find a matching policy */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+ {
+ this->mutex->unlock(this->mutex);
+ DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+ dst_ts, policy_dir_names, direction);
+ policy_entry_destroy(policy);
+ return NOT_FOUND;
+ }
+ policy_entry_destroy(policy);
+
+ /* decrease appropriate counter */
+ unrouted ? found->trapcount-- : found->activecount--;
+
+ if (found->trapcount == 0)
+ {
+ /* if this policy is finally unrouted, we reset the reqid because it
+ * may still be actively used and there might be a pending acquire for
+ * this policy. */
+ found->reqid = 0;
+ }
+
+ if (found->activecount > 0)
+ {
+ /* is still used by SAs, keep in kernel */
+ this->mutex->unlock(this->mutex);
+ DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+ return SUCCESS;
+ }
+ else if (found->activecount == 0 && found->trapcount > 0)
+ {
+ /* for a policy that is not used actively anymore, but is still trapped
+ * by another child SA we replace the current eroute with a %trap eroute */
+ DBG2(DBG_KNL, "policy still routed by another CHILD_SA, not removed");
+ memset(&request, 0, sizeof(request));
+ build_addflow(msg, SADB_X_SATYPE_INT, htonl(SPI_TRAP), NULL, NULL,
+ found->src.net, found->src.mask, found->dst.net,
+ found->dst.mask, found->src.proto, TRUE);
+ this->mutex->unlock(this->mutex);
+ return pfkey_send_ack(this, msg);
+ }
+
+ /* remove if last reference */
+ this->policies->remove(this->policies, found, NULL);
+ policy = found;
+
+ this->mutex->unlock(this->mutex);
+
+ memset(&request, 0, sizeof(request));
+
+ build_delflow(msg, 0, policy->src.net, policy->src.mask, policy->dst.net,
+ policy->dst.mask, policy->src.proto);
+
+ route = policy->route;
+ policy->route = NULL;
+ policy_entry_destroy(policy);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
+ dst_ts, policy_dir_names, direction,
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+
+ if (route)
+ {
+ ipsec_dev_t *dev;
+
+ if (charon->kernel_interface->del_route(charon->kernel_interface,
+ route->dst_net, route->prefixlen, route->gateway,
+ route->src_ip, route->if_name) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "error uninstalling route installed with"
+ " policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ }
+
+ /* we have to detach the ipsec interface from the physical one over which
+ * this SA ran (if it is not used by any other) */
+ this->mutex->lock(this->mutex);
+
+ if (find_ipsec_dev(this, route->if_name, &dev) == SUCCESS)
+ {
+ /* fine, we found a matching device object, let's check if we have
+ * to detach it. */
+ if (--dev->refcount == 0)
+ {
+ if (detach_ipsec_dev(dev->name, dev->phys_name) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "failed to detach virtual interface %s"
+ " from %s", dev->name, dev->phys_name);
+ }
+ dev->phys_name[0] = '\0';
+ }
+ }
+
+ this->mutex->unlock(this->mutex);
+
+ route_entry_destroy(route);
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Initialize the list of ipsec devices
+ */
+static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
+{
+ int i, count = lib->settings->get_int(lib->settings,
+ "charon.plugins.kernel_klips.ipsec_dev_count",
+ DEFAULT_IPSEC_DEV_COUNT);
+
+ for (i = 0; i < count; ++i)
+ {
+ ipsec_dev_t *dev = malloc_thing(ipsec_dev_t);
+ snprintf(dev->name, IFNAMSIZ, IPSEC_DEV_PREFIX"%d", i);
+ dev->name[IFNAMSIZ - 1] = '\0';
+ dev->phys_name[0] = '\0';
+ dev->refcount = 0;
+ this->ipsec_devices->insert_last(this->ipsec_devices, dev);
+
+ /* detach any previously attached ipsec device */
+ detach_ipsec_dev(dev->name, dev->phys_name);
+ }
+}
+
+/**
+ * Register a socket for AQUIRE/EXPIRE messages
+ */
+static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_REGISTER;
+ msg->sadb_msg_satype = satype;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to register PF_KEY socket");
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.destroy.
+ */
+static void destroy(private_kernel_klips_ipsec_t *this)
+{
+ this->job->cancel(this->job);
+ close(this->socket);
+ close(this->socket_events);
+ this->mutex_pfkey->destroy(this->mutex_pfkey);
+ this->mutex->destroy(this->mutex);
+ this->ipsec_devices->destroy_function(this->ipsec_devices, (void*)ipsec_dev_destroy);
+ this->installed_sas->destroy_function(this->installed_sas, (void*)sa_entry_destroy);
+ this->allocated_spis->destroy_function(this->allocated_spis, (void*)sa_entry_destroy);
+ this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_klips_ipsec_t *kernel_klips_ipsec_create()
+{
+ private_kernel_klips_ipsec_t *this = malloc_thing(private_kernel_klips_ipsec_t);
+
+ /* public functions */
+ this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+ this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
+ this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+ this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
+ this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+ this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
+
+ this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
+
+ /* private members */
+ this->policies = linked_list_create();
+ this->allocated_spis = linked_list_create();
+ this->installed_sas = linked_list_create();
+ this->ipsec_devices = linked_list_create();
+ this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
+ this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
+ this->seq = 0;
+
+ /* initialize ipsec devices */
+ init_ipsec_devices(this);
+
+ /* create a PF_KEY socket to communicate with the kernel */
+ this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+ if (this->socket <= 0)
+ {
+ charon->kill(charon, "unable to create PF_KEY socket");
+ }
+
+ /* create a PF_KEY socket for ACQUIRE & EXPIRE */
+ this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+ if (this->socket_events <= 0)
+ {
+ charon->kill(charon, "unable to create PF_KEY event socket");
+ }
+
+ /* register the event socket */
+ if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+ register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+ {
+ charon->kill(charon, "unable to register PF_KEY event socket");
+ }
+
+ this->job = callback_job_create((callback_job_cb_t)receive_events,
+ this, NULL, NULL);
+ charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+ return &this->public;
+}
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
new file mode 100644
index 000000000..b16390ab4
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_klips_ipsec.h 4617 2008-11-11 08:45:19Z tobias $
+ */
+
+/**
+ * @defgroup kernel_klips_ipsec_i kernel_klips_ipsec
+ * @{ @ingroup kernel_klips
+ */
+
+#ifndef KERNEL_KLIPS_IPSEC_H_
+#define KERNEL_KLIPS_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_klips_ipsec_t kernel_klips_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using PF_KEY.
+ */
+struct kernel_klips_ipsec_t {
+
+ /**
+ * Implements kernel_ipsec_t interface
+ */
+ kernel_ipsec_t interface;
+};
+
+/**
+ * Create a PF_KEY kernel ipsec interface instance.
+ *
+ * @return kernel_klips_ipsec_t instance
+ */
+kernel_klips_ipsec_t *kernel_klips_ipsec_create();
+
+#endif /* KERNEL_KLIPS_IPSEC_H_ @} */
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
new file mode 100644
index 000000000..42d7307ec
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_klips_plugin.c 4617 2008-11-11 08:45:19Z tobias $
+ */
+
+
+#include "kernel_klips_plugin.h"
+
+#include "kernel_klips_ipsec.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t;
+
+/**
+ * private data of kernel PF_KEY plugin
+ */
+struct private_kernel_klips_plugin_t {
+ /**
+ * implements plugin interface
+ */
+ kernel_klips_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_klips_plugin_t *this)
+{
+ charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+ private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t);
+
+ this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+ charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+
+ return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
new file mode 100644
index 000000000..67c3b74c6
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_klips_plugin.h 4617 2008-11-11 08:45:19Z tobias $
+ */
+
+/**
+ * @defgroup kernel_klips kernel_klips
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_klips_plugin kernel_klips_plugin
+ * @{ @ingroup kernel_klips
+ */
+
+#ifndef KERNEL_KLIPS_PLUGIN_H_
+#define KERNEL_KLIPS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_klips_plugin_t kernel_klips_plugin_t;
+
+/**
+ * PF_KEY kernel interface plugin
+ */
+struct kernel_klips_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a kernel_klips_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* KERNEL_KLIPS_PLUGIN_H_ @} */
diff --git a/src/charon/plugins/kernel_klips/pfkeyv2.h b/src/charon/plugins/kernel_klips/pfkeyv2.h
new file mode 100644
index 000000000..78d3dfa91
--- /dev/null
+++ b/src/charon/plugins/kernel_klips/pfkeyv2.h
@@ -0,0 +1,322 @@
+/*
+RFC 2367 PF_KEY Key Management API July 1998
+
+
+Appendix D: Sample Header File
+
+This file defines structures and symbols for the PF_KEY Version 2
+key management interface. It was written at the U.S. Naval Research
+Laboratory. This file is in the public domain. The authors ask that
+you leave this credit intact on any copies of this file.
+*/
+#ifndef __PFKEY_V2_H
+#define __PFKEY_V2_H 1
+
+#define PF_KEY_V2 2
+#define PFKEYV2_REVISION 199806L
+
+#define SADB_RESERVED 0
+#define SADB_GETSPI 1
+#define SADB_UPDATE 2
+#define SADB_ADD 3
+#define SADB_DELETE 4
+#define SADB_GET 5
+#define SADB_ACQUIRE 6
+#define SADB_REGISTER 7
+#define SADB_EXPIRE 8
+#define SADB_FLUSH 9
+#define SADB_DUMP 10
+#define SADB_X_PROMISC 11
+#define SADB_X_PCHANGE 12
+#define SADB_X_GRPSA 13
+#define SADB_X_ADDFLOW 14
+#define SADB_X_DELFLOW 15
+#define SADB_X_DEBUG 16
+#define SADB_X_NAT_T_NEW_MAPPING 17
+#define SADB_MAX 17
+
+struct sadb_msg {
+ uint8_t sadb_msg_version;
+ uint8_t sadb_msg_type;
+ uint8_t sadb_msg_errno;
+ uint8_t sadb_msg_satype;
+ uint16_t sadb_msg_len;
+ uint16_t sadb_msg_reserved;
+ uint32_t sadb_msg_seq;
+ uint32_t sadb_msg_pid;
+};
+
+struct sadb_ext {
+ uint16_t sadb_ext_len;
+ uint16_t sadb_ext_type;
+};
+
+struct sadb_sa {
+ uint16_t sadb_sa_len;
+ uint16_t sadb_sa_exttype;
+ uint32_t sadb_sa_spi;
+ uint8_t sadb_sa_replay;
+ uint8_t sadb_sa_state;
+ uint8_t sadb_sa_auth;
+ uint8_t sadb_sa_encrypt;
+ uint32_t sadb_sa_flags;
+};
+
+struct sadb_lifetime {
+ uint16_t sadb_lifetime_len;
+ uint16_t sadb_lifetime_exttype;
+ uint32_t sadb_lifetime_allocations;
+ uint64_t sadb_lifetime_bytes;
+ uint64_t sadb_lifetime_addtime;
+ uint64_t sadb_lifetime_usetime;
+ uint32_t sadb_x_lifetime_packets;
+ uint32_t sadb_x_lifetime_reserved;
+};
+
+struct sadb_address {
+ uint16_t sadb_address_len;
+ uint16_t sadb_address_exttype;
+ uint8_t sadb_address_proto;
+ uint8_t sadb_address_prefixlen;
+ uint16_t sadb_address_reserved;
+};
+
+struct sadb_key {
+ uint16_t sadb_key_len;
+ uint16_t sadb_key_exttype;
+ uint16_t sadb_key_bits;
+ uint16_t sadb_key_reserved;
+};
+
+struct sadb_ident {
+ uint16_t sadb_ident_len;
+ uint16_t sadb_ident_exttype;
+ uint16_t sadb_ident_type;
+ uint16_t sadb_ident_reserved;
+ uint64_t sadb_ident_id;
+};
+
+struct sadb_sens {
+ uint16_t sadb_sens_len;
+ uint16_t sadb_sens_exttype;
+ uint32_t sadb_sens_dpd;
+ uint8_t sadb_sens_sens_level;
+ uint8_t sadb_sens_sens_len;
+ uint8_t sadb_sens_integ_level;
+ uint8_t sadb_sens_integ_len;
+ uint32_t sadb_sens_reserved;
+};
+
+struct sadb_prop {
+ uint16_t sadb_prop_len;
+ uint16_t sadb_prop_exttype;
+ uint8_t sadb_prop_replay;
+ uint8_t sadb_prop_reserved[3];
+};
+
+struct sadb_comb {
+ uint8_t sadb_comb_auth;
+ uint8_t sadb_comb_encrypt;
+ uint16_t sadb_comb_flags;
+ uint16_t sadb_comb_auth_minbits;
+ uint16_t sadb_comb_auth_maxbits;
+ uint16_t sadb_comb_encrypt_minbits;
+ uint16_t sadb_comb_encrypt_maxbits;
+ uint32_t sadb_comb_reserved;
+ uint32_t sadb_comb_soft_allocations;
+ uint32_t sadb_comb_hard_allocations;
+ uint64_t sadb_comb_soft_bytes;
+ uint64_t sadb_comb_hard_bytes;
+ uint64_t sadb_comb_soft_addtime;
+ uint64_t sadb_comb_hard_addtime;
+ uint64_t sadb_comb_soft_usetime;
+ uint64_t sadb_comb_hard_usetime;
+ uint32_t sadb_x_comb_soft_packets;
+ uint32_t sadb_x_comb_hard_packets;
+};
+
+struct sadb_supported {
+ uint16_t sadb_supported_len;
+ uint16_t sadb_supported_exttype;
+ uint32_t sadb_supported_reserved;
+};
+
+struct sadb_alg {
+ uint8_t sadb_alg_id;
+ uint8_t sadb_alg_ivlen;
+ uint16_t sadb_alg_minbits;
+ uint16_t sadb_alg_maxbits;
+ uint16_t sadb_alg_reserved;
+};
+
+struct sadb_spirange {
+ uint16_t sadb_spirange_len;
+ uint16_t sadb_spirange_exttype;
+ uint32_t sadb_spirange_min;
+ uint32_t sadb_spirange_max;
+ uint32_t sadb_spirange_reserved;
+};
+
+struct sadb_x_kmprivate {
+ uint16_t sadb_x_kmprivate_len;
+ uint16_t sadb_x_kmprivate_exttype;
+ uint32_t sadb_x_kmprivate_reserved;
+};
+
+struct sadb_x_satype {
+ uint16_t sadb_x_satype_len;
+ uint16_t sadb_x_satype_exttype;
+ uint8_t sadb_x_satype_satype;
+ uint8_t sadb_x_satype_reserved[3];
+};
+
+struct sadb_x_debug {
+ uint16_t sadb_x_debug_len;
+ uint16_t sadb_x_debug_exttype;
+ uint32_t sadb_x_debug_tunnel;
+ uint32_t sadb_x_debug_netlink;
+ uint32_t sadb_x_debug_xform;
+ uint32_t sadb_x_debug_eroute;
+ uint32_t sadb_x_debug_spi;
+ uint32_t sadb_x_debug_radij;
+ uint32_t sadb_x_debug_esp;
+ uint32_t sadb_x_debug_ah;
+ uint32_t sadb_x_debug_rcv;
+ uint32_t sadb_x_debug_pfkey;
+ uint32_t sadb_x_debug_ipcomp;
+ uint32_t sadb_x_debug_verbose;
+ uint8_t sadb_x_debug_reserved[4];
+};
+
+struct sadb_x_nat_t_type {
+ uint16_t sadb_x_nat_t_type_len;
+ uint16_t sadb_x_nat_t_type_exttype;
+ uint8_t sadb_x_nat_t_type_type;
+ uint8_t sadb_x_nat_t_type_reserved[3];
+};
+struct sadb_x_nat_t_port {
+ uint16_t sadb_x_nat_t_port_len;
+ uint16_t sadb_x_nat_t_port_exttype;
+ uint16_t sadb_x_nat_t_port_port;
+ uint16_t sadb_x_nat_t_port_reserved;
+};
+
+/*
+ * A protocol structure for passing through the transport level
+ * protocol. It contains more fields than are actually used/needed
+ * but it is this way to be compatible with the structure used in
+ * OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
+ */
+struct sadb_protocol {
+ uint16_t sadb_protocol_len;
+ uint16_t sadb_protocol_exttype;
+ uint8_t sadb_protocol_proto;
+ uint8_t sadb_protocol_direction;
+ uint8_t sadb_protocol_flags;
+ uint8_t sadb_protocol_reserved2;
+};
+
+#define SADB_EXT_RESERVED 0
+#define SADB_EXT_SA 1
+#define SADB_EXT_LIFETIME_CURRENT 2
+#define SADB_EXT_LIFETIME_HARD 3
+#define SADB_EXT_LIFETIME_SOFT 4
+#define SADB_EXT_ADDRESS_SRC 5
+#define SADB_EXT_ADDRESS_DST 6
+#define SADB_EXT_ADDRESS_PROXY 7
+#define SADB_EXT_KEY_AUTH 8
+#define SADB_EXT_KEY_ENCRYPT 9
+#define SADB_EXT_IDENTITY_SRC 10
+#define SADB_EXT_IDENTITY_DST 11
+#define SADB_EXT_SENSITIVITY 12
+#define SADB_EXT_PROPOSAL 13
+#define SADB_EXT_SUPPORTED_AUTH 14
+#define SADB_EXT_SUPPORTED_ENCRYPT 15
+#define SADB_EXT_SPIRANGE 16
+#define SADB_X_EXT_KMPRIVATE 17
+#define SADB_X_EXT_SATYPE2 18
+#define SADB_X_EXT_SA2 19
+#define SADB_X_EXT_ADDRESS_DST2 20
+#define SADB_X_EXT_ADDRESS_SRC_FLOW 21
+#define SADB_X_EXT_ADDRESS_DST_FLOW 22
+#define SADB_X_EXT_ADDRESS_SRC_MASK 23
+#define SADB_X_EXT_ADDRESS_DST_MASK 24
+#define SADB_X_EXT_DEBUG 25
+#define SADB_X_EXT_PROTOCOL 26
+#define SADB_X_EXT_NAT_T_TYPE 27
+#define SADB_X_EXT_NAT_T_SPORT 28
+#define SADB_X_EXT_NAT_T_DPORT 29
+#define SADB_X_EXT_NAT_T_OA 30
+#define SADB_EXT_MAX 30
+
+/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
+#define SADB_X_EXT_ADDRESS_DELFLOW \
+ ( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
+ | (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
+ | (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
+ | (1<<SADB_X_EXT_ADDRESS_DST_MASK))
+
+#define SADB_SATYPE_UNSPEC 0
+#define SADB_SATYPE_AH 2
+#define SADB_SATYPE_ESP 3
+#define SADB_SATYPE_RSVP 5
+#define SADB_SATYPE_OSPFV2 6
+#define SADB_SATYPE_RIPV2 7
+#define SADB_SATYPE_MIP 8
+#define SADB_X_SATYPE_IPIP 9
+#define SADB_X_SATYPE_COMP 10
+#define SADB_X_SATYPE_INT 11
+#define SADB_SATYPE_MAX 11
+
+#define SADB_SASTATE_LARVAL 0
+#define SADB_SASTATE_MATURE 1
+#define SADB_SASTATE_DYING 2
+#define SADB_SASTATE_DEAD 3
+#define SADB_SASTATE_MAX 3
+
+#define SADB_SAFLAGS_PFS 1
+#define SADB_X_SAFLAGS_REPLACEFLOW 2
+#define SADB_X_SAFLAGS_CLEARFLOW 4
+#define SADB_X_SAFLAGS_INFLOW 8
+
+#define SADB_AALG_NONE 0
+#define SADB_AALG_MD5HMAC 2
+#define SADB_AALG_SHA1HMAC 3
+#define SADB_AALG_SHA256_HMAC 5
+#define SADB_AALG_SHA384_HMAC 6
+#define SADB_AALG_SHA512_HMAC 7
+#define SADB_AALG_RIPEMD160HMAC 8
+#define SADB_AALG_MAX 15
+
+#define SADB_EALG_NONE 0
+#define SADB_EALG_DESCBC 2
+#define SADB_EALG_3DESCBC 3
+#define SADB_EALG_BFCBC 7
+#define SADB_EALG_NULL 11
+#define SADB_EALG_AESCBC 12
+#define SADB_EALG_MAX 255
+
+#define SADB_X_CALG_NONE 0
+#define SADB_X_CALG_OUI 1
+#define SADB_X_CALG_DEFLATE 2
+#define SADB_X_CALG_LZS 3
+#define SADB_X_CALG_V42BIS 4
+#define SADB_X_CALG_MAX 4
+
+#define SADB_X_TALG_NONE 0
+#define SADB_X_TALG_IPv4_in_IPv4 1
+#define SADB_X_TALG_IPv6_in_IPv4 2
+#define SADB_X_TALG_IPv4_in_IPv6 3
+#define SADB_X_TALG_IPv6_in_IPv6 4
+#define SADB_X_TALG_MAX 4
+
+
+#define SADB_IDENTTYPE_RESERVED 0
+#define SADB_IDENTTYPE_PREFIX 1
+#define SADB_IDENTTYPE_FQDN 2
+#define SADB_IDENTTYPE_USERFQDN 3
+#define SADB_X_IDENTTYPE_CONNECTION 4
+#define SADB_IDENTTYPE_MAX 4
+
+#define SADB_KEY_FLAGS_MAX 0
+#endif /* __PFKEY_V2_H */
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 7b78f9eb1..70a0b3e7c 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2008 Andreas Steffen
* Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005 Jan Hutter
@@ -16,17 +17,18 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: kernel_netlink_ipsec.c 4406 2008-10-10 08:36:01Z martin $
+ * $Id: kernel_netlink_ipsec.c 4662 2008-11-16 21:19:58Z andreas $
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
+#include <stdint.h>
+#include <linux/ipsec.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>
#include <linux/udp.h>
-#include <netinet/in.h>
#include <pthread.h>
#include <unistd.h>
#include <errno.h>
@@ -36,9 +38,11 @@
#include "kernel_netlink_shared.h"
#include <daemon.h>
+#include <utils/mutex.h>
#include <utils/linked_list.h>
#include <processing/jobs/callback_job.h>
#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/migrate_job.h>
#include <processing/jobs/rekey_child_sa_job.h>
#include <processing/jobs/delete_child_sa_job.h>
#include <processing/jobs/update_sa_job.h>
@@ -48,6 +52,11 @@
#define XFRM_STATE_AF_UNSPEC 32
#endif
+/** from linux/in.h */
+#ifndef IP_IPSEC_POLICY
+#define IP_IPSEC_POLICY 16
+#endif
+
/** default priority of installed policies */
#define PRIO_LOW 3000
#define PRIO_HIGH 2000
@@ -76,30 +85,41 @@
typedef struct kernel_algorithm_t kernel_algorithm_t;
/**
- * Mapping from the algorithms defined in IKEv2 to
- * kernel level algorithm names and their key length
+ * Mapping of IKEv2 kernel identifier to linux crypto API names
*/
struct kernel_algorithm_t {
/**
* Identifier specified in IKEv2
*/
- int ikev2_id;
+ int ikev2;
/**
- * Name of the algorithm, as used as kernel identifier
+ * Name of the algorithm in linux crypto API
*/
char *name;
-
- /**
- * Key length in bits, if fixed size
- */
- u_int key_size;
};
-ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
- "in",
- "out",
- "fwd"
+ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
+ "XFRMA_UNSPEC",
+ "XFRMA_ALG_AUTH",
+ "XFRMA_ALG_CRYPT",
+ "XFRMA_ALG_COMP",
+ "XFRMA_ENCAP",
+ "XFRMA_TMPL",
+ "XFRMA_SA",
+ "XFRMA_POLICY",
+ "XFRMA_SEC_CTX",
+ "XFRMA_LTIME_VAL",
+ "XFRMA_REPLAY_VAL",
+ "XFRMA_REPLAY_THRESH",
+ "XFRMA_ETIMER_THRESH",
+ "XFRMA_SRCADDR",
+ "XFRMA_COADDR",
+ "XFRMA_LASTUSED",
+ "XFRMA_POLICY_TYPE",
+ "XFRMA_MIGRATE",
+ "XFRMA_ALG_AEAD",
+ "XFRMA_KMADDRESS"
);
#define END_OF_LIST -1
@@ -108,71 +128,65 @@ ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
* Algorithms for encryption
*/
static kernel_algorithm_t encryption_algs[] = {
-/* {ENCR_DES_IV64, "***", 0}, */
- {ENCR_DES, "des", 64},
- {ENCR_3DES, "des3_ede", 192},
-/* {ENCR_RC5, "***", 0}, */
-/* {ENCR_IDEA, "***", 0}, */
- {ENCR_CAST, "cast128", 0},
- {ENCR_BLOWFISH, "blowfish", 0},
-/* {ENCR_3IDEA, "***", 0}, */
-/* {ENCR_DES_IV32, "***", 0}, */
- {ENCR_NULL, "cipher_null", 0},
- {ENCR_AES_CBC, "aes", 0},
-/* {ENCR_AES_CTR, "***", 0}, */
- {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))", 64}, /* key_size = ICV size */
- {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))", 96}, /* key_size = ICV size */
- {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))", 128}, /* key_size = ICV size */
- {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))", 64}, /* key_size = ICV size */
- {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))", 96}, /* key_size = ICV size */
- {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))", 128}, /* key_size = ICV size */
- {END_OF_LIST, NULL, 0},
+/* {ENCR_DES_IV64, "***" }, */
+ {ENCR_DES, "des" },
+ {ENCR_3DES, "des3_ede" },
+/* {ENCR_RC5, "***" }, */
+/* {ENCR_IDEA, "***" }, */
+ {ENCR_CAST, "cast128" },
+ {ENCR_BLOWFISH, "blowfish" },
+/* {ENCR_3IDEA, "***" }, */
+/* {ENCR_DES_IV32, "***" }, */
+ {ENCR_NULL, "cipher_null" },
+ {ENCR_AES_CBC, "aes" },
+/* {ENCR_AES_CTR, "***" }, */
+ {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
+ {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
+ {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
+ {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
+ {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
+ {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
+ {END_OF_LIST, NULL },
};
/**
* Algorithms for integrity protection
*/
static kernel_algorithm_t integrity_algs[] = {
- {AUTH_HMAC_MD5_96, "md5", 128},
- {AUTH_HMAC_SHA1_96, "sha1", 160},
- {AUTH_HMAC_SHA2_256_128, "sha256", 256},
- {AUTH_HMAC_SHA2_384_192, "sha384", 384},
- {AUTH_HMAC_SHA2_512_256, "sha512", 512},
-/* {AUTH_DES_MAC, "***", 0}, */
-/* {AUTH_KPDK_MD5, "***", 0}, */
- {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
- {END_OF_LIST, NULL, 0},
+ {AUTH_HMAC_MD5_96, "md5" },
+ {AUTH_HMAC_SHA1_96, "sha1" },
+ {AUTH_HMAC_SHA2_256_128, "sha256" },
+ {AUTH_HMAC_SHA2_384_192, "sha384" },
+ {AUTH_HMAC_SHA2_512_256, "sha512" },
+/* {AUTH_DES_MAC, "***" }, */
+/* {AUTH_KPDK_MD5, "***" }, */
+ {AUTH_AES_XCBC_96, "xcbc(aes)" },
+ {END_OF_LIST, NULL },
};
/**
* Algorithms for IPComp
*/
static kernel_algorithm_t compression_algs[] = {
-/* {IPCOMP_OUI, "***", 0}, */
- {IPCOMP_DEFLATE, "deflate", 0},
- {IPCOMP_LZS, "lzs", 0},
- {IPCOMP_LZJH, "lzjh", 0},
- {END_OF_LIST, NULL, 0},
+/* {IPCOMP_OUI, "***" }, */
+ {IPCOMP_DEFLATE, "deflate" },
+ {IPCOMP_LZS, "lzs" },
+ {IPCOMP_LZJH, "lzjh" },
+ {END_OF_LIST, NULL },
};
/**
* Look up a kernel algorithm name and its key size
*/
-static char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
- u_int16_t ikev2_algo, u_int16_t *key_size)
+static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
{
- while (kernel_algo->ikev2_id != END_OF_LIST)
+ while (list->ikev2 != END_OF_LIST)
{
- if (ikev2_algo == kernel_algo->ikev2_id)
+ if (list->ikev2 == ikev2)
{
- /* match, evaluate key length */
- if (key_size && *key_size == 0)
- { /* update key size if not set */
- *key_size = kernel_algo->key_size;
- }
- return kernel_algo->name;
+ return list->name;
}
- kernel_algo++;
+ list++;
}
return NULL;
}
@@ -221,9 +235,6 @@ struct policy_entry_t {
/** direction of this policy: in, out, forward */
u_int8_t direction;
- /** reqid of the policy */
- u_int32_t reqid;
-
/** parameters of installed policy */
struct xfrm_selector sel;
@@ -248,7 +259,7 @@ struct private_kernel_netlink_ipsec_t {
/**
* mutex to lock access to various lists
*/
- pthread_mutex_t mutex;
+ mutex_t *mutex;
/**
* List of installed policies (policy_entry_t)
@@ -344,41 +355,13 @@ static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
static void ts2subnet(traffic_selector_t* ts,
xfrm_address_t *net, u_int8_t *mask)
{
- /* there is no way to do this cleanly, as the address range may
- * be anything else but a subnet. We use from_addr as subnet
- * and try to calculate a usable subnet mask.
- */
- int byte, bit;
- bool found = FALSE;
- chunk_t from, to;
- size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-
- from = ts->get_from_address(ts);
- to = ts->get_to_address(ts);
+ host_t *net_host;
+ chunk_t net_chunk;
- *mask = (size * 8);
- /* go trough all bits of the addresses, beginning in the front.
- * as long as they are equal, the subnet gets larger
- */
- for (byte = 0; byte < size; byte++)
- {
- for (bit = 7; bit >= 0; bit--)
- {
- if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
- {
- *mask = ((7 - bit) + (byte * 8));
- found = TRUE;
- break;
- }
- }
- if (found)
- {
- break;
- }
- }
- memcpy(net, from.ptr, from.len);
- chunk_free(&from);
- chunk_free(&to);
+ ts->to_subnet(ts, &net_host, mask);
+ net_chunk = net_host->get_address(net_host);
+ memcpy(net, net_chunk.ptr, net_chunk.len);
+ net_host->destroy(net_host);
}
/**
@@ -430,6 +413,57 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
return sel;
}
+/**
+ * convert a xfrm_selector to a src|dst traffic_selector
+ */
+static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+{
+ int family;
+ chunk_t addr;
+ u_int8_t prefixlen;
+ u_int16_t port, port_mask;
+ host_t *host;
+ traffic_selector_t *ts;
+
+ if (src)
+ {
+ addr.ptr = (u_char*)&sel->saddr;
+ prefixlen = sel->prefixlen_s;
+ port = sel->sport;
+ port_mask = sel->sport_mask;
+ }
+ else
+ {
+ addr.ptr = (u_char*)&sel->daddr;
+ prefixlen = sel->prefixlen_d;
+ port = sel->dport;
+ port_mask = sel->dport_mask;
+ }
+
+ /* The Linux 2.6 kernel does not set the selector's family field,
+ * so as a kludge we additionally test the prefix length.
+ */
+ if (sel->family == AF_INET || sel->prefixlen_s == 32)
+ {
+ family = AF_INET;
+ addr.len = 4;
+ }
+ else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
+ {
+ family = AF_INET6;
+ addr.len = 16;
+ }
+ else
+ {
+ return NULL;
+ }
+ host = host_create_from_chunk(family, addr, 0);
+ port = (port_mask == 0) ? 0 : ntohs(port);
+
+ ts = traffic_selector_create_from_subnet(host, prefixlen, sel->proto, port);
+ host->destroy(host);
+ return ts;
+}
/**
* process a XFRM_MSG_ACQUIRE from kernel
@@ -438,18 +472,31 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd
{
u_int32_t reqid = 0;
int proto = 0;
+ traffic_selector_t *src_ts, *dst_ts;
+ struct xfrm_user_acquire *acquire;
+ struct rtattr *rta;
+ size_t rtasize;
job_t *job;
- struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
- size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
- if (RTA_OK(rtattr, rtsize))
+ acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
+ rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
+ rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
+
+ DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
+
+ while (RTA_OK(rta, rtasize))
{
- if (rtattr->rta_type == XFRMA_TMPL)
+ DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
+
+ if (rta->rta_type == XFRMA_TMPL)
{
- struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
+ struct xfrm_user_tmpl* tmpl;
+
+ tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
reqid = tmpl->reqid;
proto = tmpl->id.proto;
}
+ rta = RTA_NEXT(rta, rtasize);
}
switch (proto)
{
@@ -461,14 +508,11 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd
/* acquire for AH/ESP only, not for IPCOMP */
return;
}
- if (reqid == 0)
- {
- DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
- return;
- }
- DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
- DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
- job = (job_t*)acquire_job_create(reqid);
+ src_ts = selector2ts(&acquire->sel, TRUE);
+ dst_ts = selector2ts(&acquire->sel, FALSE);
+ DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
+ src_ts, dst_ts, reqid);
+ job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
charon->processor->queue_job(charon->processor, job);
}
@@ -491,7 +535,7 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr
if (protocol != PROTO_ESP && protocol != PROTO_AH)
{
- DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%d} "
+ DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
"which is not a CHILD_SA", ntohl(spi), reqid);
return;
}
@@ -511,6 +555,86 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr
}
/**
+ * process a XFRM_MSG_MIGRATE from kernel
+ */
+static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
+{
+ traffic_selector_t *src_ts, *dst_ts;
+ host_t *local = NULL, *remote = NULL;
+ host_t *old_src = NULL, *old_dst = NULL;
+ host_t *new_src = NULL, *new_dst = NULL;
+ struct xfrm_userpolicy_id *policy_id;
+ struct rtattr *rta;
+ size_t rtasize;
+ u_int32_t reqid = 0;
+ policy_dir_t dir;
+ job_t *job;
+
+ policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+ rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+ rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
+
+ DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
+
+ src_ts = selector2ts(&policy_id->sel, TRUE);
+ dst_ts = selector2ts(&policy_id->sel, FALSE);
+ dir = (policy_dir_t)policy_id->dir;
+
+ DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
+
+ while (RTA_OK(rta, rtasize))
+ {
+ DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
+ if (rta->rta_type == XFRMA_KMADDRESS)
+ {
+ struct xfrm_user_kmaddress *kmaddress;
+
+ kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
+ local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
+ remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
+ DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
+ }
+ else if (rta->rta_type == XFRMA_MIGRATE)
+ {
+ struct xfrm_user_migrate *migrate;
+ protocol_id_t proto;
+
+ migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
+ old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
+ old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
+ new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
+ new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
+ proto = proto_kernel2ike(migrate->proto);
+ reqid = migrate->reqid;
+ DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
+ protocol_id_names, proto, old_src, old_dst,
+ new_src, new_dst, reqid);
+ DESTROY_IF(old_src);
+ DESTROY_IF(old_dst);
+ DESTROY_IF(new_src);
+ DESTROY_IF(new_dst);
+ }
+ rta = RTA_NEXT(rta, rtasize);
+ }
+
+ if (src_ts && dst_ts && local && remote)
+ {
+ DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
+ src_ts, dst_ts, policy_dir_names, dir, reqid, local);
+ job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
+ local, remote);
+ charon->processor->queue_job(charon->processor, job);
+ }
+ else
+ {
+ DESTROY_IF(src_ts);
+ DESTROY_IF(dst_ts);
+ DESTROY_IF(local);
+ DESTROY_IF(remote);
+ }
+}
+
+/**
* process a XFRM_MSG_MAPPING from kernel
*/
static void process_mapping(private_kernel_netlink_ipsec_t *this,
@@ -534,7 +658,7 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
if (host)
{
DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
- "reqid {%d} changed, queueing update job", ntohl(spi), reqid);
+ "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
job = (job_t*)update_sa_job_create(reqid, host);
charon->processor->queue_job(charon->processor, job);
}
@@ -589,6 +713,9 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
case XFRM_MSG_EXPIRE:
process_expire(this, hdr);
break;
+ case XFRM_MSG_MIGRATE:
+ process_migrate(this, hdr);
+ break;
case XFRM_MSG_MAPPING:
process_mapping(this, hdr);
break;
@@ -601,71 +728,13 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
}
/**
- * Tries to find an ip address of a local interface that is included in the
- * supplied traffic selector.
- */
-static status_t get_address_by_ts(private_kernel_netlink_ipsec_t *this,
- traffic_selector_t *ts, host_t **ip)
-{
- enumerator_t *addrs;
- host_t *host;
- int family;
- bool found = FALSE;
-
- DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
-
- /* if we have a family which includes localhost, we do not
- * search for an IP, we use the default */
- family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
-
- if (family == AF_INET)
- {
- host = host_create_from_string("127.0.0.1", 0);
- }
- else
- {
- host = host_create_from_string("::1", 0);
- }
-
- if (ts->includes(ts, host))
- {
- *ip = host_create_any(family);
- host->destroy(host);
- DBG2(DBG_KNL, "using host %H", *ip);
- return SUCCESS;
- }
- host->destroy(host);
-
- addrs = charon->kernel_interface->create_address_enumerator(
- charon->kernel_interface, TRUE, TRUE);
- while (addrs->enumerate(addrs, (void**)&host))
- {
- if (ts->includes(ts, host))
- {
- found = TRUE;
- *ip = host->clone(host);
- break;
- }
- }
- addrs->destroy(addrs);
-
- if (!found)
- {
- DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
- return FAILED;
- }
- DBG2(DBG_KNL, "using host %H", *ip);
- return SUCCESS;
-}
-
-/**
* Get an SPI for a specific protocol from the kernel.
*/
static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
u_int32_t reqid, u_int32_t *spi)
{
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct nlmsghdr *hdr, *out;
struct xfrm_userspi_info *userspi;
u_int32_t received_spi = 0;
@@ -737,16 +806,16 @@ static status_t get_spi(private_kernel_netlink_ipsec_t *this,
protocol_id_t protocol, u_int32_t reqid,
u_int32_t *spi)
{
- DBG2(DBG_KNL, "getting SPI for reqid {%d}", reqid);
+ DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
{
- DBG1(DBG_KNL, "unable to get SPI for reqid {%d}", reqid);
+ DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
return FAILED;
}
- DBG2(DBG_KNL, "got SPI %.8x for reqid {%d}", ntohl(*spi), reqid);
+ DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
return SUCCESS;
}
@@ -760,18 +829,18 @@ static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
{
u_int32_t received_spi = 0;
- DBG2(DBG_KNL, "getting CPI for reqid {%d}", reqid);
+ DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
if (get_spi_internal(this, src, dst,
IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
{
- DBG1(DBG_KNL, "unable to get CPI for reqid {%d}", reqid);
+ DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
return FAILED;
}
*cpi = htons((u_int16_t)ntohl(received_spi));
- DBG2(DBG_KNL, "got CPI %.4x for reqid {%d}", ntohs(*cpi), reqid);
+ DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
return SUCCESS;
}
@@ -783,26 +852,35 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
host_t *src, host_t *dst, u_int32_t spi,
protocol_id_t protocol, u_int32_t reqid,
u_int64_t expire_soft, u_int64_t expire_hard,
- u_int16_t enc_alg, u_int16_t enc_size,
- u_int16_t int_alg, u_int16_t int_size,
- prf_plus_t *prf_plus, ipsec_mode_t mode,
- u_int16_t ipcomp, bool encap,
- bool replace)
+ u_int16_t enc_alg, chunk_t enc_key,
+ u_int16_t int_alg, chunk_t int_key,
+ ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ bool encap, bool inbound)
{
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
char *alg_name;
- /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
- u_int16_t add_keymat = 32;
struct nlmsghdr *hdr;
struct xfrm_usersa_info *sa;
+ u_int16_t icv_size = 64;
+
+ /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
+ * we are in the recursive call below */
+ if (ipcomp != IPCOMP_NONE && cpi != 0)
+ {
+ add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, 0, 0,
+ ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
+ mode, ipcomp, 0, FALSE, inbound);
+ ipcomp = IPCOMP_NONE;
+ }
memset(&request, 0, sizeof(request));
- DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-
+ DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
+ ntohl(spi), reqid);
+
hdr = (struct nlmsghdr*)request;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
- hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+ hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
@@ -836,19 +914,19 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
case ENCR_UNDEFINED:
/* no encryption */
break;
- case ENCR_AES_CCM_ICV8:
- case ENCR_AES_CCM_ICV12:
case ENCR_AES_CCM_ICV16:
- /* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
- add_keymat = 24;
- /* fall-through */
- case ENCR_AES_GCM_ICV8:
- case ENCR_AES_GCM_ICV12:
case ENCR_AES_GCM_ICV16:
+ icv_size += 32;
+ /* FALL */
+ case ENCR_AES_CCM_ICV12:
+ case ENCR_AES_GCM_ICV12:
+ icv_size += 32;
+ /* FALL */
+ case ENCR_AES_CCM_ICV8:
+ case ENCR_AES_GCM_ICV8:
{
- u_int16_t icv_size = 0;
rthdr->rta_type = XFRMA_ALG_AEAD;
- alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
+ alg_name = lookup_algorithm(encryption_algs, enc_alg);
if (alg_name == NULL)
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
@@ -856,12 +934,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
return FAILED;
}
DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
- encryption_algorithm_names, enc_alg, enc_size);
+ encryption_algorithm_names, enc_alg, enc_key.len * 8);
- /* additional KEYMAT required */
- enc_size += add_keymat;
-
- rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
hdr->nlmsg_len += rthdr->rta_len;
if (hdr->nlmsg_len > sizeof(request))
{
@@ -869,10 +944,10 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
}
struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
- algo->alg_key_len = enc_size;
+ algo->alg_key_len = enc_key.len * 8;
algo->alg_icv_len = icv_size;
strcpy(algo->alg_name, alg_name);
- prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
+ memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
rthdr = XFRM_RTA_NEXT(rthdr);
break;
@@ -880,7 +955,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
default:
{
rthdr->rta_type = XFRMA_ALG_CRYPT;
- alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
+ alg_name = lookup_algorithm(encryption_algs, enc_alg);
if (alg_name == NULL)
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
@@ -888,9 +963,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
return FAILED;
}
DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
- encryption_algorithm_names, enc_alg, enc_size);
+ encryption_algorithm_names, enc_alg, enc_key.len * 8);
- rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
hdr->nlmsg_len += rthdr->rta_len;
if (hdr->nlmsg_len > sizeof(request))
{
@@ -898,9 +973,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
}
struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
- algo->alg_key_len = enc_size;
+ algo->alg_key_len = enc_key.len * 8;
strcpy(algo->alg_name, alg_name);
- prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
+ memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
rthdr = XFRM_RTA_NEXT(rthdr);
break;
@@ -910,7 +985,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
if (int_alg != AUTH_UNDEFINED)
{
rthdr->rta_type = XFRMA_ALG_AUTH;
- alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
+ alg_name = lookup_algorithm(integrity_algs, int_alg);
if (alg_name == NULL)
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
@@ -918,9 +993,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
return FAILED;
}
DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
- integrity_algorithm_names, int_alg, int_size);
+ integrity_algorithm_names, int_alg, int_key.len * 8);
- rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
hdr->nlmsg_len += rthdr->rta_len;
if (hdr->nlmsg_len > sizeof(request))
{
@@ -928,9 +1003,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
}
struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
- algo->alg_key_len = int_size;
+ algo->alg_key_len = int_key.len * 8;
strcpy(algo->alg_name, alg_name);
- prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
+ memcpy(algo->alg_key, int_key.ptr, int_key.len);
rthdr = XFRM_RTA_NEXT(rthdr);
}
@@ -938,7 +1013,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
if (ipcomp != IPCOMP_NONE)
{
rthdr->rta_type = XFRMA_ALG_COMP;
- alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
+ alg_name = lookup_algorithm(compression_algs, ipcomp);
if (alg_name == NULL)
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
@@ -1005,7 +1080,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
u_int32_t spi, protocol_id_t protocol, host_t *dst,
struct xfrm_replay_state *replay)
{
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct nlmsghdr *hdr, *out = NULL;
struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
size_t len;
@@ -1020,7 +1095,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
hdr->nlmsg_flags = NLM_F_REQUEST;
hdr->nlmsg_type = XFRM_MSG_GETAE;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
-
+
aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
aevent_id->flags = XFRM_AE_RVAL;
@@ -1070,9 +1145,10 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
while(RTA_OK(rta, rtasize))
{
- if (rta->rta_type == XFRMA_REPLAY_VAL)
+ if (rta->rta_type == XFRMA_REPLAY_VAL &&
+ RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
{
- memcpy(replay, RTA_DATA(rta), rta->rta_len);
+ memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
free(out);
return SUCCESS;
}
@@ -1086,14 +1162,56 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
}
/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+ netlink_buf_t request;
+ struct nlmsghdr *hdr;
+ struct xfrm_usersa_id *sa_id;
+
+ /* if IPComp was used, we first delete the additional IPComp SA */
+ if (cpi)
+ {
+ del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ hdr->nlmsg_type = XFRM_MSG_DELSA;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+ sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+ host2xfrm(dst, &sa_id->daddr);
+ sa_id->spi = spi;
+ sa_id->proto = proto_ike2kernel(protocol);
+ sa_id->family = dst->get_family(dst);
+
+ if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+ return SUCCESS;
+}
+
+/**
* Implementation of kernel_interface_t.update_sa.
*/
static status_t update_sa(private_kernel_netlink_ipsec_t *this,
- u_int32_t spi, protocol_id_t protocol,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
host_t *src, host_t *dst,
- host_t *new_src, host_t *new_dst, bool encap)
+ host_t *new_src, host_t *new_dst,
+ bool old_encap, bool new_encap)
{
- unsigned char request[NETLINK_BUFFER_SIZE], *pos;
+ netlink_buf_t request;
+ u_char *pos;
struct nlmsghdr *hdr, *out = NULL;
struct xfrm_usersa_id *sa_id;
struct xfrm_usersa_info *out_sa = NULL, *sa;
@@ -1101,19 +1219,26 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
struct rtattr *rta;
size_t rtasize;
struct xfrm_encap_tmpl* tmpl = NULL;
- bool got_replay_state;
+ bool got_replay_state = FALSE;
struct xfrm_replay_state replay;
+ /* if IPComp is used, we first update the IPComp SA */
+ if (cpi)
+ {
+ update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
+ src, dst, new_src, new_dst, FALSE, FALSE);
+ }
+
memset(&request, 0, sizeof(request));
DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
-
+
/* query the existing SA first */
hdr = (struct nlmsghdr*)request;
hdr->nlmsg_flags = NLM_F_REQUEST;
hdr->nlmsg_type = XFRM_MSG_GETSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
+
sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
host2xfrm(dst, &sa_id->daddr);
sa_id->spi = spi;
@@ -1156,11 +1281,13 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
}
/* try to get the replay state */
- got_replay_state = (get_replay_state(
- this, spi, protocol, dst, &replay) == SUCCESS);
+ if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
+ {
+ got_replay_state = TRUE;
+ }
- /* delete the old SA */
- if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
+ /* delete the old SA (without affecting the IPComp SA) */
+ if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
{
DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
free(out);
@@ -1169,7 +1296,6 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
ntohl(spi), src, dst, new_src, new_dst);
-
/* copy over the SA from out to request */
hdr = (struct nlmsghdr*)request;
memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
@@ -1194,7 +1320,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
while(RTA_OK(rta, rtasize))
{
/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
- if (rta->rta_type != XFRMA_ENCAP || encap)
+ if (rta->rta_type != XFRMA_ENCAP || new_encap)
{
if (rta->rta_type == XFRMA_ENCAP)
{ /* update encap tmpl */
@@ -1210,7 +1336,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
}
rta = (struct rtattr*)pos;
- if (tmpl == NULL && encap)
+ if (tmpl == NULL && new_encap)
{ /* add tmpl if we are enabling it */
rta->rta_type = XFRMA_ENCAP;
rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
@@ -1257,122 +1383,21 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
}
/**
- * Implementation of kernel_interface_t.query_sa.
- */
-static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
- u_int32_t spi, protocol_id_t protocol,
- u_int32_t *use_time)
-{
- unsigned char request[NETLINK_BUFFER_SIZE];
- struct nlmsghdr *out = NULL, *hdr;
- struct xfrm_usersa_id *sa_id;
- struct xfrm_usersa_info *sa = NULL;
- size_t len;
-
- DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
- memset(&request, 0, sizeof(request));
-
- hdr = (struct nlmsghdr*)request;
- hdr->nlmsg_flags = NLM_F_REQUEST;
- hdr->nlmsg_type = XFRM_MSG_GETSA;
- hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-
- sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
- host2xfrm(dst, &sa_id->daddr);
- sa_id->spi = spi;
- sa_id->proto = proto_ike2kernel(protocol);
- sa_id->family = dst->get_family(dst);
-
- if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
- {
- hdr = out;
- while (NLMSG_OK(hdr, len))
- {
- switch (hdr->nlmsg_type)
- {
- case XFRM_MSG_NEWSA:
- {
- sa = NLMSG_DATA(hdr);
- break;
- }
- case NLMSG_ERROR:
- {
- struct nlmsgerr *err = NLMSG_DATA(hdr);
- DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
- strerror(-err->error), -err->error);
- break;
- }
- default:
- hdr = NLMSG_NEXT(hdr, len);
- continue;
- case NLMSG_DONE:
- break;
- }
- break;
- }
- }
-
- if (sa == NULL)
- {
- DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
- free(out);
- return FAILED;
- }
-
- *use_time = sa->curlft.use_time;
- free (out);
- return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
- u_int32_t spi, protocol_id_t protocol)
-{
- unsigned char request[NETLINK_BUFFER_SIZE];
- struct nlmsghdr *hdr;
- struct xfrm_usersa_id *sa_id;
-
- memset(&request, 0, sizeof(request));
-
- DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-
- hdr = (struct nlmsghdr*)request;
- hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
- hdr->nlmsg_type = XFRM_MSG_DELSA;
- hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
- sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
- host2xfrm(dst, &sa_id->daddr);
- sa_id->spi = spi;
- sa_id->proto = proto_ike2kernel(protocol);
- sa_id->family = dst->get_family(dst);
-
- if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
- {
- DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
- return FAILED;
- }
- DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
- return SUCCESS;
-}
-
-/**
* Implementation of kernel_interface_t.add_policy.
*/
static status_t add_policy(private_kernel_netlink_ipsec_t *this,
host_t *src, host_t *dst,
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
- policy_dir_t direction, protocol_id_t protocol,
- u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
- u_int16_t ipcomp)
+ policy_dir_t direction, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ bool routed)
{
iterator_t *iterator;
policy_entry_t *current, *policy;
bool found = FALSE;
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct xfrm_userpolicy_info *policy_info;
struct nlmsghdr *hdr;
@@ -1383,7 +1408,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
policy->direction = direction;
/* find the policy, which matches EXACTLY */
- pthread_mutex_lock(&this->mutex);
+ this->mutex->lock(this->mutex);
iterator = this->policies->create_iterator(this->policies, TRUE);
while (iterator->iterate(iterator, (void**)&current))
{
@@ -1421,13 +1446,13 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
policy_info->sel = policy->sel;
policy_info->dir = policy->direction;
/* calculate priority based on source selector size, small size = high prio */
- policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
+ policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
policy_info->priority -= policy->sel.prefixlen_s * 10;
policy_info->priority -= policy->sel.proto ? 2 : 0;
policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
policy_info->action = XFRM_POLICY_ALLOW;
policy_info->share = XFRM_SHARE_ANY;
- pthread_mutex_unlock(&this->mutex);
+ this->mutex->unlock(this->mutex);
/* policies don't expire */
policy_info->lft.soft_byte_limit = XFRM_INF;
@@ -1503,7 +1528,8 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
{
route_entry_t *route = malloc_thing(route_entry_t);
- if (get_address_by_ts(this, dst_ts, &route->src_ip) == SUCCESS)
+ if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+ dst_ts, &route->src_ip) == SUCCESS)
{
/* get the nexthop to src (src as we are in POLICY_FWD).*/
route->gateway = charon->kernel_interface->get_nexthop(
@@ -1514,22 +1540,30 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
route->prefixlen = policy->sel.prefixlen_s;
- switch (charon->kernel_interface->add_route(charon->kernel_interface,
- route->dst_net, route->prefixlen, route->gateway,
- route->src_ip, route->if_name))
+ if (route->if_name)
+ {
+ switch (charon->kernel_interface->add_route(
+ charon->kernel_interface, route->dst_net,
+ route->prefixlen, route->gateway,
+ route->src_ip, route->if_name))
+ {
+ default:
+ DBG1(DBG_KNL, "unable to install source route for %H",
+ route->src_ip);
+ /* FALL */
+ case ALREADY_DONE:
+ /* route exists, do not uninstall */
+ route_entry_destroy(route);
+ break;
+ case SUCCESS:
+ /* cache the installed route */
+ policy->route = route;
+ break;
+ }
+ }
+ else
{
- default:
- DBG1(DBG_KNL, "unable to install source route for %H",
- route->src_ip);
- /* FALL */
- case ALREADY_DONE:
- /* route exists, do not uninstall */
- route_entry_destroy(route);
- break;
- case SUCCESS:
- /* cache the installed route */
- policy->route = route;
- break;
+ route_entry_destroy(route);
}
}
else
@@ -1537,7 +1571,6 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
free(route);
}
}
-
return SUCCESS;
}
@@ -1549,7 +1582,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t *use_time)
{
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct nlmsghdr *out = NULL, *hdr;
struct xfrm_userpolicy_id *policy_id;
struct xfrm_userpolicy_info *policy = NULL;
@@ -1617,14 +1650,14 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
static status_t del_policy(private_kernel_netlink_ipsec_t *this,
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
- policy_dir_t direction)
+ policy_dir_t direction, bool unrouted)
{
policy_entry_t *current, policy, *to_delete = NULL;
route_entry_t *route;
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct nlmsghdr *hdr;
struct xfrm_userpolicy_id *policy_id;
- iterator_t *iterator;
+ enumerator_t *enumerator;
DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
policy_dir_names, direction);
@@ -1635,10 +1668,11 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
policy.direction = direction;
/* find the policy */
- iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
- while (iterator->iterate(iterator, (void**)&current))
+ this->mutex->lock(this->mutex);
+ enumerator = this->policies->create_enumerator(this->policies);
+ while (enumerator->enumerate(enumerator, &current))
{
- if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
+ if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
policy.direction == current->direction)
{
to_delete = current;
@@ -1646,15 +1680,17 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
{
/* is used by more SAs, keep in kernel */
DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
- iterator->destroy(iterator);
+ this->mutex->unlock(this->mutex);
+ enumerator->destroy(enumerator);
return SUCCESS;
}
/* remove if last reference */
- iterator->remove(iterator);
+ this->policies->remove_at(this->policies, enumerator);
break;
}
}
- iterator->destroy(iterator);
+ this->mutex->unlock(this->mutex);
+ enumerator->destroy(enumerator);
if (!to_delete)
{
DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
@@ -1707,9 +1743,75 @@ static void destroy(private_kernel_netlink_ipsec_t *this)
close(this->socket_xfrm_events);
this->socket_xfrm->destroy(this->socket_xfrm);
this->policies->destroy(this->policies);
+ this->mutex->destroy(this->mutex);
free(this);
}
+/**
+ * Add bypass policies for IKE on the sockets used by charon
+ */
+static bool add_bypass_policies()
+{
+ int fd, family, port;
+ enumerator_t *sockets;
+ bool status = TRUE;
+
+ /* we open an AF_KEY socket to autoload the af_key module. Otherwise
+ * setsockopt(IPSEC_POLICY) won't work. */
+ fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
+ if (fd == 0)
+ {
+ DBG1(DBG_KNL, "could not open AF_KEY socket");
+ return FALSE;
+ }
+ close(fd);
+
+ sockets = charon->socket->create_enumerator(charon->socket);
+ while (sockets->enumerate(sockets, &fd, &family, &port))
+ {
+ struct sadb_x_policy policy;
+ u_int sol, ipsec_policy;
+
+ switch (family)
+ {
+ case AF_INET:
+ sol = SOL_IP;
+ ipsec_policy = IP_IPSEC_POLICY;
+ break;
+ case AF_INET6:
+ sol = SOL_IPV6;
+ ipsec_policy = IPV6_IPSEC_POLICY;
+ break;
+ default:
+ continue;
+ }
+
+ memset(&policy, 0, sizeof(policy));
+ policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+ policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+
+ policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ status = FALSE;
+ break;
+ }
+ policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ status = FALSE;
+ break;
+ }
+ }
+ sockets->destroy(sockets);
+ return status;
+}
+
/*
* Described in header.
*/
@@ -1721,33 +1823,39 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
/* public functions */
this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
- this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
- this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
- this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
- this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
- this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
+ this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+ this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
- this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
+ this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
/* private members */
this->policies = linked_list_create();
- pthread_mutex_init(&this->mutex, NULL);
+ this->mutex = mutex_create(MUTEX_DEFAULT);
this->install_routes = lib->settings->get_bool(lib->settings,
"charon.install_routes", TRUE);
+ /* add bypass policies on the sockets used by charon */
+ if (!add_bypass_policies())
+ {
+ charon->kill(charon, "unable to add bypass policies on sockets");
+ }
+
this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
- /* create and bind XFRM socket for ACQUIRE & EXPIRE */
+ /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
if (this->socket_xfrm_events <= 0)
{
charon->kill(charon, "unable to create XFRM event socket");
}
- addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | XFRMNLGRP(MAPPING);
+ addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
+ XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
{
charon->kill(charon, "unable to bind XFRM event socket");
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index d8bba9412..69a781c14 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: kernel_netlink_net.c 4391 2008-10-09 05:44:00Z andreas $
+ * $Id: kernel_netlink_net.c 4660 2008-11-14 14:23:11Z martin $
*/
#include <sys/socket.h>
@@ -29,6 +29,7 @@
#include "kernel_netlink_shared.h"
#include <daemon.h>
+#include <utils/mutex.h>
#include <utils/linked_list.h>
#include <processing/jobs/callback_job.h>
#include <processing/jobs/roam_job.h>
@@ -116,12 +117,12 @@ struct private_kernel_netlink_net_t {
/**
* mutex to lock access to various lists
*/
- pthread_mutex_t mutex;
+ mutex_t *mutex;
/**
* condition variable to signal virtual IP add/removal
*/
- pthread_cond_t cond;
+ condvar_t *condvar;
/**
* Cached list of interfaces and its addresses (iface_entry_t)
@@ -157,7 +158,7 @@ struct private_kernel_netlink_net_t {
* priority of used routing table
*/
int routing_table_prio;
-
+
/**
* whether to react to RTM_NEWROUTE or RTM_DELROUTE events
*/
@@ -206,7 +207,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
{
struct timeval now;
-
+
if (gettimeofday(&now, NULL) == 0)
{
if (timercmp(&now, &this->last_roam, >))
@@ -233,7 +234,7 @@ static void process_link(private_kernel_netlink_net_t *this,
struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
struct rtattr *rta = IFLA_RTA(msg);
size_t rtasize = IFLA_PAYLOAD (hdr);
- iterator_t *iterator;
+ enumerator_t *enumerator;
iface_entry_t *current, *entry = NULL;
char *name = NULL;
bool update = FALSE;
@@ -253,6 +254,7 @@ static void process_link(private_kernel_netlink_net_t *this,
name = "(unknown)";
}
+ this->mutex->lock(this->mutex);
switch (hdr->nlmsg_type)
{
case RTM_NEWLINK:
@@ -261,9 +263,8 @@ static void process_link(private_kernel_netlink_net_t *this,
{ /* ignore loopback interfaces */
break;
}
- iterator = this->ifaces->create_iterator_locked(this->ifaces,
- &this->mutex);
- while (iterator->iterate(iterator, (void**)&current))
+ enumerator = this->ifaces->create_enumerator(this->ifaces);
+ while (enumerator->enumerate(enumerator, &current))
{
if (current->ifindex == msg->ifi_index)
{
@@ -271,6 +272,7 @@ static void process_link(private_kernel_netlink_net_t *this,
break;
}
}
+ enumerator->destroy(enumerator);
if (!entry)
{
entry = malloc_thing(iface_entry_t);
@@ -295,14 +297,12 @@ static void process_link(private_kernel_netlink_net_t *this,
}
}
entry->flags = msg->ifi_flags;
- iterator->destroy(iterator);
break;
}
case RTM_DELLINK:
{
- iterator = this->ifaces->create_iterator_locked(this->ifaces,
- &this->mutex);
- while (iterator->iterate(iterator, (void**)&current))
+ enumerator = this->ifaces->create_enumerator(this->ifaces);
+ while (enumerator->enumerate(enumerator, &current))
{
if (current->ifindex == msg->ifi_index)
{
@@ -312,10 +312,11 @@ static void process_link(private_kernel_netlink_net_t *this,
break;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
break;
}
}
+ this->mutex->unlock(this->mutex);
/* send an update to all IKE_SAs */
if (update && event)
@@ -334,7 +335,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
struct rtattr *rta = IFA_RTA(msg);
size_t rtasize = IFA_PAYLOAD (hdr);
host_t *host = NULL;
- iterator_t *ifaces, *addrs;
+ enumerator_t *ifaces, *addrs;
iface_entry_t *iface;
addr_entry_t *addr;
chunk_t local = chunk_empty, address = chunk_empty;
@@ -373,20 +374,21 @@ static void process_addr(private_kernel_netlink_net_t *this,
return;
}
- ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
- while (ifaces->iterate(ifaces, (void**)&iface))
+ this->mutex->lock(this->mutex);
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
{
if (iface->ifindex == msg->ifa_index)
{
- addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
- while (addrs->iterate(addrs, (void**)&addr))
+ addrs = iface->addrs->create_enumerator(iface->addrs);
+ while (addrs->enumerate(addrs, &addr))
{
if (host->ip_equals(host, addr->ip))
{
found = TRUE;
if (hdr->nlmsg_type == RTM_DELADDR)
{
- addrs->remove(addrs);
+ iface->addrs->remove_at(iface->addrs, addrs);
if (!addr->virtual)
{
changed = TRUE;
@@ -430,6 +432,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
}
}
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
host->destroy(host);
/* send an update to all IKE_SAs */
@@ -468,10 +471,12 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
}
if (host)
{
+ this->mutex->lock(this->mutex);
if (!get_vip_refcount(this, host))
{ /* ignore routes added for virtual IPs */
fire_roam_job(this, FALSE);
}
+ this->mutex->unlock(this->mutex);
host->destroy(host);
}
}
@@ -522,12 +527,12 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
case RTM_NEWADDR:
case RTM_DELADDR:
process_addr(this, hdr, TRUE);
- pthread_cond_broadcast(&this->cond);
+ this->condvar->broadcast(this->condvar);
break;
case RTM_NEWLINK:
case RTM_DELLINK:
process_link(this, hdr, TRUE);
- pthread_cond_broadcast(&this->cond);
+ this->condvar->broadcast(this->condvar);
break;
case RTM_NEWROUTE:
case RTM_DELROUTE:
@@ -558,7 +563,7 @@ typedef struct {
*/
static void address_enumerator_destroy(address_enumerator_t *data)
{
- pthread_mutex_unlock(&data->this->mutex);
+ data->this->mutex->unlock(data->this->mutex);
free(data);
}
@@ -612,7 +617,7 @@ static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *thi
data->include_down_ifaces = include_down_ifaces;
data->include_virtual_ips = include_virtual_ips;
- pthread_mutex_lock(&this->mutex);
+ this->mutex->lock(this->mutex);
return enumerator_create_nested(
enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
(void*)filter_interfaces, data, NULL),
@@ -624,18 +629,19 @@ static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *thi
*/
static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
{
- iterator_t *ifaces, *addrs;
+ enumerator_t *ifaces, *addrs;
iface_entry_t *iface;
addr_entry_t *addr;
char *name = NULL;
DBG2(DBG_KNL, "getting interface name for %H", ip);
- ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
- while (ifaces->iterate(ifaces, (void**)&iface))
+ this->mutex->lock(this->mutex);
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
{
- addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
- while (addrs->iterate(addrs, (void**)&addr))
+ addrs = iface->addrs->create_enumerator(iface->addrs);
+ while (addrs->enumerate(addrs, &addr))
{
if (ip->ip_equals(ip, addr->ip))
{
@@ -650,6 +656,7 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
}
}
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
if (name)
{
@@ -667,14 +674,15 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
*/
static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
{
- iterator_t *ifaces;
+ enumerator_t *ifaces;
iface_entry_t *iface;
int ifindex = 0;
DBG2(DBG_KNL, "getting iface index for %s", name);
- ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
- while (ifaces->iterate(ifaces, (void**)&iface))
+ this->mutex->lock(this->mutex);
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
{
if (streq(name, iface->ifname))
{
@@ -683,6 +691,7 @@ static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
}
}
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
if (ifindex == 0)
{
@@ -692,6 +701,28 @@ static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
}
/**
+ * Check if an interface with a given index is up
+ */
+static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
+{
+ enumerator_t *ifaces;
+ iface_entry_t *iface;
+ bool up = FALSE;
+
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
+ {
+ if (iface->ifindex == index)
+ {
+ up = iface->flags & IFF_UP;
+ break;
+ }
+ }
+ ifaces->destroy(ifaces);
+ return up;
+}
+
+/**
* check if an address (chunk) addr is in subnet (net with net_len net bits)
*/
static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
@@ -730,7 +761,7 @@ static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
bool nexthop, host_t *candidate)
{
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct nlmsghdr *hdr, *out, *current;
struct rtmsg *msg;
chunk_t chunk;
@@ -763,6 +794,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
DBG1(DBG_KNL, "getting address to %H failed", dest);
return NULL;
}
+ this->mutex->lock(this->mutex);
current = out;
while (NLMSG_OK(current, len))
{
@@ -776,6 +808,9 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
size_t rtasize;
chunk_t rta_gtw, rta_src, rta_dst;
u_int32_t rta_oif = 0;
+ enumerator_t *ifaces, *addrs;
+ iface_entry_t *iface;
+ addr_entry_t *addr;
rta_gtw = rta_src = rta_dst = chunk_empty;
msg = (struct rtmsg*)(NLMSG_DATA(current));
@@ -803,79 +838,80 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
}
rta = RTA_NEXT(rta, rtasize);
}
+ if (rta_oif && !is_interface_up(this, rta_oif))
+ { /* interface is down */
+ goto next;
+ }
+ if (this->routing_table != 0 &&
+ msg->rtm_table == this->routing_table)
+ { /* route is from our own ipsec routing table */
+ goto next;
+ }
+ if (msg->rtm_dst_len <= best)
+ { /* not better than a previous one */
+ goto next;
+ }
+ if (msg->rtm_dst_len != 0 &&
+ (!rta_dst.ptr ||
+ !addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len)))
+ { /* is not the default route and not contained in our dst */
+ goto next;
+ }
- /* apply the route if:
- * - it is not from our own ipsec routing table
- * - is better than a previous one
- * - is the default route or
- * - its destination net contains our destination
- */
- if ((this->routing_table == 0 ||msg->rtm_table != this->routing_table)
- && msg->rtm_dst_len > best
- && (msg->rtm_dst_len == 0 || /* default route */
- (rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
+ best = msg->rtm_dst_len;
+ if (nexthop)
{
- iterator_t *ifaces, *addrs;
- iface_entry_t *iface;
- addr_entry_t *addr;
-
- best = msg->rtm_dst_len;
- if (nexthop)
- {
- DESTROY_IF(gtw);
- gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
- }
- else if (rta_src.ptr)
- {
+ DESTROY_IF(gtw);
+ gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
+ goto next;
+ }
+ if (rta_src.ptr)
+ {
+ DESTROY_IF(src);
+ src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
+ if (get_vip_refcount(this, src))
+ { /* skip source address if it is installed by us */
DESTROY_IF(src);
- src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
- if (get_vip_refcount(this, src))
- { /* skip source address if it is installed by us */
- DESTROY_IF(src);
- src = NULL;
- current = NLMSG_NEXT(current, len);
- continue;
- }
+ src = NULL;
}
- else
+ goto next;
+ }
+ /* no source addr, get one from the interfaces */
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
+ {
+ if (iface->ifindex == rta_oif &&
+ iface->flags & IFF_UP)
{
- /* no source addr, get one from the interfaces */
- ifaces = this->ifaces->create_iterator_locked(
- this->ifaces, &this->mutex);
- while (ifaces->iterate(ifaces, (void**)&iface))
+ addrs = iface->addrs->create_enumerator(iface->addrs);
+ while (addrs->enumerate(addrs, &addr))
{
- if (iface->ifindex == rta_oif)
+ chunk_t ip = addr->ip->get_address(addr->ip);
+ if ((msg->rtm_dst_len == 0 &&
+ addr->ip->get_family(addr->ip) ==
+ dest->get_family(dest)) ||
+ addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
{
- addrs = iface->addrs->create_iterator(
- iface->addrs, TRUE);
- while (addrs->iterate(addrs, (void**)&addr))
- {
- chunk_t ip = addr->ip->get_address(addr->ip);
- if ((msg->rtm_dst_len == 0 &&
- addr->ip->get_family(addr->ip) ==
- dest->get_family(dest)) ||
- addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
- {
- DESTROY_IF(src);
- src = addr->ip->clone(addr->ip);
- break;
- }
- }
- addrs->destroy(addrs);
+ DESTROY_IF(src);
+ src = addr->ip->clone(addr->ip);
+ break;
}
}
- ifaces->destroy(ifaces);
+ addrs->destroy(addrs);
}
}
- /* FALL through */
+ ifaces->destroy(ifaces);
+ goto next;
}
default:
+ next:
current = NLMSG_NEXT(current, len);
continue;
}
break;
}
free(out);
+ this->mutex->unlock(this->mutex);
if (nexthop)
{
@@ -912,7 +948,7 @@ static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest)
static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
int flags, int if_index, host_t *ip)
{
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct nlmsghdr *hdr;
struct ifaddrmsg *msg;
chunk_t chunk;
@@ -946,18 +982,19 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
{
iface_entry_t *iface;
addr_entry_t *addr;
- iterator_t *addrs, *ifaces;
+ enumerator_t *addrs, *ifaces;
int ifindex;
DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
- ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
- while (ifaces->iterate(ifaces, (void**)&iface))
+ this->mutex->lock(this->mutex);
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
{
bool iface_found = FALSE;
- addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
- while (addrs->iterate(addrs, (void**)&addr))
+ addrs = iface->addrs->create_enumerator(iface->addrs);
+ while (addrs->enumerate(addrs, &addr))
{
if (iface_ip->ip_equals(iface_ip, addr->ip))
{
@@ -970,6 +1007,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
virtual_ip, iface->ifname);
addrs->destroy(addrs);
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
return SUCCESS;
}
}
@@ -990,17 +1028,20 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
{
while (get_vip_refcount(this, virtual_ip) == 0)
{ /* wait until address appears */
- pthread_cond_wait(&this->cond, &this->mutex);
+ this->condvar->wait(this->condvar, this->mutex);
}
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
return SUCCESS;
}
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
return FAILED;
}
}
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
DBG1(DBG_KNL, "interface address %H not found, unable to install"
"virtual IP %H", iface_ip, virtual_ip);
@@ -1014,17 +1055,18 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
{
iface_entry_t *iface;
addr_entry_t *addr;
- iterator_t *addrs, *ifaces;
+ enumerator_t *addrs, *ifaces;
status_t status;
int ifindex;
DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
- ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
- while (ifaces->iterate(ifaces, (void**)&iface))
+ this->mutex->lock(this->mutex);
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
{
- addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
- while (addrs->iterate(addrs, (void**)&addr))
+ addrs = iface->addrs->create_enumerator(iface->addrs);
+ while (addrs->enumerate(addrs, &addr))
{
if (virtual_ip->ip_equals(virtual_ip, addr->ip))
{
@@ -1037,11 +1079,12 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
{ /* wait until the address is really gone */
while (get_vip_refcount(this, virtual_ip) > 0)
{
- pthread_cond_wait(&this->cond, &this->mutex);
+ this->condvar->wait(this->condvar, this->mutex);
}
}
addrs->destroy(addrs);
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
return status;
}
else
@@ -1052,12 +1095,14 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
virtual_ip);
addrs->destroy(addrs);
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
return SUCCESS;
}
}
addrs->destroy(addrs);
}
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
return FAILED;
@@ -1071,7 +1116,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
int flags, chunk_t dst_net, u_int8_t prefixlen,
host_t *gateway, host_t *src_ip, char *if_name)
{
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct nlmsghdr *hdr;
struct rtmsg *msg;
int ifindex;
@@ -1151,11 +1196,11 @@ status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
*/
static status_t init_address_list(private_kernel_netlink_net_t *this)
{
- char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct nlmsghdr *out, *current, *in;
struct rtgenmsg *msg;
size_t len;
- iterator_t *ifaces, *addrs;
+ enumerator_t *ifaces, *addrs;
iface_entry_t *iface;
addr_entry_t *addr;
@@ -1217,14 +1262,15 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
}
free(out);
- ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
- while (ifaces->iterate(ifaces, (void**)&iface))
+ this->mutex->lock(this->mutex);
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
{
if (iface->flags & IFF_UP)
{
DBG1(DBG_KNL, " %s", iface->ifname);
- addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
- while (addrs->iterate(addrs, (void**)&addr))
+ addrs = iface->addrs->create_enumerator(iface->addrs);
+ while (addrs->enumerate(addrs, (void**)&addr))
{
DBG1(DBG_KNL, " %H", addr->ip);
}
@@ -1232,6 +1278,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
}
}
ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
return SUCCESS;
}
@@ -1241,7 +1288,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
u_int32_t table, u_int32_t prio)
{
- unsigned char request[NETLINK_BUFFER_SIZE];
+ netlink_buf_t request;
struct nlmsghdr *hdr;
struct rtmsg *msg;
chunk_t chunk;
@@ -1284,6 +1331,8 @@ static void destroy(private_kernel_netlink_net_t *this)
close(this->socket_events);
this->socket->destroy(this->socket);
this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+ this->condvar->destroy(this->condvar);
+ this->mutex->destroy(this->mutex);
free(this);
}
@@ -1308,8 +1357,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
/* private members */
this->ifaces = linked_list_create();
- pthread_mutex_init(&this->mutex, NULL);
- pthread_cond_init(&this->cond, NULL);
+ this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->condvar = condvar_create(CONDVAR_DEFAULT);
timerclear(&this->last_roam);
this->routing_table = lib->settings->get_int(lib->settings,
"charon.routing_table", IPSEC_ROUTING_TABLE);
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index 55d08c5e5..3de56bf48 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: kernel_netlink_shared.c 4350 2008-09-18 15:16:43Z tobias $
+ * $Id: kernel_netlink_shared.c 4579 2008-11-05 11:29:56Z martin $
*/
#include <sys/socket.h>
@@ -24,6 +24,7 @@
#include "kernel_netlink_shared.h"
#include <daemon.h>
+#include <utils/mutex.h>
typedef struct private_netlink_socket_t private_netlink_socket_t;
@@ -39,7 +40,7 @@ struct private_netlink_socket_t {
/**
* mutex to lock access to netlink socket
*/
- pthread_mutex_t mutex;
+ mutex_t *mutex;
/**
* current sequence number for netlink request
@@ -63,7 +64,7 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
chunk_t result = chunk_empty, tmp;
struct nlmsghdr *msg, peek;
- pthread_mutex_lock(&this->mutex);
+ this->mutex->lock(this->mutex);
in->nlmsg_seq = ++this->seq;
in->nlmsg_pid = getpid();
@@ -85,7 +86,7 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
/* interrupted, try again */
continue;
}
- pthread_mutex_unlock(&this->mutex);
+ this->mutex->unlock(this->mutex);
DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
return FAILED;
}
@@ -117,14 +118,14 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
continue;
}
DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
- pthread_mutex_unlock(&this->mutex);
+ this->mutex->unlock(this->mutex);
free(result.ptr);
return FAILED;
}
if (!NLMSG_OK(msg, len))
{
DBG1(DBG_KNL, "received corrupted netlink message");
- pthread_mutex_unlock(&this->mutex);
+ this->mutex->unlock(this->mutex);
free(result.ptr);
return FAILED;
}
@@ -135,7 +136,7 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
{
continue;
}
- pthread_mutex_unlock(&this->mutex);
+ this->mutex->unlock(this->mutex);
free(result.ptr);
return FAILED;
}
@@ -161,7 +162,7 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
*out_len = result.len;
*out = (struct nlmsghdr*)result.ptr;
- pthread_mutex_unlock(&this->mutex);
+ this->mutex->unlock(this->mutex);
return SUCCESS;
}
@@ -221,6 +222,7 @@ static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr
static void destroy(private_netlink_socket_t *this)
{
close(this->socket);
+ this->mutex->destroy(this->mutex);
free(this);
}
@@ -238,7 +240,7 @@ netlink_socket_t *netlink_socket_create(int protocol) {
/* private members */
this->seq = 200;
- pthread_mutex_init(&this->mutex, NULL);
+ this->mutex = mutex_create(MUTEX_DEFAULT);
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
index 6428cc9a2..90e464796 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: kernel_netlink_shared.h 4350 2008-09-18 15:16:43Z tobias $
+ * $Id: kernel_netlink_shared.h 4660 2008-11-14 14:23:11Z martin $
*/
#ifndef KERNEL_NETLINK_SHARED_H_
@@ -20,7 +20,15 @@
#include <library.h>
-#define NETLINK_BUFFER_SIZE 1024
+#include <linux/rtnetlink.h>
+
+/**
+ * General purpose netlink buffer.
+ *
+ * 1024 byte is currently sufficient for all operations. Some platform
+ * require an enforced aligment to four bytes (e.g. ARM).
+ */
+typedef u_char netlink_buf_t[1024] __attribute__((aligned(RTA_ALIGNTO)));
typedef struct netlink_socket_t netlink_socket_t;
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.am b/src/charon/plugins/kernel_pfkey/Makefile.am
new file mode 100644
index 000000000..c9d66b5de
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+
+libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in
new file mode 100644
index 000000000..41bad9715
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/Makefile.in
@@ -0,0 +1,501 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/kernel_pfkey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_kernel_pfkey_la_LIBADD =
+am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
+ kernel_pfkey_ipsec.lo
+libstrongswan_kernel_pfkey_la_OBJECTS = \
+ $(am_libstrongswan_kernel_pfkey_la_OBJECTS)
+libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfkey/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfkey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES)
+ $(libstrongswan_kernel_pfkey_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
new file mode 100644
index 000000000..77f3cbed8
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -0,0 +1,1991 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_pfkey_ipsec.c 4662 2008-11-16 21:19:58Z andreas $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <stdint.h>
+#include <linux/ipsec.h>
+#include <linux/pfkeyv2.h>
+#include <linux/udp.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <errno.h>
+
+#include "kernel_pfkey_ipsec.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/mutex.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/migrate_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+/** from linux/in.h */
+#ifndef IP_IPSEC_POLICY
+#define IP_IPSEC_POLICY 16
+#endif
+
+/** default priority of installed policies */
+#define PRIO_LOW 3000
+#define PRIO_HIGH 2000
+
+/** buffer size for PF_KEY messages */
+#define PFKEY_BUFFER_SIZE 4096
+
+/** PF_KEY messages are 64 bit aligned */
+#define PFKEY_ALIGNMENT 8
+/** aligns len to 64 bits */
+#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
+/** calculates the properly padded length in 64 bit chunks */
+#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
+/** calculates user mode length i.e. in bytes */
+#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
+
+/** given a PF_KEY message header and an extension this updates the length in the header */
+#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
+/** given a PF_KEY message header this returns a pointer to the next extension */
+#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
+/** copy an extension and append it to a PF_KEY message */
+#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
+/** given a PF_KEY extension this returns a pointer to the next extension */
+#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
+/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
+#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
+/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
+#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+ (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+ (ext)->sadb_ext_len <= (len))
+
+typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_pfkey class.
+ */
+struct private_kernel_pfkey_ipsec_t
+{
+ /**
+ * Public part of the kernel_pfkey_t object.
+ */
+ kernel_pfkey_ipsec_t public;
+
+ /**
+ * mutex to lock access to various lists
+ */
+ mutex_t *mutex;
+
+ /**
+ * List of installed policies (policy_entry_t)
+ */
+ linked_list_t *policies;
+
+ /**
+ * whether to install routes along policies
+ */
+ bool install_routes;
+
+ /**
+ * job receiving PF_KEY events
+ */
+ callback_job_t *job;
+
+ /**
+ * mutex to lock access to the PF_KEY socket
+ */
+ mutex_t *mutex_pfkey;
+
+ /**
+ * PF_KEY socket to communicate with the kernel
+ */
+ int socket;
+
+ /**
+ * PF_KEY socket to receive acquire and expire events
+ */
+ int socket_events;
+
+ /**
+ * sequence number for messages sent to the kernel
+ */
+ int seq;
+};
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+ /** Name of the interface the route is bound to */
+ char *if_name;
+
+ /** Source ip of the route */
+ host_t *src_ip;
+
+ /** gateway for this route */
+ host_t *gateway;
+
+ /** Destination net */
+ chunk_t dst_net;
+
+ /** Destination net prefixlen */
+ u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+ free(this->if_name);
+ this->src_ip->destroy(this->src_ip);
+ this->gateway->destroy(this->gateway);
+ chunk_free(&this->dst_net);
+ free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+
+ /** reqid of this policy */
+ u_int32_t reqid;
+
+ /** index assigned by the kernel */
+ u_int32_t index;
+
+ /** direction of this policy: in, out, forward */
+ u_int8_t direction;
+
+ /** parameters of installed policy */
+ struct {
+ /** subnet and port */
+ host_t *net;
+ /** subnet mask */
+ u_int8_t mask;
+ /** protocol */
+ u_int8_t proto;
+ } src, dst;
+
+ /** associated route installed for this policy */
+ route_entry_t *route;
+
+ /** by how many CHILD_SA's this policy is used */
+ u_int refcount;
+};
+
+/**
+ * create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
+{
+ policy_entry_t *policy = malloc_thing(policy_entry_t);
+ policy->reqid = reqid;
+ policy->index = 0;
+ policy->direction = dir;
+ policy->route = NULL;
+ policy->refcount = 0;
+
+ src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
+ dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
+
+ /* src or dest proto may be "any" (0), use more restrictive one */
+ policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+ policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
+ policy->dst.proto = policy->src.proto;
+
+ return policy;
+}
+
+/**
+ * destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+ DESTROY_IF(this->src.net);
+ DESTROY_IF(this->dst.net);
+ if (this->route)
+ {
+ route_entry_destroy(this->route);
+ }
+ free(this);
+}
+
+/**
+ * compares two policy_entry_t
+ */
+static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
+{
+ return current->direction == policy->direction &&
+ current->src.proto == policy->src.proto &&
+ current->dst.proto == policy->dst.proto &&
+ current->src.mask == policy->src.mask &&
+ current->dst.mask == policy->dst.mask &&
+ current->src.net->equals(current->src.net, policy->src.net) &&
+ current->dst.net->equals(current->dst.net, policy->dst.net);
+}
+
+/**
+ * compare the given kernel index with that of a policy
+ */
+static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
+{
+ return current->index == *index;
+}
+
+typedef struct pfkey_msg_t pfkey_msg_t;
+
+struct pfkey_msg_t
+{
+ /**
+ * PF_KEY message base
+ */
+ struct sadb_msg *msg;
+
+
+ /**
+ * PF_KEY message extensions
+ */
+ union {
+ struct sadb_ext *ext[SADB_EXT_MAX + 1];
+ struct {
+ struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
+ struct sadb_sa *sa; /* SADB_EXT_SA */
+ struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
+ struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
+ struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
+ struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
+ struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
+ struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
+ struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
+ struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
+ struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
+ struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
+ struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
+ struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
+ struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
+ struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
+ struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
+ struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
+ struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
+ struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
+ struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
+ struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
+ struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
+ struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
+ struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
+ struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
+ } __attribute__((__packed__));
+ };
+};
+
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
+ "SADB_EXT_RESERVED",
+ "SADB_EXT_SA",
+ "SADB_EXT_LIFETIME_CURRENT",
+ "SADB_EXT_LIFETIME_HARD",
+ "SADB_EXT_LIFETIME_SOFT",
+ "SADB_EXT_ADDRESS_SRC",
+ "SADB_EXT_ADDRESS_DST",
+ "SADB_EXT_ADDRESS_PROXY",
+ "SADB_EXT_KEY_AUTH",
+ "SADB_EXT_KEY_ENCRYPT",
+ "SADB_EXT_IDENTITY_SRC",
+ "SADB_EXT_IDENTITY_DST",
+ "SADB_EXT_SENSITIVITY",
+ "SADB_EXT_PROPOSAL",
+ "SADB_EXT_SUPPORTED_AUTH",
+ "SADB_EXT_SUPPORTED_ENCRYPT",
+ "SADB_EXT_SPIRANGE",
+ "SADB_X_EXT_KMPRIVATE",
+ "SADB_X_EXT_POLICY",
+ "SADB_X_EXT_SA2",
+ "SADB_X_EXT_NAT_T_TYPE",
+ "SADB_X_EXT_NAT_T_SPORT",
+ "SADB_X_EXT_NAT_T_DPORT",
+ "SADB_X_EXT_NAT_T_OA",
+ "SADB_X_EXT_SEC_CTX",
+ "SADB_X_EXT_KMADDRESS"
+);
+/**
+ * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ */
+static u_int8_t proto_ike2satype(protocol_id_t proto)
+{
+ switch (proto)
+ {
+ case PROTO_ESP:
+ return SADB_SATYPE_ESP;
+ case PROTO_AH:
+ return SADB_SATYPE_AH;
+ case IPPROTO_COMP:
+ return SADB_X_SATYPE_IPCOMP;
+ default:
+ return proto;
+ }
+}
+
+/**
+ * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ */
+static protocol_id_t proto_satype2ike(u_int8_t proto)
+{
+ switch (proto)
+ {
+ case SADB_SATYPE_ESP:
+ return PROTO_ESP;
+ case SADB_SATYPE_AH:
+ return PROTO_AH;
+ case SADB_X_SATYPE_IPCOMP:
+ return IPPROTO_COMP;
+ default:
+ return proto;
+ }
+}
+
+/**
+ * convert a IKEv2 specific protocol identifier to the IP protocol identifier
+ */
+static u_int8_t proto_ike2ip(protocol_id_t proto)
+{
+ switch (proto)
+ {
+ case PROTO_ESP:
+ return IPPROTO_ESP;
+ case PROTO_AH:
+ return IPPROTO_AH;
+ default:
+ return proto;
+ }
+}
+
+/**
+ * convert the general ipsec mode to the one defined in ipsec.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+ switch (mode)
+ {
+ case MODE_TRANSPORT:
+ return IPSEC_MODE_TRANSPORT;
+ case MODE_TUNNEL:
+ return IPSEC_MODE_TUNNEL;
+ case MODE_BEET:
+ return IPSEC_MODE_BEET;
+ default:
+ return mode;
+ }
+}
+
+/**
+ * convert the general policy direction to the one defined in ipsec.h
+ */
+static u_int8_t dir2kernel(policy_dir_t dir)
+{
+ switch (dir)
+ {
+ case POLICY_IN:
+ return IPSEC_DIR_INBOUND;
+ case POLICY_OUT:
+ return IPSEC_DIR_OUTBOUND;
+ case POLICY_FWD:
+ return IPSEC_DIR_FWD;
+ default:
+ return dir;
+ }
+}
+
+/**
+ * convert the policy direction in ipsec.h to the general one.
+ */
+static policy_dir_t kernel2dir(u_int8_t dir)
+{
+ switch (dir)
+ {
+ case IPSEC_DIR_INBOUND:
+ return POLICY_IN;
+ case IPSEC_DIR_OUTBOUND:
+ return POLICY_OUT;
+ case IPSEC_DIR_FWD:
+ return POLICY_FWD;
+ default:
+ return dir;
+ }
+}
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 algorithms to PF_KEY algorithms
+ */
+struct kernel_algorithm_t {
+ /**
+ * Identifier specified in IKEv2
+ */
+ int ikev2;
+
+ /**
+ * Identifier as defined in pfkeyv2.h
+ */
+ int kernel;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/* {ENCR_DES_IV64, 0 }, */
+ {ENCR_DES, SADB_EALG_DESCBC },
+ {ENCR_3DES, SADB_EALG_3DESCBC },
+/* {ENCR_RC5, 0 }, */
+/* {ENCR_IDEA, 0 }, */
+ {ENCR_CAST, SADB_X_EALG_CASTCBC },
+ {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
+/* {ENCR_3IDEA, 0 }, */
+/* {ENCR_DES_IV32, 0 }, */
+ {ENCR_NULL, SADB_EALG_NULL },
+ {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
+/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
+/* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
+/* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
+/* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
+/* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
+/* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
+/* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
+ {END_OF_LIST, 0 },
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+ {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
+ {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
+ {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
+ {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
+ {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
+/* {AUTH_DES_MAC, 0, }, */
+/* {AUTH_KPDK_MD5, 0, }, */
+ {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
+ {END_OF_LIST, 0, },
+};
+
+#if 0
+/**
+ * Algorithms for IPComp, unused yet
+ */
+static kernel_algorithm_t compression_algs[] = {
+/* {IPCOMP_OUI, 0 }, */
+ {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
+ {IPCOMP_LZS, SADB_X_CALG_LZS },
+ {IPCOMP_LZJH, SADB_X_CALG_LZJH },
+ {END_OF_LIST, 0 },
+};
+#endif
+
+/**
+ * Look up a kernel algorithm ID and its key size
+ */
+static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+{
+ while (list->ikev2 != END_OF_LIST)
+ {
+ if (ikev2 == list->ikev2)
+ {
+ return list->kernel;
+ }
+ list++;
+ }
+ return 0;
+}
+
+/**
+ * add a host behind a sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+ sockaddr_t *host_addr = host->get_sockaddr(host);
+ socklen_t *len = host->get_sockaddr_len(host);
+ memcpy((char*)(ext + 1), host_addr, *len);
+ ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+}
+
+/**
+ * add udp encap extensions to a sadb_msg
+ */
+static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
+{
+ struct sadb_x_nat_t_type* nat_type;
+ struct sadb_x_nat_t_port* nat_port;
+
+ nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
+ nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+ nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
+ nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+ PFKEY_EXT_ADD(msg, nat_type);
+
+ nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+ nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+ nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+ nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
+ PFKEY_EXT_ADD(msg, nat_port);
+
+ nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+ nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+ nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
+ nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
+ PFKEY_EXT_ADD(msg, nat_port);
+}
+
+/**
+ * Convert a sadb_address to a traffic_selector
+ */
+static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
+{
+ traffic_selector_t *ts;
+ host_t *host;
+
+ /* The Linux 2.6 kernel does not set the protocol and port information
+ * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
+ */
+ host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
+ ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
+ address->sadb_address_proto, host->get_port(host));
+ host->destroy(host);
+ return ts;
+}
+
+/**
+ * Parses a pfkey message received from the kernel
+ */
+static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
+{
+ struct sadb_ext* ext;
+ size_t len;
+
+ memset(out, 0, sizeof(pfkey_msg_t));
+ out->msg = msg;
+
+ len = msg->sadb_msg_len;
+ len -= PFKEY_LEN(sizeof(struct sadb_msg));
+
+ ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
+
+ while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
+ {
+ DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
+ if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
+ ext->sadb_ext_len > len)
+ {
+ DBG1(DBG_KNL, "length of %N extension is invalid",
+ sadb_ext_type_names, ext->sadb_ext_type);
+ break;
+ }
+
+ if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
+ {
+ DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
+ break;
+ }
+
+ if (out->ext[ext->sadb_ext_type])
+ {
+ DBG1(DBG_KNL, "duplicate %N extension",
+ sadb_ext_type_names, ext->sadb_ext_type);
+ break;
+ }
+
+ out->ext[ext->sadb_ext_type] = ext;
+ ext = PFKEY_EXT_NEXT_LEN(ext, len);
+ }
+
+ if (len)
+ {
+ DBG1(DBG_KNL, "PF_KEY message length is invalid");
+ return FAILED;
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Send a message to a specific PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
+ struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+ unsigned char buf[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg;
+ int in_len, len;
+
+ this->mutex_pfkey->lock(this->mutex_pfkey);
+
+ in->sadb_msg_seq = ++this->seq;
+ in->sadb_msg_pid = getpid();
+
+ in_len = PFKEY_USER_LEN(in->sadb_msg_len);
+
+ while (TRUE)
+ {
+ len = send(socket, in, in_len, 0);
+
+ if (len != in_len)
+ {
+ if (errno == EINTR)
+ {
+ /* interrupted, try again */
+ continue;
+ }
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
+ return FAILED;
+ }
+ break;
+ }
+
+ while (TRUE)
+ {
+ msg = (struct sadb_msg*)buf;
+
+ len = recv(socket, buf, sizeof(buf), 0);
+
+ if (len < 0)
+ {
+ if (errno == EINTR)
+ {
+ DBG1(DBG_KNL, "got interrupted");
+ /* interrupted, try again */
+ continue;
+ }
+ DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
+ if (len < sizeof(struct sadb_msg) ||
+ msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+ {
+ DBG1(DBG_KNL, "received corrupted PF_KEY message");
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
+ if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+ {
+ DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
+ if (msg->sadb_msg_pid != in->sadb_msg_pid)
+ {
+ DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
+ continue;
+ }
+ if (msg->sadb_msg_seq != this->seq)
+ {
+ DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
+ "was %d expected %d", msg->sadb_msg_seq, this->seq);
+ if (msg->sadb_msg_seq < this->seq)
+ {
+ continue;
+ }
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
+ if (msg->sadb_msg_type != in->sadb_msg_type)
+ {
+ DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
+ "was %d expected %d, ignoring",
+ msg->sadb_msg_type, in->sadb_msg_type);
+ }
+ break;
+ }
+
+ *out_len = len;
+ *out = (struct sadb_msg*)malloc(len);
+ memcpy(*out, buf, len);
+
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+
+ return SUCCESS;
+}
+
+/**
+ * Send a message to the default PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
+ struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+ return pfkey_send_socket(this, this->socket, in, out, out_len);
+}
+
+/**
+ * Process a SADB_ACQUIRE message from the kernel
+ */
+static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ u_int32_t index, reqid = 0;
+ traffic_selector_t *src_ts, *dst_ts;
+ policy_entry_t *policy;
+ job_t *job;
+
+ switch (msg->sadb_msg_satype)
+ {
+ case SADB_SATYPE_UNSPEC:
+ case SADB_SATYPE_ESP:
+ case SADB_SATYPE_AH:
+ break;
+ default:
+ /* acquire for AH/ESP only */
+ return;
+ }
+ DBG2(DBG_KNL, "received an SADB_ACQUIRE");
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
+ return;
+ }
+
+ index = response.x_policy->sadb_x_policy_id;
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
+ {
+ reqid = policy->reqid;
+ }
+ else
+ {
+ DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
+ index);
+ }
+ src_ts = sadb_address2ts(response.src);
+ dst_ts = sadb_address2ts(response.dst);
+ this->mutex->unlock(this->mutex);
+
+ DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
+ src_ts, dst_ts, reqid);
+ job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
+ charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * Process a SADB_EXPIRE message from the kernel
+ */
+static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ protocol_id_t protocol;
+ u_int32_t spi, reqid;
+ bool hard;
+ job_t *job;
+
+ DBG2(DBG_KNL, "received an SADB_EXPIRE");
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
+ return;
+ }
+
+ protocol = proto_satype2ike(msg->sadb_msg_satype);
+ spi = response.sa->sadb_sa_spi;
+ reqid = response.x_sa2->sadb_x_sa2_reqid;
+ hard = response.lft_hard != NULL;
+
+ if (protocol != PROTO_ESP && protocol != PROTO_AH)
+ {
+ DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
+ "which is not a CHILD_SA", ntohl(spi), reqid);
+ return;
+ }
+
+ DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
+ hard ? "delete" : "rekey", protocol_id_names,
+ protocol, ntohl(spi), reqid);
+ if (hard)
+ {
+ job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+ }
+ else
+ {
+ job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+ }
+ charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * Process a SADB_MIGRATE message from the kernel
+ */
+static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ traffic_selector_t *src_ts, *dst_ts;
+ policy_dir_t dir;
+ u_int32_t reqid = 0;
+ host_t *local = NULL, *remote = NULL;
+ job_t *job;
+
+ DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
+ return;
+ }
+ src_ts = sadb_address2ts(response.src);
+ dst_ts = sadb_address2ts(response.dst);
+ dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
+ DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
+ policy_dir_names, dir);
+
+ /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
+ if (response.x_kmaddress)
+ {
+ sockaddr_t *local_addr, *remote_addr;
+ u_int32_t local_len;
+
+ local_addr = (sockaddr_t*)&response.x_kmaddress[1];
+ local = host_create_from_sockaddr(local_addr);
+ local_len = (local_addr->sa_family == AF_INET6)?
+ sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
+ remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
+ remote = host_create_from_sockaddr(remote_addr);
+ DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
+ }
+
+ if (src_ts && dst_ts && local && remote)
+ {
+ DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
+ src_ts, dst_ts, policy_dir_names, dir, reqid, local);
+ job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
+ local, remote);
+ charon->processor->queue_job(charon->processor, job);
+ }
+ else
+ {
+ DESTROY_IF(src_ts);
+ DESTROY_IF(dst_ts);
+ DESTROY_IF(local);
+ DESTROY_IF(remote);
+ }
+}
+
+/**
+ * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
+ */
+static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ u_int32_t spi, reqid;
+ host_t *host;
+ job_t *job;
+
+ DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
+ return;
+ }
+
+ if (!response.x_sa2)
+ {
+ DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
+ return;
+ }
+
+ spi = response.sa->sadb_sa_spi;
+ reqid = response.x_sa2->sadb_x_sa2_reqid;
+
+ if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+ {
+ sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
+ switch (sa->sa_family)
+ {
+ case AF_INET:
+ {
+ struct sockaddr_in *sin = (struct sockaddr_in*)sa;
+ sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+ }
+ case AF_INET6:
+ {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
+ sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+ }
+ default:
+ break;
+ }
+ host = host_create_from_sockaddr(sa);
+ if (host)
+ {
+ DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
+ "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
+ job = (job_t*)update_sa_job_create(reqid, host);
+ charon->processor->queue_job(charon->processor, job);
+ }
+ }
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
+{
+ unsigned char buf[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg = (struct sadb_msg*)buf;
+ int len, oldstate;
+
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+ len = recv(this->socket_events, buf, sizeof(buf), 0);
+ pthread_setcancelstate(oldstate, NULL);
+
+ if (len < 0)
+ {
+ switch (errno)
+ {
+ case EINTR:
+ /* interrupted, try again */
+ return JOB_REQUEUE_DIRECT;
+ case EAGAIN:
+ /* no data ready, select again */
+ return JOB_REQUEUE_DIRECT;
+ default:
+ DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
+ sleep(1);
+ return JOB_REQUEUE_FAIR;
+ }
+ }
+
+ if (len < sizeof(struct sadb_msg) ||
+ msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+ {
+ DBG2(DBG_KNL, "received corrupted PF_KEY message");
+ return JOB_REQUEUE_DIRECT;
+ }
+ if (msg->sadb_msg_pid != 0)
+ { /* not from kernel. not interested, try another one */
+ return JOB_REQUEUE_DIRECT;
+ }
+ if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+ {
+ DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
+ return JOB_REQUEUE_DIRECT;
+ }
+
+ switch (msg->sadb_msg_type)
+ {
+ case SADB_ACQUIRE:
+ process_acquire(this, msg);
+ break;
+ case SADB_EXPIRE:
+ process_expire(this, msg);
+ break;
+ case SADB_X_MIGRATE:
+ process_migrate(this, msg);
+ break;
+ case SADB_X_NAT_T_NEW_MAPPING:
+ process_mapping(this, msg);
+ break;
+ default:
+ break;
+ }
+
+ return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
+static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
+ host_t *src, host_t *dst,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int32_t *spi)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_x_sa2 *sa2;
+ struct sadb_address *addr;
+ struct sadb_spirange *range;
+ pfkey_msg_t response;
+ u_int32_t received_spi = 0;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_GETSPI;
+ msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
+ sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+ sa2->sadb_x_sa2_reqid = reqid;
+ PFKEY_EXT_ADD(msg, sa2);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ host2ext(src, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ host2ext(dst, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
+ range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+ range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+ range->sadb_spirange_min = 0xc0000000;
+ range->sadb_spirange_max = 0xcFFFFFFF;
+ PFKEY_EXT_ADD(msg, range);
+
+ if (pfkey_send(this, msg, &out, &len) == SUCCESS)
+ {
+ if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ }
+ else if (parse_pfkey_message(out, &response) == SUCCESS)
+ {
+ received_spi = response.sa->sadb_sa_spi;
+ }
+ free(out);
+ }
+
+ if (received_spi == 0)
+ {
+ return FAILED;
+ }
+
+ *spi = received_spi;
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_cpi.
+ */
+static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
+ host_t *src, host_t *dst,
+ u_int32_t reqid, u_int16_t *cpi)
+{
+ return FAILED;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
+static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
+ host_t *src, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int64_t expire_soft, u_int64_t expire_hard,
+ u_int16_t enc_alg, chunk_t enc_key,
+ u_int16_t int_alg, chunk_t int_key,
+ ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ bool encap, bool inbound)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ struct sadb_x_sa2 *sa2;
+ struct sadb_address *addr;
+ struct sadb_lifetime *lft;
+ struct sadb_key *key;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
+ msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
+ sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
+ sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+ PFKEY_EXT_ADD(msg, sa);
+
+ sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
+ sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+ sa2->sadb_x_sa2_mode = mode2kernel(mode);
+ sa2->sadb_x_sa2_reqid = reqid;
+ PFKEY_EXT_ADD(msg, sa2);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ host2ext(src, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ host2ext(dst, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+ lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
+ lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+ lft->sadb_lifetime_addtime = expire_soft;
+ PFKEY_EXT_ADD(msg, lft);
+
+ lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+ lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+ lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+ lft->sadb_lifetime_addtime = expire_hard;
+ PFKEY_EXT_ADD(msg, lft);
+
+ if (enc_alg != ENCR_UNDEFINED)
+ {
+ if (!sa->sadb_sa_encrypt)
+ {
+ DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+ encryption_algorithm_names, enc_alg);
+ return FAILED;
+ }
+ DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
+ encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+ key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+ key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+ key->sadb_key_bits = enc_key.len * 8;
+ key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
+ memcpy(key + 1, enc_key.ptr, enc_key.len);
+
+ PFKEY_EXT_ADD(msg, key);
+ }
+
+ if (int_alg != AUTH_UNDEFINED)
+ {
+ if (!sa->sadb_sa_auth)
+ {
+ DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+ integrity_algorithm_names, int_alg);
+ return FAILED;
+ }
+ DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
+ integrity_algorithm_names, int_alg, int_key.len * 8);
+
+ key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+ key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+ key->sadb_key_bits = int_key.len * 8;
+ key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
+ memcpy(key + 1, int_key.ptr, int_key.len);
+
+ PFKEY_EXT_ADD(msg, key);
+ }
+
+ if (ipcomp != IPCOMP_NONE)
+ {
+ /*TODO*/
+ }
+
+ if (encap)
+ {
+ add_encap_ext(msg, src, dst);
+ }
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.update_sa.
+ */
+static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+ host_t *src, host_t *dst,
+ host_t *new_src, host_t *new_dst,
+ bool encap, bool new_encap)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ struct sadb_address *addr;
+ pfkey_msg_t response;
+ size_t len;
+
+ /* we can't update the SA if any of the ip addresses have changed.
+ * that's because we can't use SADB_UPDATE and by deleting and readding the
+ * SA the sequence numbers would get lost */
+ if (!src->ip_equals(src, new_src) ||
+ !dst->ip_equals(dst, new_dst))
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
+ " are not supported", ntohl(spi));
+ return NOT_SUPPORTED;
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_GET;
+ msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ PFKEY_EXT_ADD(msg, sa);
+
+ /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
+ * it is not used for anything, so we just send dst twice */
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ host2ext(dst, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ host2ext(dst, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
+ ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ else if (parse_pfkey_message(out, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
+ "from kernel failed", ntohl(spi));
+ free(out);
+ return FAILED;
+ }
+
+ DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+ ntohl(spi), src, dst, new_src, new_dst);
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_UPDATE;
+ msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ PFKEY_EXT_COPY(msg, response.sa);
+ PFKEY_EXT_COPY(msg, response.x_sa2);
+
+ PFKEY_EXT_COPY(msg, response.src);
+ PFKEY_EXT_COPY(msg, response.dst);
+
+ PFKEY_EXT_COPY(msg, response.lft_soft);
+ PFKEY_EXT_COPY(msg, response.lft_hard);
+
+ if (response.key_encr)
+ {
+ PFKEY_EXT_COPY(msg, response.key_encr);
+ }
+
+ if (response.key_auth)
+ {
+ PFKEY_EXT_COPY(msg, response.key_auth);
+ }
+
+ if (new_encap)
+ {
+ add_encap_ext(msg, new_src, new_dst);
+ }
+
+ free(out);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ struct sadb_address *addr;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_DELETE;
+ msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ PFKEY_EXT_ADD(msg, sa);
+
+ /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
+ * it is not used for anything, so we just send dst twice */
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ host2ext(dst, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ host2ext(dst, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+
+ DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
+static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
+ host_t *src, host_t *dst,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ bool routed)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_x_policy *pol;
+ struct sadb_address *addr;
+ struct sadb_x_ipsecrequest *req;
+ policy_entry_t *policy, *found = NULL;
+ pfkey_msg_t response;
+ size_t len;
+
+ /* create a policy */
+ policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
+
+ /* find a matching policy */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+ {
+ /* use existing policy */
+ found->refcount++;
+ DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
+ "refcount", src_ts, dst_ts,
+ policy_dir_names, direction);
+ policy_entry_destroy(policy);
+ policy = found;
+ }
+ else
+ {
+ /* apply the new one, if we have no such policy */
+ this->policies->insert_last(this->policies, policy);
+ policy->refcount = 1;
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
+ msg->sadb_msg_satype = 0;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+ pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+ pol->sadb_x_policy_id = 0;
+ pol->sadb_x_policy_dir = dir2kernel(direction);
+ /* calculate priority based on source selector size, small size = high prio */
+ pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
+ pol->sadb_x_policy_priority -= policy->src.mask * 10;
+ pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
+ pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
+ pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+
+ /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
+ req = (struct sadb_x_ipsecrequest*)(pol + 1);
+ req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
+ /* !!! the length of this struct MUST be in octets instead of 64 bit words */
+ req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
+ req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
+ req->sadb_x_ipsecrequest_reqid = reqid;
+ req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
+ if (mode == MODE_TUNNEL)
+ {
+ sockaddr_t *sa;
+ socklen_t sl;
+ sa = src->get_sockaddr(src);
+ sl = *src->get_sockaddr_len(src);
+ memcpy(req + 1, sa, sl);
+ sa = dst->get_sockaddr(dst);
+ memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
+ req->sadb_x_ipsecrequest_len += sl * 2;
+ }
+
+ pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
+ PFKEY_EXT_ADD(msg, pol);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ addr->sadb_address_proto = policy->src.proto;
+ addr->sadb_address_prefixlen = policy->src.mask;
+ host2ext(policy->src.net, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ addr->sadb_address_proto = policy->dst.proto;
+ addr->sadb_address_prefixlen = policy->dst.mask;
+ host2ext(policy->dst.net, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ this->mutex->unlock(this->mutex);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
+ policy_dir_names, direction,
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ else if (parse_pfkey_message(out, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
+ "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
+ free(out);
+ return FAILED;
+ }
+
+ this->mutex->lock(this->mutex);
+
+ /* we try to find the policy again and update the kernel index */
+ if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+ {
+ DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
+ "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
+ this->mutex->unlock(this->mutex);
+ free(out);
+ return SUCCESS;
+ }
+ policy->index = response.x_policy->sadb_x_policy_id;
+ free(out);
+
+ /* install a route, if:
+ * - we are NOT updating a policy
+ * - this is a forward policy (to just get one for each child)
+ * - we are in tunnel mode
+ * - we are not using IPv6 (does not work correctly yet!)
+ * - routing is not disabled via strongswan.conf
+ */
+ if (policy->route == NULL && direction == POLICY_FWD &&
+ mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+ this->install_routes)
+ {
+ route_entry_t *route = malloc_thing(route_entry_t);
+
+ if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+ dst_ts, &route->src_ip) == SUCCESS)
+ {
+ /* get the nexthop to src (src as we are in POLICY_FWD).*/
+ route->gateway = charon->kernel_interface->get_nexthop(
+ charon->kernel_interface, src);
+ route->if_name = charon->kernel_interface->get_interface(
+ charon->kernel_interface, dst);
+ route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
+ route->prefixlen = policy->src.mask;
+
+ switch (charon->kernel_interface->add_route(charon->kernel_interface,
+ route->dst_net, route->prefixlen, route->gateway,
+ route->src_ip, route->if_name))
+ {
+ default:
+ DBG1(DBG_KNL, "unable to install source route for %H",
+ route->src_ip);
+ /* FALL */
+ case ALREADY_DONE:
+ /* route exists, do not uninstall */
+ route_entry_destroy(route);
+ break;
+ case SUCCESS:
+ /* cache the installed route */
+ policy->route = route;
+ break;
+ }
+ }
+ else
+ {
+ free(route);
+ }
+ }
+
+ this->mutex->unlock(this->mutex);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_policy.
+ */
+static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t *use_time)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_x_policy *pol;
+ struct sadb_address *addr;
+ policy_entry_t *policy, *found = NULL;
+ pfkey_msg_t response;
+ size_t len;
+
+ DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+
+ /* create a policy */
+ policy = create_policy_entry(src_ts, dst_ts, direction, 0);
+
+ /* find a matching policy */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
+ dst_ts, policy_dir_names, direction);
+ policy_entry_destroy(policy);
+ this->mutex->unlock(this->mutex);
+ return NOT_FOUND;
+ }
+ policy_entry_destroy(policy);
+ policy = found;
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_X_SPDGET;
+ msg->sadb_msg_satype = 0;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+ pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ pol->sadb_x_policy_id = policy->index;
+ pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+ pol->sadb_x_policy_dir = dir2kernel(direction);
+ pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+ PFKEY_EXT_ADD(msg, pol);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ addr->sadb_address_proto = policy->src.proto;
+ addr->sadb_address_prefixlen = policy->src.mask;
+ host2ext(policy->src.net, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ addr->sadb_address_proto = policy->dst.proto;
+ addr->sadb_address_prefixlen = policy->dst.mask;
+ host2ext(policy->dst.net, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ this->mutex->unlock(this->mutex);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+ dst_ts, policy_dir_names, direction,
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ else if (parse_pfkey_message(out, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
+ "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
+ free(out);
+ return FAILED;
+ }
+
+ *use_time = response.lft_current->sadb_lifetime_usetime;
+
+ free(out);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
+static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, bool unrouted)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_x_policy *pol;
+ struct sadb_address *addr;
+ policy_entry_t *policy, *found = NULL;
+ route_entry_t *route;
+ size_t len;
+
+ DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+
+ /* create a policy */
+ policy = create_policy_entry(src_ts, dst_ts, direction, 0);
+
+ /* find a matching policy */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
+ {
+ if (--found->refcount > 0)
+ {
+ /* is used by more SAs, keep in kernel */
+ DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+ policy_entry_destroy(policy);
+ this->mutex->unlock(this->mutex);
+ return SUCCESS;
+ }
+ /* remove if last reference */
+ this->policies->remove(this->policies, found, NULL);
+ policy_entry_destroy(policy);
+ policy = found;
+ }
+ else
+ {
+ DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+ dst_ts, policy_dir_names, direction);
+ policy_entry_destroy(policy);
+ this->mutex->unlock(this->mutex);
+ return NOT_FOUND;
+ }
+ this->mutex->unlock(this->mutex);
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_X_SPDDELETE;
+ msg->sadb_msg_satype = 0;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+ pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+ pol->sadb_x_policy_dir = dir2kernel(direction);
+ pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+ PFKEY_EXT_ADD(msg, pol);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ addr->sadb_address_proto = policy->src.proto;
+ addr->sadb_address_prefixlen = policy->src.mask;
+ host2ext(policy->src.net, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ addr->sadb_address_proto = policy->dst.proto;
+ addr->sadb_address_prefixlen = policy->dst.mask;
+ host2ext(policy->dst.net, addr);
+ PFKEY_EXT_ADD(msg, addr);
+
+ route = policy->route;
+ policy->route = NULL;
+ policy_entry_destroy(policy);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
+ dst_ts, policy_dir_names, direction,
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+
+ if (route)
+ {
+ if (charon->kernel_interface->del_route(charon->kernel_interface,
+ route->dst_net, route->prefixlen, route->gateway,
+ route->src_ip, route->if_name) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "error uninstalling route installed with "
+ "policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ }
+ route_entry_destroy(route);
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Register a socket for AQUIRE/EXPIRE messages
+ */
+static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_REGISTER;
+ msg->sadb_msg_satype = satype;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to register PF_KEY socket");
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.destroy.
+ */
+static void destroy(private_kernel_pfkey_ipsec_t *this)
+{
+ this->job->cancel(this->job);
+ close(this->socket);
+ close(this->socket_events);
+ this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+ this->mutex->destroy(this->mutex);
+ this->mutex_pfkey->destroy(this->mutex_pfkey);
+ free(this);
+}
+
+/**
+ * Add bypass policies for IKE on the sockets of charon
+ */
+static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
+{
+ int fd, family, port;
+ enumerator_t *sockets;
+ bool status = TRUE;
+
+ sockets = charon->socket->create_enumerator(charon->socket);
+ while (sockets->enumerate(sockets, &fd, &family, &port))
+ {
+ struct sadb_x_policy policy;
+ u_int sol, ipsec_policy;
+
+ switch (family)
+ {
+ case AF_INET:
+ sol = SOL_IP;
+ ipsec_policy = IP_IPSEC_POLICY;
+ break;
+ case AF_INET6:
+ {
+ sol = SOL_IPV6;
+ ipsec_policy = IPV6_IPSEC_POLICY;
+ break;
+ }
+ }
+
+ memset(&policy, 0, sizeof(policy));
+ policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+ policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+
+ policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ status = FALSE;
+ break;
+ }
+ policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ status = FALSE;
+ break;
+ }
+ }
+ sockets->destroy(sockets);
+ return status;
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
+{
+ private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
+
+ /* public functions */
+ this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+ this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
+ this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+ this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
+ this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+ this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
+
+ this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
+
+ /* private members */
+ this->policies = linked_list_create();
+ this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
+ this->install_routes = lib->settings->get_bool(lib->settings,
+ "charon.install_routes", TRUE);
+ this->seq = 0;
+
+ /* create a PF_KEY socket to communicate with the kernel */
+ this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+ if (this->socket <= 0)
+ {
+ charon->kill(charon, "unable to create PF_KEY socket");
+ }
+
+ /* create a PF_KEY socket for ACQUIRE & EXPIRE */
+ this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+ if (this->socket_events <= 0)
+ {
+ charon->kill(charon, "unable to create PF_KEY event socket");
+ }
+
+ /* add bypass policies on the sockets used by charon */
+ if (!add_bypass_policies(this))
+ {
+ charon->kill(charon, "unable to add bypass policies on sockets");
+ }
+
+ /* register the event socket */
+ if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+ register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+ {
+ charon->kill(charon, "unable to register PF_KEY event socket");
+ }
+
+ this->job = callback_job_create((callback_job_cb_t)receive_events,
+ this, NULL, NULL);
+ charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+ return &this->public;
+}
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
new file mode 100644
index 000000000..6e2ec5377
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_pfkey_ipsec.h 4361 2008-10-01 16:47:51Z tobias $
+ */
+
+/**
+ * @defgroup kernel_pfkey_ipsec_i kernel_pfkey_ipsec
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_IPSEC_H_
+#define KERNEL_PFKEY_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_pfkey_ipsec_t kernel_pfkey_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using PF_KEY.
+ */
+struct kernel_pfkey_ipsec_t {
+
+ /**
+ * Implements kernel_ipsec_t interface
+ */
+ kernel_ipsec_t interface;
+};
+
+/**
+ * Create a PF_KEY kernel ipsec interface instance.
+ *
+ * @return kernel_pfkey_ipsec_t instance
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create();
+
+#endif /* KERNEL_PFKEY_IPSEC_H_ @} */
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
new file mode 100644
index 000000000..93015d75a
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_pfkey_plugin.c 4361 2008-10-01 16:47:51Z tobias $
+ */
+
+
+#include "kernel_pfkey_plugin.h"
+
+#include "kernel_pfkey_ipsec.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
+
+/**
+ * private data of kernel PF_KEY plugin
+ */
+struct private_kernel_pfkey_plugin_t {
+ /**
+ * implements plugin interface
+ */
+ kernel_pfkey_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfkey_plugin_t *this)
+{
+ charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+ private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t);
+
+ this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+ charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+
+ return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
new file mode 100644
index 000000000..5e256ca74
--- /dev/null
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_pfkey_plugin.h 4361 2008-10-01 16:47:51Z tobias $
+ */
+
+/**
+ * @defgroup kernel_pfkey kernel_pfkey
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_PLUGIN_H_
+#define KERNEL_PFKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfkey_plugin_t kernel_pfkey_plugin_t;
+
+/**
+ * PF_KEY kernel interface plugin
+ */
+struct kernel_pfkey_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a kernel_pfkey_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* KERNEL_PFKEY_PLUGIN_H_ @} */
diff --git a/src/charon/plugins/load_tester/Makefile.am b/src/charon/plugins/load_tester/Makefile.am
new file mode 100644
index 000000000..88a6b688c
--- /dev/null
+++ b/src/charon/plugins/load_tester/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-load-tester.la
+
+libstrongswan_load_tester_la_SOURCES = \
+ load_tester_plugin.c load_tester_plugin.h \
+ load_tester_config.c load_tester_config.h \
+ load_tester_creds.c load_tester_creds.h \
+ load_tester_ipsec.c load_tester_ipsec.h \
+ load_tester_listener.c load_tester_listener.h
+
+libstrongswan_load_tester_la_LDFLAGS = -module
+
diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in
new file mode 100644
index 000000000..a0a749b87
--- /dev/null
+++ b/src/charon/plugins/load_tester/Makefile.in
@@ -0,0 +1,509 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/load_tester
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_load_tester_la_LIBADD =
+am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
+ load_tester_config.lo load_tester_creds.lo \
+ load_tester_ipsec.lo load_tester_listener.lo
+libstrongswan_load_tester_la_OBJECTS = \
+ $(am_libstrongswan_load_tester_la_OBJECTS)
+libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_load_tester_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_load_tester_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-load-tester.la
+libstrongswan_load_tester_la_SOURCES = \
+ load_tester_plugin.c load_tester_plugin.h \
+ load_tester_config.c load_tester_config.h \
+ load_tester_creds.c load_tester_creds.h \
+ load_tester_ipsec.c load_tester_ipsec.h \
+ load_tester_listener.c load_tester_listener.h
+
+libstrongswan_load_tester_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/load_tester/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/charon/plugins/load_tester/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES)
+ $(libstrongswan_load_tester_la_LINK) -rpath $(plugindir) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/load_tester/load_tester_config.c b/src/charon/plugins/load_tester/load_tester_config.c
new file mode 100644
index 000000000..8e93d24bb
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_config.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_config.h"
+
+#include <daemon.h>
+
+typedef struct private_load_tester_config_t private_load_tester_config_t;
+
+/**
+ * Private data of an load_tester_config_t object
+ */
+struct private_load_tester_config_t {
+
+ /**
+ * Public part
+ */
+ load_tester_config_t public;
+
+ /**
+ * peer config
+ */
+ peer_cfg_t *peer_cfg;
+};
+
+/**
+ * Implementation of backend_t.create_peer_cfg_enumerator.
+ */
+static enumerator_t* create_peer_cfg_enumerator(private_load_tester_config_t *this,
+ identification_t *me,
+ identification_t *other)
+{
+ return enumerator_create_single(this->peer_cfg, NULL);
+}
+
+/**
+ * Implementation of backend_t.create_ike_cfg_enumerator.
+ */
+static enumerator_t* create_ike_cfg_enumerator(private_load_tester_config_t *this,
+ host_t *me, host_t *other)
+{
+ ike_cfg_t *ike_cfg;
+
+ ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
+ return enumerator_create_single(ike_cfg, NULL);
+}
+
+/**
+ * implements backend_t.get_peer_cfg_by_name.
+ */
+static peer_cfg_t *get_peer_cfg_by_name(private_load_tester_config_t *this,
+ char *name)
+{
+ if (streq(name, "load-test"))
+ {
+ return this->peer_cfg->get_ref(this->peer_cfg);;
+ }
+ return NULL;
+}
+
+/**
+ * Implementation of load_tester_config_t.destroy.
+ */
+static void destroy(private_load_tester_config_t *this)
+{
+ this->peer_cfg->destroy(this->peer_cfg);
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+load_tester_config_t *load_tester_config_create()
+{
+ private_load_tester_config_t *this = malloc_thing(private_load_tester_config_t);
+ ike_cfg_t *ike_cfg;
+ child_cfg_t *child_cfg;
+ proposal_t *proposal;
+ traffic_selector_t *ts;
+ auth_info_t *auth;
+ auth_class_t class;
+ char *remote, *pool;
+ host_t *vip = NULL;
+
+ this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
+ this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
+ this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
+ this->public.destroy = (void(*)(load_tester_config_t*))destroy;
+
+ if (lib->settings->get_bool(lib->settings,
+ "charon.plugins.load_tester.request_virtual_ip", FALSE))
+ {
+ vip = host_create_from_string("0.0.0.0", 0);
+ }
+ pool = lib->settings->get_str(lib->settings,
+ "charon.plugins.load_tester.pool", NULL);
+ remote = lib->settings->get_str(lib->settings,
+ "charon.plugins.load_tester.remote", "127.0.0.1");
+ ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", remote);
+ proposal = proposal_create_from_string(PROTO_IKE,
+ lib->settings->get_str(lib->settings,
+ "charon.plugins.load_tester.proposal", "aes128-sha1-modp768"));
+ if (!proposal)
+ { /* fallback */
+ proposal = proposal_create_from_string(PROTO_IKE, "aes128-sha1-modp768");
+ }
+ ike_cfg->add_proposal(ike_cfg, proposal);
+ this->peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
+ identification_create_from_string("load-test@strongswan.org"),
+ identification_create_from_string("load-test@strongswan.org"),
+ CERT_SEND_IF_ASKED, UNIQUE_NO, 1, 0, 0, /* keytries, rekey, reauth */
+ 0, 0, TRUE, 60, /* jitter, overtime, mobike, dpddelay */
+ vip, pool, FALSE, NULL, NULL);
+ auth = this->peer_cfg->get_auth(this->peer_cfg);
+ class = AUTH_CLASS_PUBKEY;
+ auth->add_item(auth, AUTHN_AUTH_CLASS, &class);
+ child_cfg = child_cfg_create("load-test", 600, 400, 100, NULL, TRUE,
+ MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
+ proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
+ child_cfg->add_proposal(child_cfg, proposal);
+ ts = traffic_selector_create_dynamic(0, 0, 65535);
+ child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+ ts = traffic_selector_create_dynamic(0, 0, 65535);
+ child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+ this->peer_cfg->add_child_cfg(this->peer_cfg, child_cfg);
+
+ return &this->public;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_config.h b/src/charon/plugins/load_tester/load_tester_config.h
new file mode 100644
index 000000000..d5391da63
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_config.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester_config_t load_tester_config
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_CONFIG_H_
+#define LOAD_TESTER_CONFIG_H_
+
+#include <config/backend.h>
+
+typedef struct load_tester_config_t load_tester_config_t;
+
+/**
+ * Provide configurations for load testing.
+ */
+struct load_tester_config_t {
+
+ /**
+ * Implements backend_t interface
+ */
+ backend_t backend;
+
+ /**
+ * Destroy the backend.
+ */
+ void (*destroy)(load_tester_config_t *this);
+};
+
+/**
+ * Create a configuration backend for load testing.
+ *
+ * @return configuration backend
+ */
+load_tester_config_t *load_tester_config_create();
+
+#endif /* LOAD_TESTER_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_creds.c b/src/charon/plugins/load_tester/load_tester_creds.c
new file mode 100644
index 000000000..ec69a1ac9
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_creds.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_creds.h"
+
+#include <daemon.h>
+#include <credentials/keys/shared_key.h>
+#include <utils/identification.h>
+
+typedef struct private_load_tester_creds_t private_load_tester_creds_t;
+
+/**
+ * Private data of an load_tester_creds_t object
+ */
+struct private_load_tester_creds_t {
+ /**
+ * Public part
+ */
+ load_tester_creds_t public;
+
+ /**
+ * Private key to create signatures
+ */
+ private_key_t *private;
+
+ /**
+ * Trusted certificate to verify signatures
+ */
+ certificate_t *cert;
+};
+
+/**
+ * 1024-bit RSA key:
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDQXr7poAPYZLxmTCqR51STGRuk9Hc5SWtTcs6b2RzpnP8EVRLx
+JEVxOKE9Mw6n7mD1pNrupCpnpGRdLAV5VznTPhSQ6k7ppJJrxosRYg0pHTZqBUEC
+7nQFwAe10g8q0UnM1wa4lJzGxDH78d21cVweJgbkxAeyriS0jhNs7gO5nQIDAQAB
+AoGACVACtkxJf7VY2jWTPXwaQoy/uIqYfX3zhwI9i6eTbDlxCE+JDi/xzpKaWjLa
+99RmjvP0OPArWQB239ck03x7gAm2obutosGbqbKzJZS5cyIayzyW9djZDHBdt9Ho
+quKB39aspWit3xPzkrr+QeIkiggtmBKALTBxTwxAU+P6euECQQD4IPdrzKbCrO79
+LKvoPrQQtTjL6ogag9rI9n2ZuoK3/XVybh2byOXT8tA5G5jSz9Ac8XeVOsnH9gT5
+3WXeaLOFAkEA1vrm/hVSEasp5eATgQ7ig9CF+GGKqhTwXp/uOSl/h3IRmStu5J0C
+9AkYyx0bn3j5R8iUEX/C00KSE1kQNh4NOQJAVOsLYlRG2idPH0xThQc4nuM2jes1
+K0Xm8ZISSDNhm1BeCoyPC4rExTW7d1/vfG5svgsRrvvQpOOYrl7MB0Lz9QJBALhg
+AWJiyLsskEd90Vx7dpvUaEHo7jMGuEx/X6GYzK5Oj3dNP9NEMfc4IhJ5SWqRJ0KA
+bTVA3MexLXT4iqXPSkkCQQDSjLhBwvEnSuW4ElIMzBwLbu7573z2gzU82Mj6trrw
+Osoox/vmcepT1Wjy4AvPZHgxp7vEXNSeS+M5L29QNTp8
+-----END RSA PRIVATE KEY-----
+ */
+static char private[] = {
+ 0x30,0x82,0x02,0x5d,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xd0,0x5e,0xbe,0xe9,0xa0,
+ 0x03,0xd8,0x64,0xbc,0x66,0x4c,0x2a,0x91,0xe7,0x54,0x93,0x19,0x1b,0xa4,0xf4,0x77,
+ 0x39,0x49,0x6b,0x53,0x72,0xce,0x9b,0xd9,0x1c,0xe9,0x9c,0xff,0x04,0x55,0x12,0xf1,
+ 0x24,0x45,0x71,0x38,0xa1,0x3d,0x33,0x0e,0xa7,0xee,0x60,0xf5,0xa4,0xda,0xee,0xa4,
+ 0x2a,0x67,0xa4,0x64,0x5d,0x2c,0x05,0x79,0x57,0x39,0xd3,0x3e,0x14,0x90,0xea,0x4e,
+ 0xe9,0xa4,0x92,0x6b,0xc6,0x8b,0x11,0x62,0x0d,0x29,0x1d,0x36,0x6a,0x05,0x41,0x02,
+ 0xee,0x74,0x05,0xc0,0x07,0xb5,0xd2,0x0f,0x2a,0xd1,0x49,0xcc,0xd7,0x06,0xb8,0x94,
+ 0x9c,0xc6,0xc4,0x31,0xfb,0xf1,0xdd,0xb5,0x71,0x5c,0x1e,0x26,0x06,0xe4,0xc4,0x07,
+ 0xb2,0xae,0x24,0xb4,0x8e,0x13,0x6c,0xee,0x03,0xb9,0x9d,0x02,0x03,0x01,0x00,0x01,
+ 0x02,0x81,0x80,0x09,0x50,0x02,0xb6,0x4c,0x49,0x7f,0xb5,0x58,0xda,0x35,0x93,0x3d,
+ 0x7c,0x1a,0x42,0x8c,0xbf,0xb8,0x8a,0x98,0x7d,0x7d,0xf3,0x87,0x02,0x3d,0x8b,0xa7,
+ 0x93,0x6c,0x39,0x71,0x08,0x4f,0x89,0x0e,0x2f,0xf1,0xce,0x92,0x9a,0x5a,0x32,0xda,
+ 0xf7,0xd4,0x66,0x8e,0xf3,0xf4,0x38,0xf0,0x2b,0x59,0x00,0x76,0xdf,0xd7,0x24,0xd3,
+ 0x7c,0x7b,0x80,0x09,0xb6,0xa1,0xbb,0xad,0xa2,0xc1,0x9b,0xa9,0xb2,0xb3,0x25,0x94,
+ 0xb9,0x73,0x22,0x1a,0xcb,0x3c,0x96,0xf5,0xd8,0xd9,0x0c,0x70,0x5d,0xb7,0xd1,0xe8,
+ 0xaa,0xe2,0x81,0xdf,0xd6,0xac,0xa5,0x68,0xad,0xdf,0x13,0xf3,0x92,0xba,0xfe,0x41,
+ 0xe2,0x24,0x8a,0x08,0x2d,0x98,0x12,0x80,0x2d,0x30,0x71,0x4f,0x0c,0x40,0x53,0xe3,
+ 0xfa,0x7a,0xe1,0x02,0x41,0x00,0xf8,0x20,0xf7,0x6b,0xcc,0xa6,0xc2,0xac,0xee,0xfd,
+ 0x2c,0xab,0xe8,0x3e,0xb4,0x10,0xb5,0x38,0xcb,0xea,0x88,0x1a,0x83,0xda,0xc8,0xf6,
+ 0x7d,0x99,0xba,0x82,0xb7,0xfd,0x75,0x72,0x6e,0x1d,0x9b,0xc8,0xe5,0xd3,0xf2,0xd0,
+ 0x39,0x1b,0x98,0xd2,0xcf,0xd0,0x1c,0xf1,0x77,0x95,0x3a,0xc9,0xc7,0xf6,0x04,0xf9,
+ 0xdd,0x65,0xde,0x68,0xb3,0x85,0x02,0x41,0x00,0xd6,0xfa,0xe6,0xfe,0x15,0x52,0x11,
+ 0xab,0x29,0xe5,0xe0,0x13,0x81,0x0e,0xe2,0x83,0xd0,0x85,0xf8,0x61,0x8a,0xaa,0x14,
+ 0xf0,0x5e,0x9f,0xee,0x39,0x29,0x7f,0x87,0x72,0x11,0x99,0x2b,0x6e,0xe4,0x9d,0x02,
+ 0xf4,0x09,0x18,0xcb,0x1d,0x1b,0x9f,0x78,0xf9,0x47,0xc8,0x94,0x11,0x7f,0xc2,0xd3,
+ 0x42,0x92,0x13,0x59,0x10,0x36,0x1e,0x0d,0x39,0x02,0x40,0x54,0xeb,0x0b,0x62,0x54,
+ 0x46,0xda,0x27,0x4f,0x1f,0x4c,0x53,0x85,0x07,0x38,0x9e,0xe3,0x36,0x8d,0xeb,0x35,
+ 0x2b,0x45,0xe6,0xf1,0x92,0x12,0x48,0x33,0x61,0x9b,0x50,0x5e,0x0a,0x8c,0x8f,0x0b,
+ 0x8a,0xc4,0xc5,0x35,0xbb,0x77,0x5f,0xef,0x7c,0x6e,0x6c,0xbe,0x0b,0x11,0xae,0xfb,
+ 0xd0,0xa4,0xe3,0x98,0xae,0x5e,0xcc,0x07,0x42,0xf3,0xf5,0x02,0x41,0x00,0xb8,0x60,
+ 0x01,0x62,0x62,0xc8,0xbb,0x2c,0x90,0x47,0x7d,0xd1,0x5c,0x7b,0x76,0x9b,0xd4,0x68,
+ 0x41,0xe8,0xee,0x33,0x06,0xb8,0x4c,0x7f,0x5f,0xa1,0x98,0xcc,0xae,0x4e,0x8f,0x77,
+ 0x4d,0x3f,0xd3,0x44,0x31,0xf7,0x38,0x22,0x12,0x79,0x49,0x6a,0x91,0x27,0x42,0x80,
+ 0x6d,0x35,0x40,0xdc,0xc7,0xb1,0x2d,0x74,0xf8,0x8a,0xa5,0xcf,0x4a,0x49,0x02,0x41,
+ 0x00,0xd2,0x8c,0xb8,0x41,0xc2,0xf1,0x27,0x4a,0xe5,0xb8,0x12,0x52,0x0c,0xcc,0x1c,
+ 0x0b,0x6e,0xee,0xf9,0xef,0x7c,0xf6,0x83,0x35,0x3c,0xd8,0xc8,0xfa,0xb6,0xba,0xf0,
+ 0x3a,0xca,0x28,0xc7,0xfb,0xe6,0x71,0xea,0x53,0xd5,0x68,0xf2,0xe0,0x0b,0xcf,0x64,
+ 0x78,0x31,0xa7,0xbb,0xc4,0x5c,0xd4,0x9e,0x4b,0xe3,0x39,0x2f,0x6f,0x50,0x35,0x3a,
+ 0x7c,
+};
+
+/**
+ * And an associated self-signed certificate
+-----BEGIN CERTIFICATE-----
+MIIB2zCCAUSgAwIBAgIRAKmSLQc+3QV4WswVkpxqY5kwDQYJKoZIhvcNAQEFBQAw
+FzEVMBMGA1UEAxMMbG9hZC10ZXN0aW5nMB4XDTA4MTAyMTEyNDk0MFoXDTEzMTAy
+MDEyNDk0MFowFzEVMBMGA1UEAxMMbG9hZC10ZXN0aW5nMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDQXr7poAPYZLxmTCqR51STGRuk9Hc5SWtTcs6b2RzpnP8E
+VRLxJEVxOKE9Mw6n7mD1pNrupCpnpGRdLAV5VznTPhSQ6k7ppJJrxosRYg0pHTZq
+BUEC7nQFwAe10g8q0UnM1wa4lJzGxDH78d21cVweJgbkxAeyriS0jhNs7gO5nQID
+AQABoycwJTAjBgNVHREEHDAagRhsb2FkLXRlc3RAc3Ryb25nc3dhbi5vcmcwDQYJ
+KoZIhvcNAQEFBQADgYEATyQ3KLVU13Q3U3uZZtQL56rm680wMLu0+2z164PnxcTu
+Donp19AwPfvl4y0kjCdQYqUA6NXczub40ZrCMfmZEbVarW9oAys9lWef8sqfW0pv
+asNWsTOOwgg4gcASh1VCYsMX73C8R1pegWM/btyX2SEa7+R1rBEZwHVtIxgFcnM=
+-----END CERTIFICATE-----
+ */
+static char cert[] = {
+ 0x30,0x82,0x01,0xdb,0x30,0x82,0x01,0x44,0xa0,0x03,0x02,0x01,0x02,0x02,0x11,0x00,
+ 0xa9,0x92,0x2d,0x07,0x3e,0xdd,0x05,0x78,0x5a,0xcc,0x15,0x92,0x9c,0x6a,0x63,0x99,
+ 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,
+ 0x17,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x6c,0x6f,0x61,0x64,
+ 0x2d,0x74,0x65,0x73,0x74,0x69,0x6e,0x67,0x30,0x1e,0x17,0x0d,0x30,0x38,0x31,0x30,
+ 0x32,0x31,0x31,0x32,0x34,0x39,0x34,0x30,0x5a,0x17,0x0d,0x31,0x33,0x31,0x30,0x32,
+ 0x30,0x31,0x32,0x34,0x39,0x34,0x30,0x5a,0x30,0x17,0x31,0x15,0x30,0x13,0x06,0x03,
+ 0x55,0x04,0x03,0x13,0x0c,0x6c,0x6f,0x61,0x64,0x2d,0x74,0x65,0x73,0x74,0x69,0x6e,
+ 0x67,0x30,0x81,0x9f,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
+ 0x01,0x05,0x00,0x03,0x81,0x8d,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xd0,0x5e,
+ 0xbe,0xe9,0xa0,0x03,0xd8,0x64,0xbc,0x66,0x4c,0x2a,0x91,0xe7,0x54,0x93,0x19,0x1b,
+ 0xa4,0xf4,0x77,0x39,0x49,0x6b,0x53,0x72,0xce,0x9b,0xd9,0x1c,0xe9,0x9c,0xff,0x04,
+ 0x55,0x12,0xf1,0x24,0x45,0x71,0x38,0xa1,0x3d,0x33,0x0e,0xa7,0xee,0x60,0xf5,0xa4,
+ 0xda,0xee,0xa4,0x2a,0x67,0xa4,0x64,0x5d,0x2c,0x05,0x79,0x57,0x39,0xd3,0x3e,0x14,
+ 0x90,0xea,0x4e,0xe9,0xa4,0x92,0x6b,0xc6,0x8b,0x11,0x62,0x0d,0x29,0x1d,0x36,0x6a,
+ 0x05,0x41,0x02,0xee,0x74,0x05,0xc0,0x07,0xb5,0xd2,0x0f,0x2a,0xd1,0x49,0xcc,0xd7,
+ 0x06,0xb8,0x94,0x9c,0xc6,0xc4,0x31,0xfb,0xf1,0xdd,0xb5,0x71,0x5c,0x1e,0x26,0x06,
+ 0xe4,0xc4,0x07,0xb2,0xae,0x24,0xb4,0x8e,0x13,0x6c,0xee,0x03,0xb9,0x9d,0x02,0x03,
+ 0x01,0x00,0x01,0xa3,0x27,0x30,0x25,0x30,0x23,0x06,0x03,0x55,0x1d,0x11,0x04,0x1c,
+ 0x30,0x1a,0x81,0x18,0x6c,0x6f,0x61,0x64,0x2d,0x74,0x65,0x73,0x74,0x40,0x73,0x74,
+ 0x72,0x6f,0x6e,0x67,0x73,0x77,0x61,0x6e,0x2e,0x6f,0x72,0x67,0x30,0x0d,0x06,0x09,
+ 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0x4f,
+ 0x24,0x37,0x28,0xb5,0x54,0xd7,0x74,0x37,0x53,0x7b,0x99,0x66,0xd4,0x0b,0xe7,0xaa,
+ 0xe6,0xeb,0xcd,0x30,0x30,0xbb,0xb4,0xfb,0x6c,0xf5,0xeb,0x83,0xe7,0xc5,0xc4,0xee,
+ 0x0e,0x89,0xe9,0xd7,0xd0,0x30,0x3d,0xfb,0xe5,0xe3,0x2d,0x24,0x8c,0x27,0x50,0x62,
+ 0xa5,0x00,0xe8,0xd5,0xdc,0xce,0xe6,0xf8,0xd1,0x9a,0xc2,0x31,0xf9,0x99,0x11,0xb5,
+ 0x5a,0xad,0x6f,0x68,0x03,0x2b,0x3d,0x95,0x67,0x9f,0xf2,0xca,0x9f,0x5b,0x4a,0x6f,
+ 0x6a,0xc3,0x56,0xb1,0x33,0x8e,0xc2,0x08,0x38,0x81,0xc0,0x12,0x87,0x55,0x42,0x62,
+ 0xc3,0x17,0xef,0x70,0xbc,0x47,0x5a,0x5e,0x81,0x63,0x3f,0x6e,0xdc,0x97,0xd9,0x21,
+ 0x1a,0xef,0xe4,0x75,0xac,0x11,0x19,0xc0,0x75,0x6d,0x23,0x18,0x05,0x72,0x73,
+};
+
+/**
+ * Implements credential_set_t.create_private_enumerator
+ */
+static enumerator_t* create_private_enumerator(private_load_tester_creds_t *this,
+ key_type_t type, identification_t *id)
+{
+ if (this->private == NULL)
+ {
+ return NULL;
+ }
+ if (type != KEY_ANY && type != KEY_RSA)
+ {
+ return NULL;
+ }
+ if (id)
+ {
+ identification_t *keyid;
+
+ keyid = this->private->get_id(this->private, id->get_type(id));
+ if (!keyid || !keyid->equals(keyid, id))
+ {
+ return NULL;
+ }
+ }
+ return enumerator_create_single(this->private, NULL);
+}
+
+/**
+ * Implements credential_set_t.create_cert_enumerator
+ */
+static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
+ certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
+{
+ if (this->cert == NULL)
+ {
+ return NULL;
+ }
+ if (cert != CERT_ANY && cert != CERT_X509)
+ {
+ return NULL;
+ }
+ if (key != KEY_ANY && key != KEY_RSA)
+ {
+ return NULL;
+ }
+ if (id && !this->cert->has_subject(this->cert, id))
+ {
+ return NULL;
+ }
+ return enumerator_create_single(this->cert, NULL);
+}
+
+/**
+ * Implementation of load_tester_creds_t.destroy
+ */
+static void destroy(private_load_tester_creds_t *this)
+{
+ DESTROY_IF(this->private);
+ DESTROY_IF(this->cert);
+ free(this);
+}
+
+load_tester_creds_t *load_tester_creds_create()
+{
+ private_load_tester_creds_t *this = malloc_thing(private_load_tester_creds_t);
+
+ this->public.credential_set.create_shared_enumerator = (enumerator_t*(*)(credential_set_t*, shared_key_type_t, identification_t*, identification_t*))return_null;
+ this->public.credential_set.create_private_enumerator = (enumerator_t*(*) (credential_set_t*, key_type_t, identification_t*))create_private_enumerator;
+ this->public.credential_set.create_cert_enumerator = (enumerator_t*(*) (credential_set_t*, certificate_type_t, key_type_t,identification_t *, bool))create_cert_enumerator;
+ this->public.credential_set.create_cdp_enumerator = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
+ this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
+ this->public.destroy = (void(*) (load_tester_creds_t*))destroy;
+
+ this->private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)), BUILD_END);
+
+ this->cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)), BUILD_END);
+
+ return &this->public;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_creds.h b/src/charon/plugins/load_tester/load_tester_creds.h
new file mode 100644
index 000000000..bc092bd12
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_creds.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester_creds_t load_tester_creds
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_CREDS_H_
+#define LOAD_TESTER_CREDS_H_
+
+#include <credentials/credential_set.h>
+
+typedef struct load_tester_creds_t load_tester_creds_t;
+
+/**
+ * Provide hard-coded credentials for load testing.
+ */
+struct load_tester_creds_t {
+
+ /**
+ * Implements credential set interface.
+ */
+ credential_set_t credential_set;
+
+ /**
+ * Destroy the backend.
+ */
+ void (*destroy)(load_tester_creds_t *this);
+};
+
+/**
+ * Create a credential set for load testing.
+ *
+ * @return credential set
+ */
+load_tester_creds_t *load_tester_creds_create();
+
+#endif /* LOAD_TESTER_CREDS_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c
new file mode 100644
index 000000000..9abd65195
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_ipsec.h"
+
+#include <time.h>
+
+typedef struct private_load_tester_ipsec_t private_load_tester_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_pfkey class.
+ */
+struct private_load_tester_ipsec_t {
+ /**
+ * Public interface.
+ */
+ load_tester_ipsec_t public;
+
+ /**
+ * faked SPI counter
+ */
+ u_int32_t spi;
+};
+
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
+static status_t get_spi(private_load_tester_ipsec_t *this,
+ host_t *src, host_t *dst,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int32_t *spi)
+{
+ *spi = ++this->spi;
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_cpi.
+ */
+static status_t get_cpi(private_load_tester_ipsec_t *this,
+ host_t *src, host_t *dst,
+ u_int32_t reqid, u_int16_t *cpi)
+{
+ return FAILED;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
+static status_t add_sa(private_load_tester_ipsec_t *this,
+ host_t *src, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int64_t expire_soft, u_int64_t expire_hard,
+ u_int16_t enc_alg, chunk_t enc_key,
+ u_int16_t int_alg, chunk_t int_key,
+ ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ bool encap, bool inbound)
+{
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.update_sa.
+ */
+static status_t update_sa(private_load_tester_ipsec_t *this,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+ host_t *src, host_t *dst,
+ host_t *new_src, host_t *new_dst,
+ bool encap, bool new_encap)
+{
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
+static status_t add_policy(private_load_tester_ipsec_t *this,
+ host_t *src, host_t *dst,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ bool routed)
+{
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_policy.
+ */
+static status_t query_policy(private_load_tester_ipsec_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t *use_time)
+{
+ *use_time = time(NULL);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
+static status_t del_policy(private_load_tester_ipsec_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, bool unrouted)
+{
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.destroy.
+ */
+static void destroy(private_load_tester_ipsec_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+load_tester_ipsec_t *load_tester_ipsec_create()
+{
+ private_load_tester_ipsec_t *this = malloc_thing(private_load_tester_ipsec_t);
+
+ /* public functions */
+ this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+ this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
+ this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+ this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
+ this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+ this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
+ this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
+
+ this->spi = 0;
+
+ return &this->public;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.h b/src/charon/plugins/load_tester/load_tester_ipsec.h
new file mode 100644
index 000000000..34a99dcbd
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester_ipsec_i load_tester_ipsec
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_IPSEC_H_
+#define LOAD_TESTER_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct load_tester_ipsec_t load_tester_ipsec_t;
+
+/**
+ * Implementation of a fake kernel ipsec interface for load testing.
+ */
+struct load_tester_ipsec_t {
+
+ /**
+ * Implements kernel_ipsec_t interface
+ */
+ kernel_ipsec_t interface;
+};
+
+/**
+ * Create a faked kernel ipsec interface instance.
+ *
+ * @return kernel_load_tester_ipsec_t instance
+ */
+load_tester_ipsec_t *load_tester_ipsec_create();
+
+#endif /* LOAD_TESTER_IPSEC_H_ @} */
diff --git a/src/charon/plugins/load_tester/load_tester_listener.c b/src/charon/plugins/load_tester/load_tester_listener.c
new file mode 100644
index 000000000..991408a44
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_listener.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_listener.h"
+
+#include <daemon.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+typedef struct private_load_tester_listener_t private_load_tester_listener_t;
+
+/**
+ * Private data of an load_tester_listener_t object
+ */
+struct private_load_tester_listener_t {
+ /**
+ * Public part
+ */
+ load_tester_listener_t public;
+
+ /**
+ * Delete IKE_SA after it has been established
+ */
+ bool delete_after_established;
+};
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(private_load_tester_listener_t *this,
+ ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+ if (this->delete_after_established && state == IKE_ESTABLISHED)
+ {
+ charon->processor->queue_job(charon->processor,
+ (job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
+ }
+ return TRUE;
+}
+
+/**
+ * Implementation of load_tester_listener_t.destroy
+ */
+static void destroy(private_load_tester_listener_t *this)
+{
+ free(this);
+}
+
+load_tester_listener_t *load_tester_listener_create()
+{
+ private_load_tester_listener_t *this = malloc_thing(private_load_tester_listener_t);
+
+ memset(&this->public.listener, 0, sizeof(listener_t));
+ this->public.listener.ike_state_change = (void*)ike_state_change;
+ this->public.destroy = (void(*) (load_tester_listener_t*))destroy;
+
+ this->delete_after_established = lib->settings->get_bool(lib->settings,
+ "charon.plugins.load_tester.delete_after_established", FALSE);
+
+ return &this->public;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_listener.h b/src/charon/plugins/load_tester/load_tester_listener.h
new file mode 100644
index 000000000..28bb57d05
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_listener.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester_listener_t load_tester_listener
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_LISTENER_H_
+#define LOAD_TESTER_LISTENER_H_
+
+#include <bus/bus.h>
+
+typedef struct load_tester_listener_t load_tester_listener_t;
+
+/**
+ * Provide hard-coded credentials for load testing.
+ */
+struct load_tester_listener_t {
+
+ /**
+ * Implements listener set interface.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy the backend.
+ */
+ void (*destroy)(load_tester_listener_t *this);
+};
+
+/**
+ * Create a listener to handle special events during load test
+ *
+ * @return listener
+ */
+load_tester_listener_t *load_tester_listener_create();
+
+#endif /* LOAD_TESTER_LISTENER_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c
new file mode 100644
index 000000000..aff83a9a7
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_plugin.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "load_tester_plugin.h"
+#include "load_tester_config.h"
+#include "load_tester_creds.h"
+#include "load_tester_ipsec.h"
+#include "load_tester_listener.h"
+
+#include <unistd.h>
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_load_tester_plugin_t private_load_tester_plugin_t;
+
+/**
+ * private data of load_tester plugin
+ */
+struct private_load_tester_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ load_tester_plugin_t public;
+
+ /**
+ * load_tester configuration backend
+ */
+ load_tester_config_t *config;
+
+ /**
+ * load_tester credential set implementation
+ */
+ load_tester_creds_t *creds;
+
+ /**
+ * event handler, listens on bus
+ */
+ load_tester_listener_t *listener;
+
+ /**
+ * number of iterations per thread
+ */
+ int iterations;
+
+ /**
+ * number of threads
+ */
+ int initiators;
+
+ /**
+ * delay between initiations, in ms
+ */
+ int delay;
+};
+
+/**
+ * Begin the load test
+ */
+static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
+{
+ peer_cfg_t *peer_cfg;
+ child_cfg_t *child_cfg = NULL;;
+ enumerator_t *enumerator;
+ int i, s = 0, ms = 0;
+
+ if (this->delay)
+ {
+ s = this->delay / 1000;
+ ms = this->delay % 1000;
+ }
+ peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+ "load-test");
+ if (peer_cfg)
+ {
+ enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+ if (enumerator->enumerate(enumerator, &child_cfg))
+ {
+ child_cfg->get_ref(child_cfg);
+ }
+ enumerator->destroy(enumerator);
+
+ if (child_cfg)
+ {
+ for (i = 0; this->iterations == 0 || i < this->iterations; i++)
+ {
+ charon->controller->initiate(charon->controller,
+ peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
+ NULL, NULL);
+
+ if (s)
+ {
+ sleep(s);
+ }
+ if (ms)
+ {
+ usleep(ms * 1000);
+ }
+ }
+ child_cfg->destroy(child_cfg);
+ }
+ peer_cfg->destroy(peer_cfg);
+ }
+ return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_load_tester_plugin_t *this)
+{
+ charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface,
+ (kernel_ipsec_constructor_t)load_tester_ipsec_create);
+ charon->backends->remove_backend(charon->backends, &this->config->backend);
+ charon->credentials->remove_set(charon->credentials, &this->creds->credential_set);
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ this->config->destroy(this->config);
+ this->creds->destroy(this->creds);
+ this->listener->destroy(this->listener);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+ private_load_tester_plugin_t *this = malloc_thing(private_load_tester_plugin_t);
+ int i;
+
+ this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+ this->config = load_tester_config_create();
+ this->creds = load_tester_creds_create();
+ this->listener = load_tester_listener_create();
+ charon->backends->add_backend(charon->backends, &this->config->backend);
+ charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+ if (lib->settings->get_bool(lib->settings,
+ "charon.plugins.load_tester.fake_kernel", FALSE))
+ {
+ charon->kernel_interface->add_ipsec_interface(charon->kernel_interface,
+ (kernel_ipsec_constructor_t)load_tester_ipsec_create);
+ }
+ this->delay = lib->settings->get_int(lib->settings,
+ "charon.plugins.load_tester.delay", 0);
+ this->iterations = lib->settings->get_int(lib->settings,
+ "charon.plugins.load_tester.iterations", 1);
+ this->initiators = lib->settings->get_int(lib->settings,
+ "charon.plugins.load_tester.initiators", 0);
+ for (i = 0; i < this->initiators; i++)
+ {
+ charon->processor->queue_job(charon->processor,
+ (job_t*)callback_job_create((callback_job_cb_t)do_load_test,
+ this, NULL, NULL));
+ }
+ return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.h b/src/charon/plugins/load_tester/load_tester_plugin.h
new file mode 100644
index 000000000..10088bfa2
--- /dev/null
+++ b/src/charon/plugins/load_tester/load_tester_plugin.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup load_tester load_tester
+ * @ingroup cplugins
+ *
+ * @defgroup load_tester_plugin load_tester_plugin
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_PLUGIN_H_
+#define LOAD_TESTER_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct load_tester_plugin_t load_tester_plugin_t;
+
+/**
+ * Load tester plugin to inspect system core under high load.
+ *
+ * This plugin
+ */
+struct load_tester_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a load_tester_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* LOAD_TESTER_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/medcli/medcli_listener.c b/src/charon/plugins/medcli/medcli_listener.c
index 3b4156903..c057ea2b5 100644
--- a/src/charon/plugins/medcli/medcli_listener.c
+++ b/src/charon/plugins/medcli/medcli_listener.c
@@ -51,36 +51,55 @@ struct private_medcli_listener_t {
/**
* Implementation of bus_listener_t.signal.
*/
-static bool signal_(private_medcli_listener_t *this, signal_t signal,
- level_t level, int thread, ike_sa_t* ike_sa, void *data,
- char *format, va_list args)
+static void set_state(private_medcli_listener_t *this, char *alias,
+ mediated_state_t state)
{
- mediated_state_t state;
-
- if (!ike_sa)
+ this->db->execute(this->db, NULL,
+ "UPDATE Connection SET Status = ? WHERE Alias = ?",
+ DB_UINT, state, DB_TEXT, alias);
+}
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(private_medcli_listener_t *this,
+ ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+ if (ike_sa)
{
- return TRUE;
+ switch (state)
+ {
+ case IKE_CONNECTING:
+ set_state(this, ike_sa->get_name(ike_sa), STATE_CONNECTING);
+ break;
+ case IKE_DESTROYING:
+ set_state(this, ike_sa->get_name(ike_sa), STATE_DOWN);
+ default:
+ break;
+ }
}
+ return TRUE;
+}
- switch (signal)
+/**
+ * Implementation of listener_t.child_state_change
+ */
+static bool child_state_change(private_medcli_listener_t *this,
+ ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state)
+{
+ if (ike_sa && child_sa)
{
- case IKE_UP_START:
- state = STATE_CONNECTING;
- break;
- case IKE_UP_FAILED:
- case IKE_DOWN_SUCCESS:
- case IKE_DOWN_FAILED:
- state = STATE_DOWN;
- break;
- case IKE_UP_SUCCESS:
- state = STATE_UP;
- break;
- default:
- return TRUE;
+ switch (state)
+ {
+ case CHILD_INSTALLED:
+ set_state(this, child_sa->get_name(child_sa), STATE_UP);
+ break;
+ case CHILD_DESTROYING:
+ set_state(this, child_sa->get_name(child_sa), STATE_DOWN);
+ break;
+ default:
+ break;
+ }
}
- this->db->execute(this->db, NULL,
- "UPDATE Connection SET Status = ? WHERE Alias = ?",
- DB_UINT, state, DB_TEXT, ike_sa->get_name(ike_sa));
return TRUE;
}
@@ -91,7 +110,7 @@ static void destroy(private_medcli_listener_t *this)
{
this->db->execute(this->db, NULL, "UPDATE Connection SET Status = ?",
DB_UINT, STATE_DOWN);
- free(this);
+ free(this);
}
/**
@@ -100,8 +119,11 @@ static void destroy(private_medcli_listener_t *this)
medcli_listener_t *medcli_listener_create(database_t *db)
{
private_medcli_listener_t *this = malloc_thing(private_medcli_listener_t);
-
- this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
+
+ memset(&this->public.listener, 0, sizeof(listener_t));
+
+ this->public.listener.ike_state_change = (void*)ike_state_change;
+ this->public.listener.child_state_change = (void*)child_state_change;
this->public.destroy = (void (*)(medcli_listener_t*))destroy;
this->db = db;
diff --git a/src/charon/plugins/medcli/medcli_listener.h b/src/charon/plugins/medcli/medcli_listener.h
index f07218d78..4cec3caad 100644
--- a/src/charon/plugins/medcli/medcli_listener.h
+++ b/src/charon/plugins/medcli/medcli_listener.h
@@ -36,7 +36,7 @@ struct medcli_listener_t {
/**
* Implements bus_listener_t interface
*/
- bus_listener_t listener;
+ listener_t listener;
/**
* Destroy the credentials databse.
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
index 107ca1a31..bb5436443 100644
--- a/src/charon/plugins/nm/Makefile.am
+++ b/src/charon/plugins/nm/Makefile.am
@@ -25,4 +25,4 @@ EXTRA_DIST = gnome/configure gnome/po/LINGUAS gnome/po/POTFILES.in gnome/po/Make
gnome/config.sub gnome/missing
gnome/configure : gnome/configure.in
- cd gnome && ./autogen.sh; cd ..
+ (cd `dirname $<` && ./autogen.sh)
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
index 46e4ab851..4f75da14f 100644
--- a/src/charon/plugins/nm/Makefile.in
+++ b/src/charon/plugins/nm/Makefile.in
@@ -513,7 +513,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
gnome/configure : gnome/configure.in
- cd gnome && ./autogen.sh; cd ..
+ (cd `dirname $<` && ./autogen.sh)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
index f165653ae..e7cd640a7 100644
--- a/src/charon/plugins/nm/nm_creds.c
+++ b/src/charon/plugins/nm/nm_creds.c
@@ -15,12 +15,10 @@
* $Id$
*/
-#define _GNU_SOURCE
-#include <pthread.h>
-
#include "nm_creds.h"
#include <daemon.h>
+#include <utils/mutex.h>
typedef struct private_nm_creds_t private_nm_creds_t;
@@ -62,7 +60,7 @@ struct private_nm_creds_t {
/**
* read/write lock
*/
- pthread_rwlock_t lock;
+ rwlock_t *lock;
};
/**
@@ -91,10 +89,10 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
}
public->destroy(public);
}
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_cleaner(
enumerator_create_single(this->usercert, NULL),
- (void*)pthread_rwlock_unlock, &this->lock);
+ (void*)this->lock->unlock, this->lock);
}
/**
@@ -138,9 +136,9 @@ static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
}
public->destroy(public);
}
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_cleaner(enumerator_create_single(this->cert, NULL),
- (void*)pthread_rwlock_unlock, &this->lock);
+ (void*)this->lock->unlock, this->lock);
}
/**
@@ -167,9 +165,9 @@ static enumerator_t* create_private_enumerator(private_nm_creds_t *this,
return NULL;
}
}
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_cleaner(enumerator_create_single(this->key, NULL),
- (void*)pthread_rwlock_unlock, &this->lock);
+ (void*)this->lock->unlock, this->lock);
}
/**
@@ -205,7 +203,7 @@ static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key,
static void shared_destroy(shared_enumerator_t *this)
{
this->key->destroy(this->key);
- pthread_rwlock_unlock(&this->this->lock);
+ this->this->lock->unlock(this->this->lock);
free(this);
}
/**
@@ -235,7 +233,7 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
enumerator->public.destroy = (void*)shared_destroy;
enumerator->this = this;
enumerator->done = FALSE;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
enumerator->key = shared_key_create(type,
chunk_clone(chunk_create(this->pass,
strlen(this->pass))));
@@ -247,10 +245,10 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
*/
static void set_certificate(private_nm_creds_t *this, certificate_t *cert)
{
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
DESTROY_IF(this->cert);
this->cert = cert;
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
}
/**
@@ -259,14 +257,14 @@ static void set_certificate(private_nm_creds_t *this, certificate_t *cert)
static void set_username_password(private_nm_creds_t *this, identification_t *id,
char *password)
{
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
DESTROY_IF(this->user);
/* for EAP authentication, we use always use ID_EAP type */
this->user = identification_create_from_encoding(ID_EAP,
id->get_encoding(id));
free(this->pass);
this->pass = password ? strdup(password) : NULL;
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
}
/**
@@ -275,12 +273,12 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id
static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
private_key_t *key)
{
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
DESTROY_IF(this->key);
DESTROY_IF(this->usercert);
this->key = key;
this->usercert = cert;
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
}
/**
@@ -306,7 +304,7 @@ static void clear(private_nm_creds_t *this)
static void destroy(private_nm_creds_t *this)
{
clear(this);
- pthread_rwlock_destroy(&this->lock);
+ this->lock->destroy(this->lock);
free(this);
}
@@ -328,7 +326,7 @@ nm_creds_t *nm_creds_create()
this->public.clear = (void(*)(nm_creds_t*))clear;
this->public.destroy = (void(*)(nm_creds_t*))destroy;
- pthread_rwlock_init(&this->lock, NULL);
+ this->lock = rwlock_create(RWLOCK_DEFAULT);
this->cert = NULL;
this->user = NULL;
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index fbc094a3b..f90bfa448 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -34,7 +34,7 @@ G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
* Private data of NMStrongswanPlugin
*/
typedef struct {
- bus_listener_t listener;
+ listener_t listener;
ike_sa_t *ike_sa;
NMVPNPlugin *plugin;
nm_creds_t *creds;
@@ -45,109 +45,88 @@ typedef struct {
NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
/**
- * convert a traffic selector address range to subnet and its mask.
+ * signal IPv4 config to NM, set connection as established
*/
-static u_int ts2subnet(traffic_selector_t* ts, u_int8_t *mask)
+static void signal_ipv4_config(NMVPNPlugin *plugin,
+ ike_sa_t *ike_sa, child_sa_t *child_sa)
{
- /* there is no way to do this cleanly, as the address range may
- * be anything else but a subnet. We use from_addr as subnet
- * and try to calculate a usable subnet mask.
- */
- int byte, bit, net;
- bool found = FALSE;
- chunk_t from, to;
- size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+ GValue *val;
+ GHashTable *config;
+ host_t *me, *other;
- from = ts->get_from_address(ts);
- to = ts->get_to_address(ts);
+ config = g_hash_table_new(g_str_hash, g_str_equal);
+ me = ike_sa->get_my_host(ike_sa);
+ other = ike_sa->get_other_host(ike_sa);
- *mask = (size * 8);
- /* go trough all bits of the addresses, beginning in the front.
- * as long as they are equal, the subnet gets larger
- */
- for (byte = 0; byte < size; byte++)
- {
- for (bit = 7; bit >= 0; bit--)
- {
- if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
- {
- *mask = ((7 - bit) + (byte * 8));
- found = TRUE;
- break;
- }
- }
- if (found)
- {
- break;
- }
- }
- net = *(u_int32_t*)from.ptr;
- chunk_free(&from);
- chunk_free(&to);
- return net;
+ /* NM requires a tundev, but netkey does not use one. Passing an invalid
+ * iface makes NM complain, but it accepts it without fiddling on eth0. */
+ val = g_slice_new0 (GValue);
+ g_value_init (val, G_TYPE_STRING);
+ g_value_set_string (val, "none");
+ g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
+
+ val = g_slice_new0(GValue);
+ g_value_init(val, G_TYPE_UINT);
+ g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
+ g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
+
+ val = g_slice_new0(GValue);
+ g_value_init(val, G_TYPE_UINT);
+ g_value_set_uint(val, me->get_address(me).len * 8);
+ g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
+
+ nm_vpn_plugin_set_ip4_config(plugin, config);
}
/**
- * signal IPv4 config to NM, set connection as established
+ * signal failure to NM, connecting failed
*/
-static void signal_ipv4_config(NMVPNPlugin *plugin, child_sa_t *child_sa)
+static void signal_failure(NMVPNPlugin *plugin)
{
- linked_list_t *list;
- traffic_selector_t *ts = NULL;
- enumerator_t *enumerator;
+ /* TODO: NM does not handle this failure!?
+ nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); */
+ nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
+}
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
+ ike_sa_state_t state)
+{
+ NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
- list = child_sa->get_traffic_selectors(child_sa, FALSE);
- enumerator = list->create_enumerator(list);
- while (enumerator->enumerate(enumerator, &ts))
+ if (private->ike_sa == ike_sa)
{
- GValue *val;
- GHashTable *config;
- u_int8_t mask;
-
- config = g_hash_table_new(g_str_hash, g_str_equal);
-
- val = g_slice_new0(GValue);
- g_value_init(val, G_TYPE_UINT);
- g_value_set_uint(val, ts2subnet(ts, &mask));
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
-
- val = g_slice_new0(GValue);
- g_value_init(val, G_TYPE_UINT);
- g_value_set_uint(val, mask);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
-
- nm_vpn_plugin_set_ip4_config(plugin, config);
+ switch (state)
+ {
+ case IKE_DESTROYING:
+ signal_failure(private->plugin);
+ return FALSE;
+ default:
+ break;
+ }
}
- enumerator->destroy(enumerator);
+ return TRUE;
}
/**
- * Bus listen function to wait for SA establishing
+ * Implementation of listener_t.child_state_change
*/
-bool listen_bus(bus_listener_t *listener, signal_t signal, level_t level,
- int thread, ike_sa_t *ike_sa, void *data,
- char* format, va_list args)
+static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
+ child_sa_t *child_sa, child_sa_state_t state)
{
NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-
+
if (private->ike_sa == ike_sa)
{
- switch (signal)
+ switch (state)
{
- case CHD_UP_SUCCESS:
- if (data)
- {
- signal_ipv4_config(private->plugin, (child_sa_t*)data);
- return FALSE;
- }
- /* FALL */
- case IKE_UP_FAILED:
- case CHD_UP_FAILED:
- /* TODO: NM does not handle this failure!?
- nm_vpn_plugin_failure(private->plugin,
- NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); */
- nm_vpn_plugin_set_state(private->plugin,
- NM_VPN_SERVICE_STATE_STOPPED);
+ case CHILD_INSTALLED:
+ signal_ipv4_config(private->plugin, ike_sa, child_sa);
+ return FALSE;
+ case CHILD_DESTROYING:
+ signal_failure(private->plugin);
return FALSE;
default:
break;
@@ -462,8 +441,13 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
*/
static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
{
- NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->plugin = NM_VPN_PLUGIN(plugin);
- NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener.signal = listen_bus;
+ NMStrongswanPluginPrivate *private;
+
+ private = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+ private->plugin = NM_VPN_PLUGIN(plugin);
+ memset(&private->listener.log, 0, sizeof(listener_t));
+ private->listener.ike_state_change = ike_state_change;
+ private->listener.child_state_change = child_state_change;
}
/**
diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c
index 0870cad4c..237e9d86a 100644
--- a/src/charon/plugins/smp/smp.c
+++ b/src/charon/plugins/smp/smp.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: smp.c 4358 2008-09-25 13:56:23Z tobias $
+ * $Id: smp.c 4446 2008-10-15 12:24:44Z martin $
*/
#include <stdlib.h>
@@ -181,19 +181,13 @@ static void write_childend(xmlTextWriterPtr writer, child_sa_t *child, bool loca
*/
static void write_child(xmlTextWriterPtr writer, child_sa_t *child)
{
- ipsec_mode_t mode;
- encryption_algorithm_t encr;
- integrity_algorithm_t int_algo;
- size_t encr_len, int_len;
- u_int32_t rekey, use_in, use_out, use_fwd;
child_cfg_t *config;
config = child->get_config(child);
- child->get_stats(child, &mode, &encr, &encr_len, &int_algo, &int_len,
- &rekey, &use_in, &use_out, &use_fwd);
xmlTextWriterStartElement(writer, "childsa");
- xmlTextWriterWriteFormatElement(writer, "reqid", "%d", child->get_reqid(child));
+ xmlTextWriterWriteFormatElement(writer, "reqid", "%d",
+ child->get_reqid(child));
xmlTextWriterWriteFormatElement(writer, "childconfig", "%s",
config->get_name(config));
xmlTextWriterStartElement(writer, "local");
@@ -359,15 +353,15 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
/**
* callback which logs to a XML writer
*/
-static bool xml_callback(xmlTextWriterPtr writer, signal_t signal, level_t level,
- ike_sa_t* ike_sa, void *data, char* format, va_list args)
+static bool xml_callback(xmlTextWriterPtr writer, debug_t group, level_t level,
+ ike_sa_t* ike_sa, char* format, va_list args)
{
if (level <= 1)
{
/* <item> */
xmlTextWriterStartElement(writer, "item");
xmlTextWriterWriteFormatAttribute(writer, "level", "%d", level);
- xmlTextWriterWriteFormatAttribute(writer, "source", "%N", signal_names, signal);
+ xmlTextWriterWriteFormatAttribute(writer, "source", "%N", debug_names, group);
xmlTextWriterWriteFormatAttribute(writer, "thread", "%u", pthread_self());
xmlTextWriterWriteVFormatString(writer, format, args);
xmlTextWriterEndElement(writer);
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index b3ad72ab2..8f5dc54dd 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -36,14 +36,6 @@ database_t *db;
host_t *start = NULL, *end = NULL;
/**
- * create a host from a blob
- */
-static host_t *host_create_from_blob(chunk_t blob)
-{
- return host_create_from_chunk(blob.len == 4 ? AF_INET : AF_INET6, blob, 0);
-}
-
-/**
* calculate the size of a pool using start and end address chunk
*/
static u_int get_pool_size(chunk_t start, chunk_t end)
@@ -132,8 +124,8 @@ static void status(void)
found = TRUE;
}
- start = host_create_from_blob(start_chunk);
- end = host_create_from_blob(end_chunk);
+ start = host_create_from_chunk(AF_UNSPEC, start_chunk, 0);
+ end = host_create_from_chunk(AF_UNSPEC, end_chunk, 0);
size = get_pool_size(start_chunk, end_chunk);
printf("%8s %15H %15H ", name, start, end);
if (timeout)
@@ -541,7 +533,7 @@ static void leases(char *filter, bool utc)
printf("%-8s %-15s %-7s %-*s %-*s %s\n",
"name", "address", "status", len, "start", len, "end", "identity");
}
- address = host_create_from_blob(address_chunk);
+ address = host_create_from_chunk(AF_UNSPEC, address_chunk, 0);
identity = identification_create_from_encoding(identity_type, identity_chunk);
printf("%-8s %-15H ", name, address);
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index 1e5c28966..486a432ca 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -17,6 +17,8 @@
#include "sql_attribute.h"
+#include <time.h>
+
#include <daemon.h>
typedef struct private_sql_attribute_t private_sql_attribute_t;
@@ -43,22 +45,6 @@ struct private_sql_attribute_t {
};
/**
- * read a host_t address from the addresses table
- */
-static host_t *host_from_chunk(chunk_t chunk)
-{
- switch (chunk.len)
- {
- case 4:
- return host_create_from_chunk(AF_INET, chunk, 0);
- case 16:
- return host_create_from_chunk(AF_INET6, chunk, 0);
- default:
- return NULL;
- }
-}
-
-/**
* lookup/insert an identity
*/
static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
@@ -143,7 +129,7 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
"WHERE id = ? AND identity = ? AND released != 0",
DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
{
- host = host_from_chunk(address);
+ host = host_create_from_chunk(AF_UNSPEC, address, 0);
if (host)
{
DBG1(DBG_CFG, "acquired existing lease "
@@ -175,7 +161,7 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
DB_UINT, now, DB_UINT, identity,
DB_UINT, id, DB_UINT, now - timeout) > 0)
{
- host = host_from_chunk(address);
+ host = host_create_from_chunk(AF_UNSPEC, address, 0);
if (host)
{
DBG1(DBG_CFG, "acquired new lease "
diff --git a/src/charon/plugins/sql/sql_logger.c b/src/charon/plugins/sql/sql_logger.c
index 6a87f9f1d..4cbaaa3e6 100644
--- a/src/charon/plugins/sql/sql_logger.c
+++ b/src/charon/plugins/sql/sql_logger.c
@@ -49,13 +49,11 @@ struct private_sql_logger_t {
bool recursive;
};
-
/**
- * Implementation of bus_listener_t.signal.
+ * Implementation of bus_listener_t.log.
*/
-static bool signal_(private_sql_logger_t *this, signal_t signal, level_t level,
- int thread, ike_sa_t* ike_sa, void *data,
- char *format, va_list args)
+static bool log_(private_sql_logger_t *this, debug_t group, level_t level,
+ int thread, ike_sa_t* ike_sa, char *format, va_list args)
{
if (this->recursive)
{
@@ -111,7 +109,7 @@ static bool signal_(private_sql_logger_t *this, signal_t signal, level_t level,
DB_BLOB, remote_host->get_address(remote_host));
this->db->execute(this->db, NULL, "INSERT INTO logs ("
"local_spi, signal, level, msg) VALUES (?, ?, ?, ?)",
- DB_BLOB, local_spi, DB_INT, signal, DB_INT, level,
+ DB_BLOB, local_spi, DB_INT, group, DB_INT, level,
DB_TEXT, buffer);
}
this->recursive = FALSE;
@@ -134,7 +132,8 @@ sql_logger_t *sql_logger_create(database_t *db)
{
private_sql_logger_t *this = malloc_thing(private_sql_logger_t);
- this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,void*,char*,va_list))signal_;
+ memset(&this->public.listener, 0, sizeof(listener_t));
+ this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
this->public.destroy = (void(*)(sql_logger_t*))destroy;
this->db = db;
diff --git a/src/charon/plugins/sql/sql_logger.h b/src/charon/plugins/sql/sql_logger.h
index 30507bcaf..a2c6fb5e9 100644
--- a/src/charon/plugins/sql/sql_logger.h
+++ b/src/charon/plugins/sql/sql_logger.h
@@ -36,7 +36,7 @@ struct sql_logger_t {
/**
* Implements bus_listener_t interface
*/
- bus_listener_t listener;
+ listener_t listener;
/**
* Destry the backend.
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index 8569f49c3..54356436f 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -16,12 +16,10 @@
* $Id$
*/
-#define _GNU_SOURCE
-#include <pthread.h>
-
#include "stroke_ca.h"
#include "stroke_cred.h"
+#include <utils/mutex.h>
#include <utils/linked_list.h>
#include <crypto/hashers/hasher.h>
@@ -42,7 +40,7 @@ struct private_stroke_ca_t {
/**
* read-write lock to lists
*/
- pthread_rwlock_t lock;
+ rwlock_t *lock;
/**
* list of starters CA sections and its certificates (ca_section_t)
@@ -136,7 +134,7 @@ typedef struct {
*/
static void cdp_data_destroy(cdp_data_t *data)
{
- pthread_rwlock_unlock(&data->this->lock);
+ data->this->lock->unlock(data->this->lock);
free(data);
}
@@ -236,7 +234,7 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
data->type = type;
data->id = id;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_nested(this->sections->create_enumerator(this->sections),
(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
data, (void*)cdp_data_destroy);
@@ -278,9 +276,9 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
{
ca->certuribase = strdup(msg->add_ca.certuribase);
}
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
this->sections->insert_last(this->sections, ca);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
}
}
@@ -293,7 +291,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
enumerator_t *enumerator;
ca_section_t *ca = NULL;
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
enumerator = this->sections->create_enumerator(this->sections);
while (enumerator->enumerate(enumerator, &ca))
{
@@ -305,7 +303,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
ca = NULL;
}
enumerator->destroy(enumerator);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
if (ca == NULL)
{
DBG1(DBG_CFG, "no ca named '%s' found\n", msg->del_ca.name);
@@ -356,7 +354,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
return;
}
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
enumerator = this->sections->create_enumerator(this->sections);
while (enumerator->enumerate(enumerator, (void**)&section))
{
@@ -372,7 +370,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
}
}
enumerator->destroy(enumerator);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
hasher->destroy(hasher);
}
@@ -386,7 +384,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
ca_section_t *section;
enumerator_t *enumerator;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
enumerator = this->sections->create_enumerator(this->sections);
while (enumerator->enumerate(enumerator, (void**)&section))
{
@@ -419,7 +417,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
}
}
enumerator->destroy(enumerator);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
}
/**
@@ -428,7 +426,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
static void destroy(private_stroke_ca_t *this)
{
this->sections->destroy_function(this->sections, (void*)ca_section_destroy);
- pthread_rwlock_destroy(&this->lock);
+ this->lock->destroy(this->lock);
free(this);
}
@@ -451,7 +449,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
this->public.destroy = (void(*)(stroke_ca_t*))destroy;
this->sections = linked_list_create();
- pthread_rwlock_init(&this->lock, NULL);
+ this->lock = rwlock_create(RWLOCK_DEFAULT);
this->cred = cred;
return &this->public;
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index f10fe2051..cb91ecb72 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -19,6 +19,7 @@
#include <daemon.h>
#include <utils/mutex.h>
+#include <utils/lexparser.h>
typedef struct private_stroke_config_t private_stroke_config_t;
@@ -774,7 +775,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp);
-
+ child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
+ msg->add_conn.install_policy);
add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
index ed9dd7b16..08d50519c 100644
--- a/src/charon/plugins/stroke/stroke_control.c
+++ b/src/charon/plugins/stroke/stroke_control.c
@@ -55,8 +55,8 @@ struct stroke_log_info_t {
/**
* logging to the stroke interface
*/
-static bool stroke_log(stroke_log_info_t *info, signal_t signal, level_t level,
- ike_sa_t *ike_sa, void *data, char *format, va_list args)
+static bool stroke_log(stroke_log_info_t *info, debug_t group, level_t level,
+ ike_sa_t *ike_sa, char *format, va_list args)
{
if (level <= info->level)
{
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index c699a083e..23a6f99b0 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -15,8 +15,6 @@
* $Id$
*/
-#define _GNU_SOURCE
-#include <pthread.h>
#include <sys/stat.h>
#include <limits.h>
@@ -28,6 +26,7 @@
#include <credentials/certificates/ac.h>
#include <utils/linked_list.h>
#include <utils/lexparser.h>
+#include <utils/mutex.h>
#include <asn1/pem.h>
#include <daemon.h>
@@ -73,7 +72,7 @@ struct private_stroke_cred_t {
/**
* read-write lock to lists
*/
- pthread_rwlock_t lock;
+ rwlock_t *lock;
/**
* cache CRLs to disk?
@@ -94,7 +93,7 @@ typedef struct {
*/
static void id_data_destroy(id_data_t *data)
{
- pthread_rwlock_unlock(&data->this->lock);
+ data->this->lock->unlock(data->this->lock);
free(data);
}
@@ -140,7 +139,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
data->this = this;
data->id = id;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_filter(this->private->create_enumerator(this->private),
(void*)private_filter, data,
(void*)id_data_destroy);
@@ -241,7 +240,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
data->this = this;
data->id = id;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_filter(this->certs->create_enumerator(this->certs),
(cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter,
data, (void*)id_data_destroy);
@@ -254,7 +253,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
data->this = this;
data->id = id;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_filter(this->certs->create_enumerator(this->certs),
(void*)certs_filter, data,
(void*)id_data_destroy);
@@ -272,7 +271,7 @@ typedef struct {
*/
static void shared_data_destroy(shared_data_t *data)
{
- pthread_rwlock_unlock(&data->this->lock);
+ data->this->lock->unlock(data->this->lock);
free(data);
}
@@ -324,7 +323,7 @@ static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
data->me = me;
data->other = other;
data->type = type;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_filter(this->shared->create_enumerator(this->shared),
(void*)shared_filter, data,
(void*)shared_data_destroy);
@@ -339,7 +338,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
enumerator_t *enumerator;
bool new = TRUE;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
enumerator = this->certs->create_enumerator(this->certs);
while (enumerator->enumerate(enumerator, (void**)&current))
{
@@ -358,7 +357,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
{
this->certs->insert_last(this->certs, cert);
}
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
return cert;
}
@@ -400,7 +399,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
enumerator_t *enumerator;
bool new = TRUE, found = FALSE;
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
enumerator = this->certs->create_enumerator(this->certs);
while (enumerator->enumerate(enumerator, (void**)&current))
{
@@ -448,7 +447,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
{
this->certs->insert_last(this->certs, cert);
}
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
return new;
}
@@ -459,9 +458,9 @@ static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
{
certificate_t *cert = &ac->certificate;
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
this->certs->insert_last(this->certs, cert);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
return TRUE;
}
@@ -698,7 +697,7 @@ static void load_secrets(private_stroke_cred_t *this)
fclose(fd);
src = chunk;
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
while (this->shared->remove_last(this->shared,
(void**)&shared) == SUCCESS)
{
@@ -868,7 +867,7 @@ static void load_secrets(private_stroke_cred_t *this)
}
}
error:
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
chunk_clear(&chunk);
}
@@ -949,7 +948,7 @@ static void destroy(private_stroke_cred_t *this)
this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy));
this->private->destroy_offset(this->private, offsetof(private_key_t, destroy));
- pthread_rwlock_destroy(&this->lock);
+ this->lock->destroy(this->lock);
free(this);
}
@@ -974,7 +973,7 @@ stroke_cred_t *stroke_cred_create()
this->certs = linked_list_create();
this->shared = linked_list_create();
this->private = linked_list_create();
- pthread_rwlock_init(&this->lock, NULL);
+ this->lock = rwlock_create(RWLOCK_DEFAULT);
load_certs(this);
load_secrets(this);
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index d531dca47..7d0ad4557 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -17,6 +17,8 @@
#include "stroke_list.h"
+#include <time.h>
+
#include <daemon.h>
#include <utils/linked_list.h>
#include <credentials/certificates/x509.h>
@@ -79,25 +81,32 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
if (all)
{
- char *ike_proposal = ike_sa->get_proposal(ike_sa);
-
+ proposal_t *ike_proposal;
+
+ ike_proposal = ike_sa->get_proposal(ike_sa);
+
fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
-
-
+
+
if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
{
- u_int32_t rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY_TIME);
- u_int32_t reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH_TIME);
-
+ u_int32_t rekey, reauth, now;
+
+ now = time(NULL);
+ rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
+ reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
+
if (rekey)
{
+ rekey -= now;
fprintf(out, ", rekeying in %V", &rekey);
}
if (reauth)
{
+ reauth -= now;
fprintf(out, ", %N reauthentication in %V", auth_class_names,
get_auth_class(ike_sa->get_peer_cfg(ike_sa)), &reauth);
}
@@ -107,13 +116,16 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
}
}
fprintf(out, "\n");
-
+
if (ike_proposal)
{
+ char buf[BUF_LEN];
+
+ snprintf(buf, BUF_LEN, "%P", ike_proposal);
fprintf(out, "%12s[%d]: IKE proposal: %s\n",
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
- ike_proposal);
- }
+ buf+4);
+ }
}
}
@@ -123,68 +135,67 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
u_int32_t rekey, now = time(NULL);
- u_int32_t use_in, use_out, use_fwd;
- encryption_algorithm_t encr_alg;
- integrity_algorithm_t int_alg;
- size_t encr_len, int_len;
- ipsec_mode_t mode;
-
- child_sa->get_stats(child_sa, &mode, &encr_alg, &encr_len,
- &int_alg, &int_len, &rekey, &use_in, &use_out,
- &use_fwd);
+ u_int32_t use_in, use_out;
+ proposal_t *proposal;
+ child_cfg_t *config = child_sa->get_config(child_sa);
- fprintf(out, "%12s{%d}: %N, %N",
+ fprintf(out, "%12s{%d}: %N, %N%s",
child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
child_sa_state_names, child_sa->get_state(child_sa),
- ipsec_mode_names, mode);
+ ipsec_mode_names, child_sa->get_mode(child_sa),
+ config->use_proxy_mode(config) ? "_PROXY" : "");
if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
{
- u_int16_t my_cpi = child_sa->get_cpi(child_sa, TRUE);
- u_int16_t other_cpi = child_sa->get_cpi(child_sa, FALSE);
-
- fprintf(out, ", %N SPIs: %.8x_i %.8x_o",
+ fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o",
protocol_id_names, child_sa->get_protocol(child_sa),
+ child_sa->has_encap(child_sa) ? " in UDP" : "",
ntohl(child_sa->get_spi(child_sa, TRUE)),
ntohl(child_sa->get_spi(child_sa, FALSE)));
-
- /* Is IPCOMP activated ? */
- if (my_cpi && other_cpi)
+
+ if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
{
fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
- ntohs(my_cpi), ntohs(other_cpi));
+ ntohs(child_sa->get_cpi(child_sa, TRUE)),
+ ntohs(child_sa->get_cpi(child_sa, FALSE)));
}
-
+
if (all)
{
fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa),
child_sa->get_reqid(child_sa));
-
- if (child_sa->get_protocol(child_sa) == PROTO_ESP)
+ proposal = child_sa->get_proposal(child_sa);
+ if (proposal)
{
- fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+ u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
+ u_int16_t encr_size = 0, int_size = 0;
- if (encr_len)
+ proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+ &encr_alg, &encr_size);
+ proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+ &int_alg, &int_size);
+
+ if (encr_alg != ENCR_UNDEFINED)
{
- fprintf(out, "-%d", encr_len);
+ fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+ if (encr_size)
+ {
+ fprintf(out, "-%d", encr_size);
+ }
}
if (int_alg != AUTH_UNDEFINED)
{
- fprintf(out, "/");
- }
- }
-
- if (int_alg != AUTH_UNDEFINED)
- {
- fprintf(out, "%N", integrity_algorithm_names, int_alg);
- if (int_len)
- {
- fprintf(out, "-%d", int_len);
+ fprintf(out, "/%N", integrity_algorithm_names, int_alg);
+ if (int_size)
+ {
+ fprintf(out, "-%d", int_size);
+ }
}
}
fprintf(out, ", rekeying ");
+ rekey = child_sa->get_lifetime(child_sa, FALSE);
if (rekey)
{
fprintf(out, "in %#V", &now, &rekey);
@@ -195,7 +206,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
}
fprintf(out, ", last use: ");
- use_in = max(use_in, use_fwd);
+ use_in = child_sa->get_usetime(child_sa, TRUE);
if (use_in)
{
fprintf(out, "%ds_i ", now - use_in);
@@ -204,6 +215,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
fprintf(out, "no_i ");
}
+ use_out = child_sa->get_usetime(child_sa, FALSE);
if (use_out)
{
fprintf(out, "%ds_o ", now - use_out);
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 175322aa8..8c4ab7804 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -25,6 +25,7 @@
#include <sys/fcntl.h>
#include <unistd.h>
#include <errno.h>
+#include <pthread.h>
#include <processing/jobs/callback_job.h>
#include <daemon.h>
@@ -336,9 +337,9 @@ static void stroke_purge(private_stroke_socket_t *this,
CERT_X509_OCSP_RESPONSE);
}
-signal_t get_signal_from_logtype(char *type)
+debug_t get_group_from_name(char *type)
{
- if (strcasecmp(type, "any") == 0) return SIG_ANY;
+ if (strcasecmp(type, "any") == 0) return DBG_ANY;
else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
@@ -354,29 +355,44 @@ signal_t get_signal_from_logtype(char *type)
/**
* set the verbosity debug output
*/
-static void stroke_loglevel(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+static void stroke_loglevel(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
{
- signal_t signal;
+ enumerator_t *enumerator;
+ sys_logger_t *sys_logger;
+ file_logger_t *file_logger;
+ debug_t group;
pop_string(msg, &(msg->loglevel.type));
DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
msg->loglevel.level, msg->loglevel.type);
- signal = get_signal_from_logtype(msg->loglevel.type);
- if (signal < 0)
+ group = get_group_from_name(msg->loglevel.type);
+ if (group < 0)
{
fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
return;
}
-
- charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level);
- charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
+ /* we set the loglevel on ALL sys- and file-loggers */
+ enumerator = charon->sys_loggers->create_enumerator(charon->sys_loggers);
+ while (enumerator->enumerate(enumerator, &sys_logger))
+ {
+ sys_logger->set_level(sys_logger, group, msg->loglevel.level);
+ }
+ enumerator->destroy(enumerator);
+ enumerator = charon->file_loggers->create_enumerator(charon->file_loggers);
+ while (enumerator->enumerate(enumerator, &file_logger))
+ {
+ file_logger->set_level(file_logger, group, msg->loglevel.level);
+ }
+ enumerator->destroy(enumerator);
}
/**
* set various config options
*/
-static void stroke_config(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+static void stroke_config(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
{
this->cred->cachecrl(this->cred, msg->config.cachecrl);
}
diff --git a/src/charon/plugins/unit_tester/tests/test_pool.c b/src/charon/plugins/unit_tester/tests/test_pool.c
index 5d5295bea..40334335d 100644
--- a/src/charon/plugins/unit_tester/tests/test_pool.c
+++ b/src/charon/plugins/unit_tester/tests/test_pool.c
@@ -15,6 +15,7 @@
#include <sys/time.h>
#include <time.h>
+#include <pthread.h>
#include <library.h>
#include <daemon.h>
diff --git a/src/charon/plugins/updown/Makefile.am b/src/charon/plugins/updown/Makefile.am
new file mode 100644
index 000000000..de60d9fbf
--- /dev/null
+++ b/src/charon/plugins/updown/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-updown.la
+libstrongswan_updown_la_SOURCES = \
+ updown_plugin.h updown_plugin.c \
+ updown_listener.h updown_listener.c
+libstrongswan_updown_la_LDFLAGS = -module
+
+
diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in
new file mode 100644
index 000000000..603000a09
--- /dev/null
+++ b/src/charon/plugins/updown/Makefile.in
@@ -0,0 +1,501 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/updown
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_updown_la_LIBADD =
+am_libstrongswan_updown_la_OBJECTS = updown_plugin.lo \
+ updown_listener.lo
+libstrongswan_updown_la_OBJECTS = \
+ $(am_libstrongswan_updown_la_OBJECTS)
+libstrongswan_updown_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_updown_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_updown_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_updown_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-updown.la
+libstrongswan_updown_la_SOURCES = \
+ updown_plugin.h updown_plugin.c \
+ updown_listener.h updown_listener.c
+
+libstrongswan_updown_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/updown/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/charon/plugins/updown/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES)
+ $(libstrongswan_updown_la_LINK) -rpath $(plugindir) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c
new file mode 100644
index 000000000..7dfb874cb
--- /dev/null
+++ b/src/charon/plugins/updown/updown_listener.c
@@ -0,0 +1,320 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#include "updown_listener.h"
+
+#include <daemon.h>
+#include <config/child_cfg.h>
+
+typedef struct private_updown_listener_t private_updown_listener_t;
+
+/**
+ * Private data of an updown_listener_t object.
+ */
+struct private_updown_listener_t {
+
+ /**
+ * Public updown_listener_t interface.
+ */
+ updown_listener_t public;
+
+ /**
+ * List of cached interface names
+ */
+ linked_list_t *iface_cache;
+};
+
+typedef struct cache_entry_t cache_entry_t;
+
+/**
+ * Cache line in the interface name cache.
+ */
+struct cache_entry_t {
+ /** requid of the CHILD_SA */
+ u_int32_t reqid;
+ /** cached interface name */
+ char *iface;
+};
+
+/**
+ * Insert an interface name to the cache
+ */
+static void cache_iface(private_updown_listener_t *this, u_int32_t reqid,
+ char *iface)
+{
+ cache_entry_t *entry = malloc_thing(cache_entry_t);
+
+ entry->reqid = reqid;
+ entry->iface = strdup(iface);
+
+ this->iface_cache->insert_first(this->iface_cache, entry);
+}
+
+/**
+ * Remove a cached interface name and return it.
+ */
+static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid)
+{
+ enumerator_t *enumerator;
+ cache_entry_t *entry;
+ char *iface = NULL;
+
+ enumerator = this->iface_cache->create_enumerator(this->iface_cache);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->reqid == reqid)
+ {
+ this->iface_cache->remove_at(this->iface_cache, enumerator);
+ iface = entry->iface;
+ free(entry);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return iface;
+}
+
+/**
+ * Run the up/down script
+ */
+static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
+ child_sa_t *child_sa, bool up)
+{
+ traffic_selector_t *my_ts, *other_ts;
+ enumerator_t *enumerator;
+ child_cfg_t *config;
+ host_t *vip, *me, *other;
+ char *script;
+
+ config = child_sa->get_config(child_sa);
+ vip = ike_sa->get_virtual_ip(ike_sa, TRUE);
+ script = config->get_updown(config);
+ me = ike_sa->get_my_host(ike_sa);
+ other = ike_sa->get_other_host(ike_sa);
+
+ if (script == NULL)
+ {
+ return;
+ }
+
+ enumerator = child_sa->create_policy_enumerator(child_sa);
+ while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+ {
+ char command[1024];
+ char *my_client, *other_client, *my_client_mask, *other_client_mask;
+ char *pos, *virtual_ip, *iface;
+ FILE *shell;
+
+ /* get subnet/bits from string */
+ if (asprintf(&my_client, "%R", my_ts) < 0)
+ {
+ my_client = NULL;
+ }
+ pos = strchr(my_client, '/');
+ *pos = '\0';
+ my_client_mask = pos + 1;
+ pos = strchr(my_client_mask, '[');
+ if (pos)
+ {
+ *pos = '\0';
+ }
+ if (asprintf(&other_client, "%R", other_ts) < 0)
+ {
+ other_client = NULL;
+ }
+ pos = strchr(other_client, '/');
+ *pos = '\0';
+ other_client_mask = pos + 1;
+ pos = strchr(other_client_mask, '[');
+ if (pos)
+ {
+ *pos = '\0';
+ }
+
+ if (vip)
+ {
+ if (asprintf(&virtual_ip, "PLUTO_MY_SOURCEIP='%H' ", vip) < 0)
+ {
+ virtual_ip = NULL;
+ }
+ }
+ else
+ {
+ if (asprintf(&virtual_ip, "") < 0)
+ {
+ virtual_ip = NULL;
+ }
+ }
+
+ if (up)
+ {
+ iface = charon->kernel_interface->get_interface(
+ charon->kernel_interface, me);
+ if (iface)
+ {
+ cache_iface(this, child_sa->get_reqid(child_sa), iface);
+ }
+ }
+ else
+ {
+ iface = uncache_iface(this, child_sa->get_reqid(child_sa));
+ }
+
+ /* build the command with all env variables.
+ * TODO: PLUTO_PEER_CA and PLUTO_NEXT_HOP are currently missing
+ */
+ snprintf(command, sizeof(command),
+ "2>&1 "
+ "PLUTO_VERSION='1.1' "
+ "PLUTO_VERB='%s%s%s' "
+ "PLUTO_CONNECTION='%s' "
+ "PLUTO_INTERFACE='%s' "
+ "PLUTO_REQID='%u' "
+ "PLUTO_ME='%H' "
+ "PLUTO_MY_ID='%D' "
+ "PLUTO_MY_CLIENT='%s/%s' "
+ "PLUTO_MY_CLIENT_NET='%s' "
+ "PLUTO_MY_CLIENT_MASK='%s' "
+ "PLUTO_MY_PORT='%u' "
+ "PLUTO_MY_PROTOCOL='%u' "
+ "PLUTO_PEER='%H' "
+ "PLUTO_PEER_ID='%D' "
+ "PLUTO_PEER_CLIENT='%s/%s' "
+ "PLUTO_PEER_CLIENT_NET='%s' "
+ "PLUTO_PEER_CLIENT_MASK='%s' "
+ "PLUTO_PEER_PORT='%u' "
+ "PLUTO_PEER_PROTOCOL='%u' "
+ "%s"
+ "%s"
+ "%s",
+ up ? "up" : "down",
+ my_ts->is_host(my_ts, me) ? "-host" : "-client",
+ me->get_family(me) == AF_INET ? "" : "-v6",
+ config->get_name(config),
+ iface ? iface : "unknown",
+ child_sa->get_reqid(child_sa),
+ me, ike_sa->get_my_id(ike_sa),
+ my_client, my_client_mask,
+ my_client, my_client_mask,
+ my_ts->get_from_port(my_ts),
+ my_ts->get_protocol(my_ts),
+ other, ike_sa->get_other_id(ike_sa),
+ other_client, other_client_mask,
+ other_client, other_client_mask,
+ other_ts->get_from_port(other_ts),
+ other_ts->get_protocol(other_ts),
+ virtual_ip,
+ config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
+ script);
+ free(my_client);
+ free(other_client);
+ free(virtual_ip);
+ free(iface);
+
+ DBG3(DBG_CHD, "running updown script: %s", command);
+ shell = popen(command, "r");
+
+ if (shell == NULL)
+ {
+ DBG1(DBG_CHD, "could not execute updown script '%s'", script);
+ return;
+ }
+
+ while (TRUE)
+ {
+ char resp[128];
+
+ if (fgets(resp, sizeof(resp), shell) == NULL)
+ {
+ if (ferror(shell))
+ {
+ DBG1(DBG_CHD, "error reading output from updown script");
+ return;
+ }
+ else
+ {
+ break;
+ }
+ }
+ else
+ {
+ char *e = resp + strlen(resp);
+ if (e > resp && e[-1] == '\n')
+ { /* trim trailing '\n' */
+ e[-1] = '\0';
+ }
+ DBG1(DBG_CHD, "updown: %s", resp);
+ }
+ }
+ pclose(shell);
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * Listener implementation
+ */
+static bool child_state_change(private_updown_listener_t *this, ike_sa_t *ike_sa,
+ child_sa_t *child_sa, child_sa_state_t state)
+{
+ child_sa_state_t old;
+
+ if (ike_sa)
+ {
+ old = child_sa->get_state(child_sa);
+
+ if ((old == CHILD_INSTALLED && state != CHILD_REKEYING ) ||
+ (old == CHILD_DELETING && state == CHILD_DESTROYING))
+ {
+ updown(this, ike_sa, child_sa, FALSE);
+ }
+ else if (state == CHILD_INSTALLED)
+ {
+ updown(this, ike_sa, child_sa, TRUE);
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * Implementation of updown_listener_t.destroy.
+ */
+static void destroy(private_updown_listener_t *this)
+{
+ this->iface_cache->destroy(this->iface_cache);
+ free(this);
+}
+
+/**
+ * See header
+ */
+updown_listener_t *updown_listener_create()
+{
+ private_updown_listener_t *this = malloc_thing(private_updown_listener_t);
+
+ memset(&this->public.listener, 0, sizeof(listener_t));
+ this->public.listener.child_state_change = (void*)child_state_change;
+ this->public.destroy = (void(*)(updown_listener_t*))destroy;
+
+ this->iface_cache = linked_list_create();
+
+ return &this->public;
+}
+
diff --git a/src/charon/plugins/updown/updown_listener.h b/src/charon/plugins/updown/updown_listener.h
new file mode 100644
index 000000000..569d5817e
--- /dev/null
+++ b/src/charon/plugins/updown/updown_listener.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup updown_listener updown_listener
+ * @{ @ingroup updown
+ */
+
+#ifndef UPDOWN_LISTENER_H_
+#define UPDOWN_LISTENER_H_
+
+#include <bus/bus.h>
+
+typedef struct updown_listener_t updown_listener_t;
+
+/**
+ * Listener which invokes the scripts on CHILD_SA up/down.
+ */
+struct updown_listener_t {
+
+ /**
+ * Implements listener_t.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy a updown_listener_t.
+ */
+ void (*destroy)(updown_listener_t *this);
+};
+
+/**
+ * Create a updown_listener instance.
+ */
+updown_listener_t *updown_listener_create();
+
+#endif /* UPDOWN_LISTENER_ @}*/
diff --git a/src/charon/plugins/updown/updown_plugin.c b/src/charon/plugins/updown/updown_plugin.c
new file mode 100644
index 000000000..2e5884222
--- /dev/null
+++ b/src/charon/plugins/updown/updown_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "updown_plugin.h"
+#include "updown_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_updown_plugin_t private_updown_plugin_t;
+
+/**
+ * private data of updown plugin
+ */
+struct private_updown_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ updown_plugin_t public;
+
+ /**
+ * Listener interface, listens to CHILD_SA state changes
+ */
+ updown_listener_t *listener;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_updown_plugin_t *this)
+{
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ this->listener->destroy(this->listener);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+ private_updown_plugin_t *this = malloc_thing(private_updown_plugin_t);
+
+ this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+ this->listener = updown_listener_create();
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+ return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/updown/updown_plugin.h b/src/charon/plugins/updown/updown_plugin.h
new file mode 100644
index 000000000..4d0a930c2
--- /dev/null
+++ b/src/charon/plugins/updown/updown_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup updown updown
+ * @ingroup cplugins
+ *
+ * @defgroup updown_plugin updown_plugin
+ * @{ @ingroup updown
+ */
+
+#ifndef UPDOWN_PLUGIN_H_
+#define UPDOWN_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct updown_plugin_t updown_plugin_t;
+
+/**
+ * Updown firewall script invocation plugin, compatible to pluto ones.
+ */
+struct updown_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a updown_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /* UPDOWN_PLUGIN_H_ @}*/