summaryrefslogtreecommitdiff
path: root/src/libcharon/plugins/kernel_pfkey
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcharon/plugins/kernel_pfkey')
-rw-r--r--src/libcharon/plugins/kernel_pfkey/Makefile.am19
-rw-r--r--src/libcharon/plugins/kernel_pfkey/Makefile.in782
-rw-r--r--src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c3094
-rw-r--r--src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h46
-rw-r--r--src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c80
-rw-r--r--src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h42
6 files changed, 4063 insertions, 0 deletions
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.am b/src/libcharon/plugins/kernel_pfkey/Makefile.am
new file mode 100644
index 000000000..8fdca93a5
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.am
@@ -0,0 +1,19 @@
+AM_CPPFLAGS = \
+ -I${linux_headers} \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+endif
+
+libstrongswan_kernel_pfkey_la_SOURCES = \
+ kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
new file mode 100644
index 000000000..f2876a272
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -0,0 +1,782 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/kernel_pfkey
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_pfkey_la_LIBADD =
+am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
+ kernel_pfkey_ipsec.lo
+libstrongswan_kernel_pfkey_la_OBJECTS = \
+ $(am_libstrongswan_kernel_pfkey_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfkey_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfkey_la_rpath =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+ -I${linux_headers} \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS)
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
+libstrongswan_kernel_pfkey_la_SOURCES = \
+ kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfkey_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ cscopelist-am ctags ctags-am distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-pdf \
+ install-pdf-am install-pluginLTLIBRARIES install-ps \
+ install-ps-am install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+ uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
new file mode 100644
index 000000000..d505f1c33
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -0,0 +1,3094 @@
+/*
+ * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+/*
+ * Copyright (C) 2014 Nanoteq Pty Ltd
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include <stdint.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#ifdef __FreeBSD__
+#include <limits.h> /* for LONG_MAX */
+#endif
+
+#ifdef HAVE_NET_PFKEYV2_H
+#include <net/pfkeyv2.h>
+#else
+#include <linux/pfkeyv2.h>
+#endif
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+#define HAVE_NATT
+#endif
+
+#ifdef HAVE_NETIPSEC_IPSEC_H
+#include <netipsec/ipsec.h>
+#elif defined(HAVE_NETINET6_IPSEC_H)
+#include <netinet6/ipsec.h>
+#else
+#include <linux/ipsec.h>
+#endif
+
+#ifdef HAVE_NATT
+#ifdef HAVE_LINUX_UDP_H
+#include <linux/udp.h>
+#else
+#include <netinet/udp.h>
+#endif /*HAVE_LINUX_UDP_H*/
+#endif /*HAVE_NATT*/
+
+#include <unistd.h>
+#include <time.h>
+#include <errno.h>
+#ifdef __APPLE__
+#include <sys/sysctl.h>
+#endif
+
+#include "kernel_pfkey_ipsec.h"
+
+#include <daemon.h>
+#include <utils/debug.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
+#include <threading/mutex.h>
+
+/** non linux specific */
+#ifndef IPPROTO_COMP
+#ifdef IPPROTO_IPCOMP
+#define IPPROTO_COMP IPPROTO_IPCOMP
+#endif
+#endif
+
+#ifndef SADB_X_AALG_SHA2_256HMAC
+#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
+#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
+#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
+#endif
+
+#ifndef SADB_X_EALG_AESCBC
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
+
+#ifndef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
+#endif
+
+#if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8)
+#define SADB_X_EALG_AES_GCM_ICV8 SADB_X_EALG_AESGCM8
+#define SADB_X_EALG_AES_GCM_ICV12 SADB_X_EALG_AESGCM12
+#define SADB_X_EALG_AES_GCM_ICV16 SADB_X_EALG_AESGCM16
+#endif
+
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+
+/** from linux/in.h */
+#ifndef IP_IPSEC_POLICY
+#define IP_IPSEC_POLICY 16
+#endif
+
+/** missing on uclibc */
+#ifndef IPV6_IPSEC_POLICY
+#define IPV6_IPSEC_POLICY 34
+#endif
+
+/* from linux/udp.h */
+#ifndef UDP_ENCAP
+#define UDP_ENCAP 100
+#endif
+
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif
+
+/* this is not defined on some platforms */
+#ifndef SOL_UDP
+#define SOL_UDP IPPROTO_UDP
+#endif
+
+/** base priority for installed policies */
+#define PRIO_BASE 384
+
+#ifdef __APPLE__
+/** from xnu/bsd/net/pfkeyv2.h */
+#define SADB_X_EXT_NATT 0x002
+ struct sadb_sa_2 {
+ struct sadb_sa sa;
+ u_int16_t sadb_sa_natt_port;
+ u_int16_t sadb_reserved0;
+ u_int32_t sadb_reserved1;
+ };
+#endif
+
+/** buffer size for PF_KEY messages */
+#define PFKEY_BUFFER_SIZE 4096
+
+/** PF_KEY messages are 64 bit aligned */
+#define PFKEY_ALIGNMENT 8
+/** aligns len to 64 bits */
+#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
+/** calculates the properly padded length in 64 bit chunks */
+#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
+/** calculates user mode length i.e. in bytes */
+#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
+
+/** given a PF_KEY message header and an extension this updates the length in the header */
+#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
+/** given a PF_KEY message header this returns a pointer to the next extension */
+#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
+/** copy an extension and append it to a PF_KEY message */
+#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
+/** given a PF_KEY extension this returns a pointer to the next extension */
+#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
+/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
+#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
+/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
+#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+ (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
+ (ext)->sadb_ext_len <= (len))
+
+typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
+
+/**
+ * Private variables and functions of kernel_pfkey class.
+ */
+struct private_kernel_pfkey_ipsec_t
+{
+ /**
+ * Public part of the kernel_pfkey_t object.
+ */
+ kernel_pfkey_ipsec_t public;
+
+ /**
+ * mutex to lock access to various lists
+ */
+ mutex_t *mutex;
+
+ /**
+ * List of installed policies (policy_entry_t)
+ */
+ linked_list_t *policies;
+
+ /**
+ * List of exclude routes (exclude_route_t)
+ */
+ linked_list_t *excludes;
+
+ /**
+ * Hash table of IPsec SAs using policies (ipsec_sa_t)
+ */
+ hashtable_t *sas;
+
+ /**
+ * whether to install routes along policies
+ */
+ bool install_routes;
+
+ /**
+ * mutex to lock access to the PF_KEY socket
+ */
+ mutex_t *mutex_pfkey;
+
+ /**
+ * PF_KEY socket to communicate with the kernel
+ */
+ int socket;
+
+ /**
+ * PF_KEY socket to receive acquire and expire events
+ */
+ int socket_events;
+
+ /**
+ * sequence number for messages sent to the kernel
+ */
+ int seq;
+};
+
+typedef struct exclude_route_t exclude_route_t;
+
+/**
+ * Exclude route definition
+ */
+struct exclude_route_t {
+ /** destination address of exclude */
+ host_t *dst;
+ /** source address for route */
+ host_t *src;
+ /** nexthop exclude has been installed */
+ host_t *gtw;
+ /** references to this route */
+ int refs;
+};
+
+/**
+ * clean up a route exclude entry
+ */
+static void exclude_route_destroy(exclude_route_t *this)
+{
+ this->dst->destroy(this->dst);
+ this->src->destroy(this->src);
+ this->gtw->destroy(this->gtw);
+ free(this);
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+ /** name of the interface the route is bound to */
+ char *if_name;
+
+ /** source ip of the route */
+ host_t *src_ip;
+
+ /** gateway for this route */
+ host_t *gateway;
+
+ /** destination net */
+ chunk_t dst_net;
+
+ /** destination net prefixlen */
+ u_int8_t prefixlen;
+
+ /** reference to exclude route, if any */
+ exclude_route_t *exclude;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+ free(this->if_name);
+ DESTROY_IF(this->src_ip);
+ DESTROY_IF(this->gateway);
+ chunk_free(&this->dst_net);
+ free(this);
+}
+
+/**
+ * compare two route_entry_t objects
+ */
+static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
+{
+ return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+ a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
+ a->gateway && b->gateway &&
+ a->gateway->ip_equals(a->gateway, b->gateway) &&
+ chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
+}
+
+typedef struct ipsec_sa_t ipsec_sa_t;
+
+/**
+ * IPsec SA assigned to a policy.
+ */
+struct ipsec_sa_t {
+ /** Source address of this SA */
+ host_t *src;
+
+ /** Destination address of this SA */
+ host_t *dst;
+
+ /** Description of this SA */
+ ipsec_sa_cfg_t cfg;
+
+ /** Reference count for this SA */
+ refcount_t refcount;
+};
+
+/**
+ * Hash function for ipsec_sa_t objects
+ */
+static u_int ipsec_sa_hash(ipsec_sa_t *sa)
+{
+ return chunk_hash_inc(sa->src->get_address(sa->src),
+ chunk_hash_inc(sa->dst->get_address(sa->dst),
+ chunk_hash(chunk_from_thing(sa->cfg))));
+}
+
+/**
+ * Equality function for ipsec_sa_t objects
+ */
+static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
+{
+ return sa->src->ip_equals(sa->src, other_sa->src) &&
+ sa->dst->ip_equals(sa->dst, other_sa->dst) &&
+ memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
+}
+
+/**
+ * Allocate or reference an IPsec SA object
+ */
+static ipsec_sa_t *ipsec_sa_create(private_kernel_pfkey_ipsec_t *this,
+ host_t *src, host_t *dst,
+ ipsec_sa_cfg_t *cfg)
+{
+ ipsec_sa_t *sa, *found;
+ INIT(sa,
+ .src = src,
+ .dst = dst,
+ .cfg = *cfg,
+ );
+ found = this->sas->get(this->sas, sa);
+ if (!found)
+ {
+ sa->src = src->clone(src);
+ sa->dst = dst->clone(dst);
+ this->sas->put(this->sas, sa, sa);
+ }
+ else
+ {
+ free(sa);
+ sa = found;
+ }
+ ref_get(&sa->refcount);
+ return sa;
+}
+
+/**
+ * Release and destroy an IPsec SA object
+ */
+static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this,
+ ipsec_sa_t *sa)
+{
+ if (ref_put(&sa->refcount))
+ {
+ this->sas->remove(this->sas, sa);
+ DESTROY_IF(sa->src);
+ DESTROY_IF(sa->dst);
+ free(sa);
+ }
+}
+
+typedef struct policy_sa_t policy_sa_t;
+typedef struct policy_sa_in_t policy_sa_in_t;
+
+/**
+ * Mapping between a policy and an IPsec SA.
+ */
+struct policy_sa_t {
+ /** Priority assigned to the policy when installed with this SA */
+ u_int32_t priority;
+
+ /** Type of the policy */
+ policy_type_t type;
+
+ /** Assigned SA */
+ ipsec_sa_t *sa;
+};
+
+/**
+ * For input policies we also cache the traffic selectors in order to install
+ * the route.
+ */
+struct policy_sa_in_t {
+ /** Generic interface */
+ policy_sa_t generic;
+
+ /** Source traffic selector of this policy */
+ traffic_selector_t *src_ts;
+
+ /** Destination traffic selector of this policy */
+ traffic_selector_t *dst_ts;
+};
+
+/**
+ * Create a policy_sa(_in)_t object
+ */
+static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
+ policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts, ipsec_sa_cfg_t *cfg)
+{
+ policy_sa_t *policy;
+
+ if (dir == POLICY_IN)
+ {
+ policy_sa_in_t *in;
+ INIT(in,
+ .src_ts = src_ts->clone(src_ts),
+ .dst_ts = dst_ts->clone(dst_ts),
+ );
+ policy = &in->generic;
+ }
+ else
+ {
+ INIT(policy, .priority = 0);
+ }
+ policy->type = type;
+ policy->sa = ipsec_sa_create(this, src, dst, cfg);
+ return policy;
+}
+
+/**
+ * Destroy a policy_sa(_in)_t object
+ */
+static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
+ private_kernel_pfkey_ipsec_t *this)
+{
+ if (*dir == POLICY_IN)
+ {
+ policy_sa_in_t *in = (policy_sa_in_t*)policy;
+ in->src_ts->destroy(in->src_ts);
+ in->dst_ts->destroy(in->dst_ts);
+ }
+ ipsec_sa_destroy(this, policy->sa);
+ free(policy);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+ /** Index assigned by the kernel */
+ u_int32_t index;
+
+ /** Direction of this policy: in, out, forward */
+ u_int8_t direction;
+
+ /** Parameters of installed policy */
+ struct {
+ /** Subnet and port */
+ host_t *net;
+ /** Subnet mask */
+ u_int8_t mask;
+ /** Protocol */
+ u_int8_t proto;
+ } src, dst;
+
+ /** Associated route installed for this policy */
+ route_entry_t *route;
+
+ /** List of SAs this policy is used by, ordered by priority */
+ linked_list_t *used_by;
+};
+
+/**
+ * Create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t dir)
+{
+ policy_entry_t *policy;
+ INIT(policy,
+ .direction = dir,
+ );
+ u_int16_t port;
+ u_int8_t proto;
+
+ src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
+ dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
+
+ /* src or dest proto may be "any" (0), use more restrictive one */
+ proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+ /* map the ports to ICMP type/code how the Linux kernel expects them, that
+ * is, type in src, code in dst */
+ if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
+ {
+ port = max(policy->src.net->get_port(policy->src.net),
+ policy->dst.net->get_port(policy->dst.net));
+ policy->src.net->set_port(policy->src.net,
+ traffic_selector_icmp_type(port));
+ policy->dst.net->set_port(policy->dst.net,
+ traffic_selector_icmp_code(port));
+ }
+ else if (!proto)
+ {
+ proto = IPSEC_PROTO_ANY;
+ }
+ policy->src.proto = policy->dst.proto = proto;
+
+ return policy;
+}
+
+/**
+ * Destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *policy,
+ private_kernel_pfkey_ipsec_t *this)
+{
+ if (policy->route)
+ {
+ route_entry_destroy(policy->route);
+ }
+ if (policy->used_by)
+ {
+ policy->used_by->invoke_function(policy->used_by,
+ (linked_list_invoke_t)policy_sa_destroy,
+ &policy->direction, this);
+ policy->used_by->destroy(policy->used_by);
+ }
+ DESTROY_IF(policy->src.net);
+ DESTROY_IF(policy->dst.net);
+ free(policy);
+}
+
+/**
+ * compares two policy_entry_t
+ */
+static inline bool policy_entry_equals(policy_entry_t *current,
+ policy_entry_t *policy)
+{
+ return current->direction == policy->direction &&
+ current->src.proto == policy->src.proto &&
+ current->dst.proto == policy->dst.proto &&
+ current->src.mask == policy->src.mask &&
+ current->dst.mask == policy->dst.mask &&
+ current->src.net->equals(current->src.net, policy->src.net) &&
+ current->dst.net->equals(current->dst.net, policy->dst.net);
+}
+
+/**
+ * compare the given kernel index with that of a policy
+ */
+static inline bool policy_entry_match_byindex(policy_entry_t *current,
+ u_int32_t *index)
+{
+ return current->index == *index;
+}
+
+/**
+ * Calculate the priority of a policy
+ */
+static inline u_int32_t get_priority(policy_entry_t *policy,
+ policy_priority_t prio)
+{
+ u_int32_t priority = PRIO_BASE;
+ switch (prio)
+ {
+ case POLICY_PRIORITY_FALLBACK:
+ priority <<= 1;
+ /* fall-through */
+ case POLICY_PRIORITY_ROUTED:
+ priority <<= 1;
+ /* fall-through */
+ case POLICY_PRIORITY_DEFAULT:
+ priority <<= 1;
+ /* fall-trough */
+ case POLICY_PRIORITY_PASS:
+ break;
+ }
+ /* calculate priority based on selector size, small size = high prio */
+ priority -= policy->src.mask;
+ priority -= policy->dst.mask;
+ priority <<= 2; /* make some room for the two flags */
+ priority += policy->src.net->get_port(policy->src.net) ||
+ policy->dst.net->get_port(policy->dst.net) ?
+ 0 : 2;
+ priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
+ return priority;
+}
+
+typedef struct pfkey_msg_t pfkey_msg_t;
+
+struct pfkey_msg_t
+{
+ /**
+ * PF_KEY message base
+ */
+ struct sadb_msg *msg;
+
+ /**
+ * PF_KEY message extensions
+ */
+ union {
+ struct sadb_ext *ext[SADB_EXT_MAX + 1];
+ struct {
+ struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
+ struct sadb_sa *sa; /* SADB_EXT_SA */
+ struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
+ struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
+ struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
+ struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
+ struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
+ struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
+ struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
+ struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
+ struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
+ struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
+ struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
+ struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
+ struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
+ struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
+ struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
+ struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
+ struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
+ struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
+ struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
+ struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
+ struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
+ struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
+ struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
+ struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
+ } __attribute__((__packed__));
+ };
+};
+
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
+ "SADB_EXT_RESERVED",
+ "SADB_EXT_SA",
+ "SADB_EXT_LIFETIME_CURRENT",
+ "SADB_EXT_LIFETIME_HARD",
+ "SADB_EXT_LIFETIME_SOFT",
+ "SADB_EXT_ADDRESS_SRC",
+ "SADB_EXT_ADDRESS_DST",
+ "SADB_EXT_ADDRESS_PROXY",
+ "SADB_EXT_KEY_AUTH",
+ "SADB_EXT_KEY_ENCRYPT",
+ "SADB_EXT_IDENTITY_SRC",
+ "SADB_EXT_IDENTITY_DST",
+ "SADB_EXT_SENSITIVITY",
+ "SADB_EXT_PROPOSAL",
+ "SADB_EXT_SUPPORTED_AUTH",
+ "SADB_EXT_SUPPORTED_ENCRYPT",
+ "SADB_EXT_SPIRANGE",
+ "SADB_X_EXT_KMPRIVATE",
+ "SADB_X_EXT_POLICY",
+ "SADB_X_EXT_SA2",
+ "SADB_X_EXT_NAT_T_TYPE",
+ "SADB_X_EXT_NAT_T_SPORT",
+ "SADB_X_EXT_NAT_T_DPORT",
+ "SADB_X_EXT_NAT_T_OA",
+ "SADB_X_EXT_SEC_CTX",
+ "SADB_X_EXT_KMADDRESS"
+);
+
+/**
+ * convert a protocol identifier to the PF_KEY sa type
+ */
+static u_int8_t proto2satype(u_int8_t proto)
+{
+ switch (proto)
+ {
+ case IPPROTO_ESP:
+ return SADB_SATYPE_ESP;
+ case IPPROTO_AH:
+ return SADB_SATYPE_AH;
+ case IPPROTO_COMP:
+ return SADB_X_SATYPE_IPCOMP;
+ default:
+ return proto;
+ }
+}
+
+/**
+ * convert a PF_KEY sa type to a protocol identifier
+ */
+static u_int8_t satype2proto(u_int8_t satype)
+{
+ switch (satype)
+ {
+ case SADB_SATYPE_ESP:
+ return IPPROTO_ESP;
+ case SADB_SATYPE_AH:
+ return IPPROTO_AH;
+ case SADB_X_SATYPE_IPCOMP:
+ return IPPROTO_COMP;
+ default:
+ return satype;
+ }
+}
+
+/**
+ * convert the general ipsec mode to the one defined in ipsec.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+ switch (mode)
+ {
+ case MODE_TRANSPORT:
+ return IPSEC_MODE_TRANSPORT;
+ case MODE_TUNNEL:
+ return IPSEC_MODE_TUNNEL;
+#ifdef HAVE_IPSEC_MODE_BEET
+ case MODE_BEET:
+ return IPSEC_MODE_BEET;
+#endif
+ default:
+ return mode;
+ }
+}
+
+/**
+ * convert the general policy direction to the one defined in ipsec.h
+ */
+static u_int8_t dir2kernel(policy_dir_t dir)
+{
+ switch (dir)
+ {
+ case POLICY_IN:
+ return IPSEC_DIR_INBOUND;
+ case POLICY_OUT:
+ return IPSEC_DIR_OUTBOUND;
+#ifdef HAVE_IPSEC_DIR_FWD
+ case POLICY_FWD:
+ return IPSEC_DIR_FWD;
+#endif
+ default:
+ return IPSEC_DIR_INVALID;
+ }
+}
+
+/**
+ * convert the policy type to the one defined in ipsec.h
+ */
+static inline u_int16_t type2kernel(policy_type_t type)
+{
+ switch (type)
+ {
+ case POLICY_IPSEC:
+ return IPSEC_POLICY_IPSEC;
+ case POLICY_PASS:
+ return IPSEC_POLICY_NONE;
+ case POLICY_DROP:
+ return IPSEC_POLICY_DISCARD;
+ }
+ return type;
+}
+
+#ifdef SADB_X_MIGRATE
+/**
+ * convert the policy direction in ipsec.h to the general one.
+ */
+static policy_dir_t kernel2dir(u_int8_t dir)
+{
+ switch (dir)
+ {
+ case IPSEC_DIR_INBOUND:
+ return POLICY_IN;
+ case IPSEC_DIR_OUTBOUND:
+ return POLICY_OUT;
+#ifdef HAVE_IPSEC_DIR_FWD
+ case IPSEC_DIR_FWD:
+ return POLICY_FWD;
+#endif
+ default:
+ return dir;
+ }
+}
+#endif /*SADB_X_MIGRATE*/
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKEv2 algorithms to PF_KEY algorithms
+ */
+struct kernel_algorithm_t {
+ /**
+ * Identifier specified in IKEv2
+ */
+ int ikev2;
+
+ /**
+ * Identifier as defined in pfkeyv2.h
+ */
+ int kernel;
+};
+
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+static kernel_algorithm_t encryption_algs[] = {
+/* {ENCR_DES_IV64, 0 }, */
+ {ENCR_DES, SADB_EALG_DESCBC },
+ {ENCR_3DES, SADB_EALG_3DESCBC },
+/* {ENCR_RC5, 0 }, */
+/* {ENCR_IDEA, 0 }, */
+ {ENCR_CAST, SADB_X_EALG_CASTCBC },
+ {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
+/* {ENCR_3IDEA, 0 }, */
+/* {ENCR_DES_IV32, 0 }, */
+ {ENCR_NULL, SADB_EALG_NULL },
+ {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
+#ifdef SADB_X_EALG_AESCTR
+ {ENCR_AES_CTR, SADB_X_EALG_AESCTR },
+#endif
+/* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
+/* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
+/* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
+#ifdef SADB_X_EALG_AES_GCM_ICV8 /* assume the others are defined too */
+ {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 },
+ {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 },
+ {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 },
+#endif
+#ifdef SADB_X_EALG_CAMELLIACBC
+ {ENCR_CAMELLIA_CBC, SADB_X_EALG_CAMELLIACBC },
+#endif
+ {END_OF_LIST, 0 },
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+static kernel_algorithm_t integrity_algs[] = {
+ {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
+ {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
+ {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
+ {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
+ {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
+/* {AUTH_DES_MAC, 0, }, */
+/* {AUTH_KPDK_MD5, 0, }, */
+#ifdef SADB_X_AALG_AES_XCBC_MAC
+ {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
+#endif
+ {END_OF_LIST, 0, },
+};
+
+/**
+ * Algorithms for IPComp, unused yet
+ */
+static kernel_algorithm_t compression_algs[] = {
+/* {IPCOMP_OUI, 0 }, */
+ {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
+#ifdef SADB_X_CALG_LZS
+ {IPCOMP_LZS, SADB_X_CALG_LZS },
+#endif
+#ifdef SADB_X_CALG_LZJH
+ {IPCOMP_LZJH, SADB_X_CALG_LZJH },
+#endif
+ {END_OF_LIST, 0 },
+};
+
+/**
+ * Look up a kernel algorithm ID and its key size
+ */
+static int lookup_algorithm(transform_type_t type, int ikev2)
+{
+ kernel_algorithm_t *list;
+ u_int16_t alg = 0;
+
+ switch (type)
+ {
+ case ENCRYPTION_ALGORITHM:
+ list = encryption_algs;
+ break;
+ case INTEGRITY_ALGORITHM:
+ list = integrity_algs;
+ break;
+ case COMPRESSION_ALGORITHM:
+ list = compression_algs;
+ break;
+ default:
+ return 0;
+ }
+ while (list->ikev2 != END_OF_LIST)
+ {
+ if (ikev2 == list->ikev2)
+ {
+ return list->kernel;
+ }
+ list++;
+ }
+ charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, &alg, NULL);
+ return alg;
+}
+
+/**
+ * Helper to set a port in a sockaddr_t, the port has to be in host order
+ */
+static void set_port(sockaddr_t *addr, u_int16_t port)
+{
+ switch (addr->sa_family)
+ {
+ case AF_INET:
+ {
+ struct sockaddr_in *sin = (struct sockaddr_in*)addr;
+ sin->sin_port = htons(port);
+ break;
+ }
+ case AF_INET6:
+ {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
+ sin6->sin6_port = htons(port);
+ break;
+ }
+ }
+}
+
+/**
+ * Copy a host_t as sockaddr_t to the given memory location.
+ * @return the number of bytes copied
+ */
+static size_t hostcpy(void *dest, host_t *host, bool include_port)
+{
+ sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
+ socklen_t *len = host->get_sockaddr_len(host);
+
+ memcpy(dest, addr, *len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+ dest_addr->sa_len = *len;
+#endif
+ if (!include_port)
+ {
+ set_port(dest_addr, 0);
+ }
+ return *len;
+}
+
+/**
+ * add a host to the given sadb_msg
+ */
+static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
+ u_int8_t proto, u_int8_t prefixlen, bool include_port)
+{
+ struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ size_t len;
+
+ addr->sadb_address_exttype = type;
+ addr->sadb_address_proto = proto;
+ addr->sadb_address_prefixlen = prefixlen;
+ len = hostcpy(addr + 1, host, include_port);
+ addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+ PFKEY_EXT_ADD(msg, addr);
+}
+
+/**
+ * adds an empty address extension to the given sadb_msg
+ */
+static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
+{
+ socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
+ sizeof(struct sockaddr_in6);
+ struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
+ addr->sadb_address_exttype = type;
+ sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
+ saddr->sa_family = family;
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+ saddr->sa_len = len;
+#endif
+ addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+ PFKEY_EXT_ADD(msg, addr);
+}
+
+#ifdef HAVE_NATT
+/**
+ * add udp encap extensions to a sadb_msg
+ */
+static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
+{
+ struct sadb_x_nat_t_type* nat_type;
+ struct sadb_x_nat_t_port* nat_port;
+
+ nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
+ nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+ nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(*nat_type));
+ nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+ PFKEY_EXT_ADD(msg, nat_type);
+
+ nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+ nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+ nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
+ nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
+ PFKEY_EXT_ADD(msg, nat_port);
+
+ nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
+ nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+ nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
+ nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
+ PFKEY_EXT_ADD(msg, nat_port);
+}
+#endif /*HAVE_NATT*/
+
+/**
+ * Convert a sadb_address to a traffic_selector
+ */
+static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
+{
+ traffic_selector_t *ts;
+ host_t *host;
+ u_int8_t proto;
+
+ proto = address->sadb_address_proto;
+ proto = proto == IPSEC_PROTO_ANY ? 0 : proto;
+
+ /* The Linux 2.6 kernel does not set the protocol and port information
+ * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
+ */
+ host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
+ ts = traffic_selector_create_from_subnet(host,
+ address->sadb_address_prefixlen,
+ proto, host->get_port(host),
+ host->get_port(host) ?: 65535);
+ return ts;
+}
+
+/**
+ * Parses a pfkey message received from the kernel
+ */
+static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
+{
+ struct sadb_ext* ext;
+ size_t len;
+
+ memset(out, 0, sizeof(pfkey_msg_t));
+ out->msg = msg;
+
+ len = msg->sadb_msg_len;
+ len -= PFKEY_LEN(sizeof(struct sadb_msg));
+
+ ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
+
+ while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
+ {
+ DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
+ if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
+ ext->sadb_ext_len > len)
+ {
+ DBG1(DBG_KNL, "length of %N extension is invalid",
+ sadb_ext_type_names, ext->sadb_ext_type);
+ break;
+ }
+
+ if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
+ {
+ DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid",
+ ext->sadb_ext_type);
+ break;
+ }
+
+ if (out->ext[ext->sadb_ext_type])
+ {
+ DBG1(DBG_KNL, "duplicate %N extension",
+ sadb_ext_type_names, ext->sadb_ext_type);
+ break;
+ }
+
+ out->ext[ext->sadb_ext_type] = ext;
+ ext = PFKEY_EXT_NEXT_LEN(ext, len);
+ }
+
+ if (len)
+ {
+ DBG1(DBG_KNL, "PF_KEY message length is invalid");
+ return FAILED;
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Send a message to a specific PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
+ struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
+{
+ unsigned char buf[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg;
+ int in_len, len;
+
+ this->mutex_pfkey->lock(this->mutex_pfkey);
+
+ /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
+ * in particular the behavior in response to an SADB_ACQUIRE. */
+ in->sadb_msg_seq = ++this->seq;
+ in->sadb_msg_pid = getpid();
+
+ in_len = PFKEY_USER_LEN(in->sadb_msg_len);
+
+ while (TRUE)
+ {
+ len = send(socket, in, in_len, 0);
+
+ if (len != in_len)
+ {
+ if (errno == EINTR)
+ {
+ /* interrupted, try again */
+ continue;
+ }
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ DBG1(DBG_KNL, "error sending to PF_KEY socket: %s",
+ strerror(errno));
+ return FAILED;
+ }
+ break;
+ }
+
+ while (TRUE)
+ {
+ msg = (struct sadb_msg*)buf;
+
+ len = recv(socket, buf, sizeof(buf), 0);
+
+ if (len < 0)
+ {
+ if (errno == EINTR)
+ {
+ DBG1(DBG_KNL, "got interrupted");
+ /* interrupted, try again */
+ continue;
+ }
+ DBG1(DBG_KNL, "error reading from PF_KEY socket: %s",
+ strerror(errno));
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
+ if (len < sizeof(struct sadb_msg) ||
+ msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+ {
+ DBG1(DBG_KNL, "received corrupted PF_KEY message");
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
+ if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+ {
+ DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY "
+ "message");
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
+ if (msg->sadb_msg_pid != in->sadb_msg_pid)
+ {
+ DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
+ continue;
+ }
+ if (msg->sadb_msg_seq != this->seq)
+ {
+ DBG2(DBG_KNL, "received PF_KEY message with unexpected sequence "
+ "number, was %d expected %d", msg->sadb_msg_seq,
+ this->seq);
+ if (msg->sadb_msg_seq == 0)
+ {
+ /* FreeBSD and Mac OS X do this for the response to
+ * SADB_X_SPDGET (but not for the response to SADB_GET).
+ * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
+ }
+ else if (msg->sadb_msg_seq < this->seq)
+ {
+ continue;
+ }
+ else
+ {
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
+ }
+ if (msg->sadb_msg_type != in->sadb_msg_type)
+ {
+ DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
+ "was %d expected %d, ignoring", msg->sadb_msg_type,
+ in->sadb_msg_type);
+ }
+ break;
+ }
+
+ *out_len = len;
+ *out = (struct sadb_msg*)malloc(len);
+ memcpy(*out, buf, len);
+
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return SUCCESS;
+}
+
+/**
+ * Send a message to the default PF_KEY socket and handle the response.
+ */
+static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
+ struct sadb_msg *in, struct sadb_msg **out,
+ size_t *out_len)
+{
+ return pfkey_send_socket(this, this->socket, in, out, out_len);
+}
+
+/**
+ * Process a SADB_ACQUIRE message from the kernel
+ */
+static void process_acquire(private_kernel_pfkey_ipsec_t *this,
+ struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ u_int32_t index, reqid = 0;
+ traffic_selector_t *src_ts, *dst_ts;
+ policy_entry_t *policy;
+ policy_sa_t *sa;
+
+ switch (msg->sadb_msg_satype)
+ {
+ case SADB_SATYPE_UNSPEC:
+ case SADB_SATYPE_ESP:
+ case SADB_SATYPE_AH:
+ break;
+ default:
+ /* acquire for AH/ESP only */
+ return;
+ }
+ DBG2(DBG_KNL, "received an SADB_ACQUIRE");
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
+ return;
+ }
+
+ index = response.x_policy->sadb_x_policy_id;
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_match_byindex,
+ (void**)&policy, &index) == SUCCESS &&
+ policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
+ {
+ reqid = sa->sa->cfg.reqid;
+ }
+ else
+ {
+ DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
+ "matching policy found", index);
+ }
+ this->mutex->unlock(this->mutex);
+
+ src_ts = sadb_address2ts(response.src);
+ dst_ts = sadb_address2ts(response.dst);
+
+ charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
+}
+
+/**
+ * Process a SADB_EXPIRE message from the kernel
+ */
+static void process_expire(private_kernel_pfkey_ipsec_t *this,
+ struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ u_int8_t protocol;
+ u_int32_t spi;
+ host_t *dst;
+ bool hard;
+
+ DBG2(DBG_KNL, "received an SADB_EXPIRE");
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
+ return;
+ }
+
+ protocol = satype2proto(msg->sadb_msg_satype);
+ spi = response.sa->sadb_sa_spi;
+ hard = response.lft_hard != NULL;
+
+ if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
+ {
+ dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
+ if (dst)
+ {
+ charon->kernel->expire(charon->kernel, protocol, spi, dst, hard);
+ dst->destroy(dst);
+ }
+ }
+}
+
+#ifdef SADB_X_MIGRATE
+/**
+ * Process a SADB_X_MIGRATE message from the kernel
+ */
+static void process_migrate(private_kernel_pfkey_ipsec_t *this,
+ struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ traffic_selector_t *src_ts, *dst_ts;
+ policy_dir_t dir;
+ u_int32_t reqid = 0;
+ host_t *local = NULL, *remote = NULL;
+
+ DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
+ return;
+ }
+ src_ts = sadb_address2ts(response.src);
+ dst_ts = sadb_address2ts(response.dst);
+ dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
+ DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
+ policy_dir_names, dir);
+
+ /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
+ if (response.x_kmaddress)
+ {
+ sockaddr_t *local_addr, *remote_addr;
+ u_int32_t local_len;
+
+ local_addr = (sockaddr_t*)&response.x_kmaddress[1];
+ local = host_create_from_sockaddr(local_addr);
+ local_len = (local_addr->sa_family == AF_INET6)?
+ sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
+ remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
+ remote = host_create_from_sockaddr(remote_addr);
+ DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
+ }
+
+ if (src_ts && dst_ts && local && remote)
+ {
+ charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
+ local, remote);
+ }
+ else
+ {
+ DESTROY_IF(src_ts);
+ DESTROY_IF(dst_ts);
+ DESTROY_IF(local);
+ DESTROY_IF(remote);
+ }
+}
+#endif /*SADB_X_MIGRATE*/
+
+#ifdef SADB_X_NAT_T_NEW_MAPPING
+/**
+ * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
+ */
+static void process_mapping(private_kernel_pfkey_ipsec_t *this,
+ struct sadb_msg* msg)
+{
+ pfkey_msg_t response;
+ u_int32_t spi;
+ sockaddr_t *sa;
+ host_t *dst, *new;
+
+ DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
+
+ if (parse_pfkey_message(msg, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
+ return;
+ }
+
+ if (!response.x_sa2)
+ {
+ DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
+ "information");
+ return;
+ }
+
+ spi = response.sa->sadb_sa_spi;
+
+ if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
+ {
+ return;
+ }
+
+ sa = (sockaddr_t*)(response.dst + 1);
+ dst = host_create_from_sockaddr(sa);
+ switch (sa->sa_family)
+ {
+ case AF_INET:
+ {
+ struct sockaddr_in *sin = (struct sockaddr_in*)sa;
+ sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+ break;
+ }
+ case AF_INET6:
+ {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
+ sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+ break;
+ }
+ default:
+ break;
+ }
+ if (dst)
+ {
+ new = host_create_from_sockaddr(sa);
+ if (new)
+ {
+ charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst, new);
+ new->destroy(new);
+ }
+ dst->destroy(dst);
+ }
+}
+#endif /*SADB_X_NAT_T_NEW_MAPPING*/
+
+/**
+ * Receives events from kernel
+ */
+static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd,
+ watcher_event_t event)
+{
+ unsigned char buf[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg = (struct sadb_msg*)buf;
+ int len;
+
+ len = recvfrom(this->socket_events, buf, sizeof(buf), MSG_DONTWAIT, NULL, 0);
+ if (len < 0)
+ {
+ switch (errno)
+ {
+ case EINTR:
+ /* interrupted, try again */
+ return TRUE;
+ case EAGAIN:
+ /* no data ready, select again */
+ return TRUE;
+ default:
+ DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
+ sleep(1);
+ return TRUE;
+ }
+ }
+
+ if (len < sizeof(struct sadb_msg) ||
+ msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
+ {
+ DBG2(DBG_KNL, "received corrupted PF_KEY message");
+ return TRUE;
+ }
+ if (msg->sadb_msg_pid != 0)
+ { /* not from kernel. not interested, try another one */
+ return TRUE;
+ }
+ if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
+ {
+ DBG1(DBG_KNL, "buffer was too small to receive the complete "
+ "PF_KEY message");
+ return TRUE;
+ }
+
+ switch (msg->sadb_msg_type)
+ {
+ case SADB_ACQUIRE:
+ process_acquire(this, msg);
+ break;
+ case SADB_EXPIRE:
+ process_expire(this, msg);
+ break;
+#ifdef SADB_X_MIGRATE
+ case SADB_X_MIGRATE:
+ process_migrate(this, msg);
+ break;
+#endif /*SADB_X_MIGRATE*/
+#ifdef SADB_X_NAT_T_NEW_MAPPING
+ case SADB_X_NAT_T_NEW_MAPPING:
+ process_mapping(this, msg);
+ break;
+#endif /*SADB_X_NAT_T_NEW_MAPPING*/
+ default:
+ break;
+ }
+
+ return TRUE;
+}
+
+/**
+ * Get an SPI for a specific protocol from the kernel.
+ */
+
+static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
+ host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
+ u_int32_t *spi)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_spirange *range;
+ pfkey_msg_t response;
+ u_int32_t received_spi = 0;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_GETSPI;
+ msg->sadb_msg_satype = proto2satype(proto);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
+
+ range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
+ range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+ range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+ range->sadb_spirange_min = min;
+ range->sadb_spirange_max = max;
+ PFKEY_EXT_ADD(msg, range);
+
+ if (pfkey_send(this, msg, &out, &len) == SUCCESS)
+ {
+ if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ }
+ else if (parse_pfkey_message(out, &response) == SUCCESS)
+ {
+ received_spi = response.sa->sadb_sa_spi;
+ }
+ free(out);
+ }
+
+ if (received_spi == 0)
+ {
+ return FAILED;
+ }
+
+ *spi = received_spi;
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+ private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+ u_int8_t protocol, u_int32_t *spi)
+{
+ if (get_spi_internal(this, src, dst, protocol,
+ 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to get SPI");
+ return FAILED;
+ }
+
+ DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+ private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+ u_int16_t *cpi)
+{
+ u_int32_t received_spi = 0;
+
+ DBG2(DBG_KNL, "getting CPI");
+
+ if (get_spi_internal(this, src, dst, IPPROTO_COMP,
+ 0x100, 0xEFFF, &received_spi) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to get CPI");
+ return FAILED;
+ }
+
+ *cpi = htons((u_int16_t)ntohl(received_spi));
+
+ DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+ private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
+ u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
+ lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+ u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+ u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+ bool initiator, bool encap, bool esn, bool inbound, bool update,
+ linked_list_t *src_ts, linked_list_t *dst_ts)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ struct sadb_x_sa2 *sa2;
+ struct sadb_lifetime *lft;
+ struct sadb_key *key;
+ size_t len;
+
+ /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
+ * we are in the recursive call below */
+ if (ipcomp != IPCOMP_NONE && cpi != 0)
+ {
+ lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
+ add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
+ tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
+ chunk_empty, mode, ipcomp, 0, 0, FALSE, FALSE, FALSE, inbound,
+ update, NULL, NULL);
+ ipcomp = IPCOMP_NONE;
+ /* use transport mode ESP SA, IPComp uses tunnel mode */
+ mode = MODE_TRANSPORT;
+ }
+
+ if (update)
+ {
+ /* As we didn't know the reqid during SPI allocation, we used reqid
+ * zero. Unfortunately we can't SADB_UPDATE to the new reqid, hence we
+ * have to delete the SPI allocation state manually. The reqid
+ * selector does not count for that, therefore we have to delete
+ * that state before installing the new SA to avoid deleting the
+ * the new state after installing it. */
+ mark_t zeromark = {0, 0};
+
+ if (this->public.interface.del_sa(&this->public.interface,
+ src, dst, spi, protocol, 0, zeromark) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "deleting SPI allocation SA failed");
+ }
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
+ ntohl(spi), reqid);
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_ADD;
+ msg->sadb_msg_satype = proto2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+#ifdef __APPLE__
+ if (encap)
+ {
+ struct sadb_sa_2 *sa_2;
+ sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+ sa_2->sadb_sa_natt_port = dst->get_port(dst);
+ sa = &sa_2->sa;
+ sa->sadb_sa_flags |= SADB_X_EXT_NATT;
+ len = sizeof(struct sadb_sa_2);
+ }
+ else
+#endif
+ {
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ len = sizeof(struct sadb_sa);
+ }
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(len);
+ sa->sadb_sa_spi = spi;
+ if (protocol == IPPROTO_COMP)
+ {
+ sa->sadb_sa_encrypt = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp);
+ }
+ else
+ {
+ /* Linux interprets sadb_sa_replay as number of packets/bits in the
+ * replay window, whereas on BSD it's the size of the window in bytes */
+#ifdef __linux__
+ sa->sadb_sa_replay = min(replay_window, 32);
+#else
+ sa->sadb_sa_replay = (replay_window + 7) / 8;
+#endif
+ sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg);
+ sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg);
+ }
+ PFKEY_EXT_ADD(msg, sa);
+
+ sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
+ sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
+ sa2->sadb_x_sa2_mode = mode2kernel(mode);
+ sa2->sadb_x_sa2_reqid = reqid;
+ PFKEY_EXT_ADD(msg, sa2);
+
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
+
+ lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+ lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
+ lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+ lft->sadb_lifetime_allocations = lifetime->packets.rekey;
+ lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
+ lft->sadb_lifetime_addtime = lifetime->time.rekey;
+ lft->sadb_lifetime_usetime = 0; /* we only use addtime */
+ PFKEY_EXT_ADD(msg, lft);
+
+ lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+ lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+ lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+ lft->sadb_lifetime_allocations = lifetime->packets.life;
+ lft->sadb_lifetime_bytes = lifetime->bytes.life;
+ lft->sadb_lifetime_addtime = lifetime->time.life;
+ lft->sadb_lifetime_usetime = 0; /* we only use addtime */
+ PFKEY_EXT_ADD(msg, lft);
+
+ if (enc_alg != ENCR_UNDEFINED)
+ {
+ if (!sa->sadb_sa_encrypt)
+ {
+ DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+ encryption_algorithm_names, enc_alg);
+ return FAILED;
+ }
+ DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
+ encryption_algorithm_names, enc_alg, enc_key.len * 8);
+
+ key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+ key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+ key->sadb_key_bits = enc_key.len * 8;
+ key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
+ memcpy(key + 1, enc_key.ptr, enc_key.len);
+
+ PFKEY_EXT_ADD(msg, key);
+ }
+
+ if (int_alg != AUTH_UNDEFINED)
+ {
+ if (!sa->sadb_sa_auth)
+ {
+ DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+ integrity_algorithm_names, int_alg);
+ return FAILED;
+ }
+ DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
+ integrity_algorithm_names, int_alg, int_key.len * 8);
+
+ key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
+ key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+ key->sadb_key_bits = int_key.len * 8;
+ key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
+ memcpy(key + 1, int_key.ptr, int_key.len);
+
+ PFKEY_EXT_ADD(msg, key);
+ }
+
+#ifdef HAVE_NATT
+ if (encap)
+ {
+ add_encap_ext(msg, src, dst);
+ }
+#endif /*HAVE_NATT*/
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+
+ free(out);
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+ private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
+ u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+ bool encap, bool new_encap, mark_t mark)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ pfkey_msg_t response;
+ size_t len;
+
+ /* we can't update the SA if any of the ip addresses have changed.
+ * that's because we can't use SADB_UPDATE and by deleting and readding the
+ * SA the sequence numbers would get lost */
+ if (!src->ip_equals(src, new_src) ||
+ !dst->ip_equals(dst, new_dst))
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address "
+ "changes are not supported", ntohl(spi));
+ return NOT_SUPPORTED;
+ }
+
+ /* if IPComp is used, we first update the IPComp SA */
+ if (cpi)
+ {
+ update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
+ src, dst, new_src, new_dst, FALSE, FALSE, mark);
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_GET;
+ msg->sadb_msg_satype = proto2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ PFKEY_EXT_ADD(msg, sa);
+
+ /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
+ * it is not used for anything. */
+ add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno),
+ out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ else if (parse_pfkey_message(out, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing "
+ "response from kernel failed", ntohl(spi));
+ free(out);
+ return FAILED;
+ }
+
+ DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+ ntohl(spi), src, dst, new_src, new_dst);
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_UPDATE;
+ msg->sadb_msg_satype = proto2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+#ifdef __APPLE__
+ {
+ struct sadb_sa_2 *sa_2;
+ sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+ sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
+ memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
+ if (encap)
+ {
+ sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
+ sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
+ }
+ }
+#else
+ PFKEY_EXT_COPY(msg, response.sa);
+#endif
+ PFKEY_EXT_COPY(msg, response.x_sa2);
+
+ PFKEY_EXT_COPY(msg, response.src);
+ PFKEY_EXT_COPY(msg, response.dst);
+
+ PFKEY_EXT_COPY(msg, response.lft_soft);
+ PFKEY_EXT_COPY(msg, response.lft_hard);
+
+ if (response.key_encr)
+ {
+ PFKEY_EXT_COPY(msg, response.key_encr);
+ }
+
+ if (response.key_auth)
+ {
+ PFKEY_EXT_COPY(msg, response.key_auth);
+ }
+
+#ifdef HAVE_NATT
+ if (new_encap)
+ {
+ add_encap_ext(msg, new_src, new_dst);
+ }
+#endif /*HAVE_NATT*/
+
+ free(out);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno),
+ out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+ private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, u_int8_t protocol, mark_t mark,
+ u_int64_t *bytes, u_int64_t *packets, time_t *time)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ pfkey_msg_t response;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_GET;
+ msg->sadb_msg_satype = proto2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ PFKEY_EXT_ADD(msg, sa);
+
+ /* the Linux Kernel doesn't care for the src address, but other systems do
+ * (e.g. FreeBSD)
+ */
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno),
+ out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ else if (parse_pfkey_message(out, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+ free(out);
+ return FAILED;
+ }
+ if (bytes)
+ {
+ *bytes = response.lft_current->sadb_lifetime_bytes;
+ }
+ if (packets)
+ {
+ /* at least on Linux and FreeBSD this contains the number of packets */
+ *packets = response.lft_current->sadb_lifetime_allocations;
+ }
+ if (time)
+ {
+#ifdef __APPLE__
+ /* OS X uses the "last" time of use in usetime */
+ *time = response.lft_current->sadb_lifetime_usetime;
+#else /* !__APPLE__ */
+ /* on Linux, sadb_lifetime_usetime is set to the "first" time of use,
+ * which is actually correct according to PF_KEY. We have to query
+ * policies for the last usetime. */
+ *time = 0;
+#endif /* !__APPLE__ */
+ }
+
+ free(out);
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+ private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ size_t len;
+
+ /* if IPComp was used, we first delete the additional IPComp SA */
+ if (cpi)
+ {
+ del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark);
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_DELETE;
+ msg->sadb_msg_satype = proto2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ PFKEY_EXT_ADD(msg, sa);
+
+ /* the Linux Kernel doesn't care for the src address, but other systems do
+ * (e.g. FreeBSD)
+ */
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno),
+ out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+
+ DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+ free(out);
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, flush_sas, status_t,
+ private_kernel_pfkey_ipsec_t *this)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct {
+ u_int8_t proto;
+ char *name;
+ } protos[] = {
+ { SADB_SATYPE_AH, "AH" },
+ { SADB_SATYPE_ESP, "ESP" },
+ { SADB_X_SATYPE_IPCOMP, "IPComp" },
+ };
+ size_t len;
+ int i;
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_FLUSH;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ for (i = 0; i < countof(protos); i++)
+ {
+ DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
+
+ msg->sadb_msg_satype = protos[i].proto;
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to flush %s SAD entries: %s (%d)",
+ protos[i].name, strerror(out->sadb_msg_errno),
+ out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+ }
+ return SUCCESS;
+}
+
+/**
+ * Add an explicit exclude route to a routing entry
+ */
+static void add_exclude_route(private_kernel_pfkey_ipsec_t *this,
+ route_entry_t *route, host_t *src, host_t *dst)
+{
+ enumerator_t *enumerator;
+ exclude_route_t *exclude;
+ host_t *gtw;
+
+ enumerator = this->excludes->create_enumerator(this->excludes);
+ while (enumerator->enumerate(enumerator, &exclude))
+ {
+ if (dst->ip_equals(dst, exclude->dst))
+ {
+ route->exclude = exclude;
+ exclude->refs++;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!route->exclude)
+ {
+ DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
+ gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL);
+ if (gtw)
+ {
+ char *if_name = NULL;
+
+ if (charon->kernel->get_interface(charon->kernel, src, &if_name) &&
+ charon->kernel->add_route(charon->kernel,
+ dst->get_address(dst),
+ dst->get_family(dst) == AF_INET ? 32 : 128,
+ gtw, src, if_name) == SUCCESS)
+ {
+ INIT(exclude,
+ .dst = dst->clone(dst),
+ .src = src->clone(src),
+ .gtw = gtw->clone(gtw),
+ .refs = 1,
+ );
+ route->exclude = exclude;
+ this->excludes->insert_last(this->excludes, exclude);
+ }
+ else
+ {
+ DBG1(DBG_KNL, "installing exclude route for %H failed", dst);
+ }
+ gtw->destroy(gtw);
+ free(if_name);
+ }
+ else
+ {
+ DBG1(DBG_KNL, "gateway lookup for for %H failed", dst);
+ }
+ }
+}
+
+/**
+ * Remove an exclude route attached to a routing entry
+ */
+static void remove_exclude_route(private_kernel_pfkey_ipsec_t *this,
+ route_entry_t *route)
+{
+ if (route->exclude)
+ {
+ enumerator_t *enumerator;
+ exclude_route_t *exclude;
+ bool removed = FALSE;
+ host_t *dst;
+
+ enumerator = this->excludes->create_enumerator(this->excludes);
+ while (enumerator->enumerate(enumerator, &exclude))
+ {
+ if (route->exclude == exclude)
+ {
+ if (--exclude->refs == 0)
+ {
+ this->excludes->remove_at(this->excludes, enumerator);
+ removed = TRUE;
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (removed)
+ {
+ char *if_name = NULL;
+
+ dst = route->exclude->dst;
+ DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
+ dst, route->exclude->src);
+ if (charon->kernel->get_interface(
+ charon->kernel,
+ route->exclude->src, &if_name) &&
+ charon->kernel->del_route(charon->kernel,
+ dst->get_address(dst),
+ dst->get_family(dst) == AF_INET ? 32 : 128,
+ route->exclude->gtw, route->exclude->src,
+ if_name) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
+ }
+ exclude_route_destroy(route->exclude);
+ free(if_name);
+ }
+ route->exclude = NULL;
+ }
+}
+
+/**
+ * Try to install a route to the given inbound policy
+ */
+static bool install_route(private_kernel_pfkey_ipsec_t *this,
+ policy_entry_t *policy, policy_sa_in_t *in)
+{
+ route_entry_t *route, *old;
+ host_t *host, *src, *dst;
+ bool is_virtual;
+
+ if (charon->kernel->get_address_by_ts(charon->kernel, in->dst_ts, &host,
+ &is_virtual) != SUCCESS)
+ {
+ return FALSE;
+ }
+
+ /* switch src/dst, as we handle an IN policy */
+ src = in->generic.sa->dst;
+ dst = in->generic.sa->src;
+
+ INIT(route,
+ .prefixlen = policy->src.mask,
+ .src_ip = host,
+ .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
+ );
+
+ if (!dst->is_anyaddr(dst))
+ {
+ route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1,
+ src);
+
+ /* if the IP is virtual, we install the route over the interface it has
+ * been installed on. Otherwise we use the interface we use for IKE, as
+ * this is required for example on Linux. */
+ if (is_virtual)
+ {
+ src = route->src_ip;
+ }
+ }
+ else
+ { /* for shunt policies */
+ route->gateway = charon->kernel->get_nexthop(charon->kernel,
+ policy->src.net, policy->src.mask,
+ route->src_ip);
+
+ /* we don't have a source address, use the address we found */
+ src = route->src_ip;
+ }
+
+ /* get interface for route, using source address */
+ if (!charon->kernel->get_interface(charon->kernel, src, &route->if_name))
+ {
+ route_entry_destroy(route);
+ return FALSE;
+ }
+
+ if (policy->route)
+ {
+ old = policy->route;
+
+ if (route_entry_equals(old, route))
+ { /* such a route already exists */
+ route_entry_destroy(route);
+ return TRUE;
+ }
+ /* uninstall previously installed route */
+ if (charon->kernel->del_route(charon->kernel, old->dst_net,
+ old->prefixlen, old->gateway,
+ old->src_ip, old->if_name) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "error uninstalling route installed with policy "
+ "%R === %R %N", in->src_ts, in->dst_ts,
+ policy_dir_names, policy->direction);
+ }
+ route_entry_destroy(old);
+ policy->route = NULL;
+ }
+
+ /* if remote traffic selector covers the IKE peer, add an exclude route */
+ if (charon->kernel->get_features(charon->kernel) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
+ {
+ if (in->src_ts->is_host(in->src_ts, dst))
+ {
+ DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts "
+ "with IKE traffic", in->src_ts, in->dst_ts, policy_dir_names,
+ policy->direction);
+ route_entry_destroy(route);
+ return FALSE;
+ }
+ if (in->src_ts->includes(in->src_ts, dst))
+ {
+ add_exclude_route(this, route, in->generic.sa->dst, dst);
+ }
+ }
+
+ DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
+ in->src_ts, route->gateway, route->src_ip, route->if_name);
+
+ switch (charon->kernel->add_route(charon->kernel, route->dst_net,
+ route->prefixlen, route->gateway,
+ route->src_ip, route->if_name))
+ {
+ case ALREADY_DONE:
+ /* route exists, do not uninstall */
+ remove_exclude_route(this, route);
+ route_entry_destroy(route);
+ return TRUE;
+ case SUCCESS:
+ /* cache the installed route */
+ policy->route = route;
+ return TRUE;
+ default:
+ DBG1(DBG_KNL, "installing route failed: %R via %H src %H dev %s",
+ in->src_ts, route->gateway, route->src_ip, route->if_name);
+ remove_exclude_route(this, route);
+ route_entry_destroy(route);
+ return FALSE;
+ }
+}
+
+/**
+ * Add or update a policy in the kernel.
+ *
+ * Note: The mutex has to be locked when entering this function.
+ */
+static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
+ policy_entry_t *policy, policy_sa_t *mapping, bool update)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_x_policy *pol;
+ struct sadb_x_ipsecrequest *req;
+ ipsec_sa_t *ipsec = mapping->sa;
+ pfkey_msg_t response;
+ size_t len;
+ ipsec_mode_t proto_mode;
+ status_t status;
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
+ msg->sadb_msg_satype = 0;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+ pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+ pol->sadb_x_policy_id = 0;
+ pol->sadb_x_policy_dir = dir2kernel(policy->direction);
+ pol->sadb_x_policy_type = type2kernel(mapping->type);
+#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
+ pol->sadb_x_policy_priority = mapping->priority;
+#endif
+
+ /* one or more sadb_x_ipsecrequest extensions are added to the
+ * sadb_x_policy extension */
+ proto_mode = ipsec->cfg.mode;
+
+ req = (struct sadb_x_ipsecrequest*)(pol + 1);
+
+ if (ipsec->cfg.ipcomp.transform != IPCOMP_NONE)
+ {
+ req->sadb_x_ipsecrequest_proto = IPPROTO_COMP;
+
+ /* !!! the length here MUST be in octets instead of 64 bit words */
+ req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
+ req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode);
+ req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid;
+ req->sadb_x_ipsecrequest_level = (policy->direction == POLICY_OUT) ?
+ IPSEC_LEVEL_UNIQUE : IPSEC_LEVEL_USE;
+ if (ipsec->cfg.mode == MODE_TUNNEL)
+ {
+ len = hostcpy(req + 1, ipsec->src, FALSE);
+ req->sadb_x_ipsecrequest_len += len;
+ len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE);
+ req->sadb_x_ipsecrequest_len += len;
+ /* use transport mode for other SAs */
+ proto_mode = MODE_TRANSPORT;
+ }
+
+ pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
+ req = (struct sadb_x_ipsecrequest*)((char*)(req) +
+ req->sadb_x_ipsecrequest_len);
+ }
+
+ req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP
+ : IPPROTO_AH;
+ /* !!! the length here MUST be in octets instead of 64 bit words */
+ req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
+ req->sadb_x_ipsecrequest_mode = mode2kernel(proto_mode);
+ req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid;
+ req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
+ if (proto_mode == MODE_TUNNEL)
+ {
+ len = hostcpy(req + 1, ipsec->src, FALSE);
+ req->sadb_x_ipsecrequest_len += len;
+ len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE);
+ req->sadb_x_ipsecrequest_len += len;
+ }
+
+ pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
+ PFKEY_EXT_ADD(msg, pol);
+
+ add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+ policy->src.mask, TRUE);
+ add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+ policy->dst.mask, TRUE);
+
+#ifdef __FreeBSD__
+ { /* on FreeBSD a lifetime has to be defined to be able to later query
+ * the current use time. */
+ struct sadb_lifetime *lft;
+ lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+ lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+ lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+ lft->sadb_lifetime_addtime = LONG_MAX;
+ PFKEY_EXT_ADD(msg, lft);
+ }
+#endif
+
+ this->mutex->unlock(this->mutex);
+
+ status = pfkey_send(this, msg, &out, &len);
+ if (status == SUCCESS && !update && out->sadb_msg_errno == EEXIST)
+ {
+ DBG1(DBG_KNL, "policy already exists, try to update it");
+ free(out);
+ msg->sadb_msg_type = SADB_X_SPDUPDATE;
+ status = pfkey_send(this, msg, &out, &len);
+ }
+ if (status != SUCCESS)
+ {
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to %s policy: %s (%d)",
+ update ? "update" : "add", strerror(out->sadb_msg_errno),
+ out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ else if (parse_pfkey_message(out, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to %s policy: parsing response from kernel "
+ "failed", update ? "update" : "add");
+ free(out);
+ return FAILED;
+ }
+
+ /* we try to find the policy again and update the kernel index */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies, NULL,
+ (void**)&policy) != SUCCESS)
+ {
+ DBG2(DBG_KNL, "unable to update index, the policy is already gone, "
+ "ignoring");
+ this->mutex->unlock(this->mutex);
+ free(out);
+ return SUCCESS;
+ }
+ policy->index = response.x_policy->sadb_x_policy_id;
+ free(out);
+
+ /* install a route, if:
+ * - this is an inbound policy (to just get one for each child)
+ * - we are in tunnel mode or install a bypass policy
+ * - routing is not disabled via strongswan.conf
+ */
+ if (policy->direction == POLICY_IN && this->install_routes &&
+ (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
+ {
+ install_route(this, policy, (policy_sa_in_t*)mapping);
+ }
+ this->mutex->unlock(this->mutex);
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+ private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+ policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+ mark_t mark, policy_priority_t priority)
+{
+ policy_entry_t *policy, *found = NULL;
+ policy_sa_t *assigned_sa, *current_sa;
+ enumerator_t *enumerator;
+ bool update = TRUE;
+
+ if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+ { /* FWD policies are not supported on all platforms */
+ return SUCCESS;
+ }
+
+ /* create a policy */
+ policy = create_policy_entry(src_ts, dst_ts, direction);
+
+ /* find a matching policy */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_equals,
+ (void**)&found, policy) == SUCCESS)
+ { /* use existing policy */
+ DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
+ "refcount", src_ts, dst_ts, policy_dir_names, direction);
+ policy_entry_destroy(policy, this);
+ policy = found;
+ }
+ else
+ { /* use the new one, if we have no such policy */
+ this->policies->insert_first(this->policies, policy);
+ policy->used_by = linked_list_create();
+ }
+
+ /* cache the assigned IPsec SA */
+ assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts,
+ dst_ts, sa);
+ assigned_sa->priority = get_priority(policy, priority);
+
+ /* insert the SA according to its priority */
+ enumerator = policy->used_by->create_enumerator(policy->used_by);
+ while (enumerator->enumerate(enumerator, (void**)&current_sa))
+ {
+ if (current_sa->priority >= assigned_sa->priority)
+ {
+ break;
+ }
+ update = FALSE;
+ }
+ policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
+ enumerator->destroy(enumerator);
+
+ if (!update)
+ { /* we don't update the policy if the priority is lower than that of the
+ * currently installed one */
+ this->mutex->unlock(this->mutex);
+ return SUCCESS;
+ }
+
+ DBG2(DBG_KNL, "%s policy %R === %R %N",
+ found ? "updating" : "adding", src_ts, dst_ts,
+ policy_dir_names, direction);
+
+ if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to %s policy %R === %R %N",
+ found ? "update" : "add", src_ts, dst_ts,
+ policy_dir_names, direction);
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+ private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+ time_t *use_time)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_x_policy *pol;
+ policy_entry_t *policy, *found = NULL;
+ pfkey_msg_t response;
+ size_t len;
+
+ if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+ { /* FWD policies are not supported on all platforms */
+ return NOT_FOUND;
+ }
+
+ DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+
+ /* create a policy */
+ policy = create_policy_entry(src_ts, dst_ts, direction);
+
+ /* find a matching policy */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_equals,
+ (void**)&found, policy) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
+ dst_ts, policy_dir_names, direction);
+ policy_entry_destroy(policy, this);
+ this->mutex->unlock(this->mutex);
+ return NOT_FOUND;
+ }
+ policy_entry_destroy(policy, this);
+ policy = found;
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_X_SPDGET;
+ msg->sadb_msg_satype = 0;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+ pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ pol->sadb_x_policy_id = policy->index;
+ pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+ pol->sadb_x_policy_dir = dir2kernel(direction);
+ pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+ PFKEY_EXT_ADD(msg, pol);
+
+ add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+ policy->src.mask, TRUE);
+ add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+ policy->dst.mask, TRUE);
+
+ this->mutex->unlock(this->mutex);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
+ dst_ts, policy_dir_names, direction,
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ else if (parse_pfkey_message(out, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
+ "from kernel failed", src_ts, dst_ts, policy_dir_names,
+ direction);
+ free(out);
+ return FAILED;
+ }
+ else if (response.lft_current == NULL)
+ {
+ DBG2(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
+ "use time", src_ts, dst_ts, policy_dir_names, direction);
+ free(out);
+ return FAILED;
+ }
+
+ /* we need the monotonic time, but the kernel returns system time. */
+ if (response.lft_current->sadb_lifetime_usetime)
+ {
+ *use_time = time_monotonic(NULL) -
+ (time(NULL) - response.lft_current->sadb_lifetime_usetime);
+ }
+ else
+ {
+ *use_time = 0;
+ }
+ free(out);
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+ private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+ policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+ mark_t mark, policy_priority_t prio)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_x_policy *pol;
+ policy_entry_t *policy, *found = NULL;
+ policy_sa_t *mapping, *to_remove = NULL;
+ enumerator_t *enumerator;
+ bool first = TRUE, is_installed = TRUE;
+ u_int32_t priority;
+ size_t len;
+ ipsec_sa_t assigned_sa = {
+ .src = src,
+ .dst = dst,
+ .cfg = *sa,
+ };
+
+ if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+ { /* FWD policies are not supported on all platforms */
+ return SUCCESS;
+ }
+
+ DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+
+ /* create a policy */
+ policy = create_policy_entry(src_ts, dst_ts, direction);
+
+ /* find a matching policy */
+ this->mutex->lock(this->mutex);
+ if (this->policies->find_first(this->policies,
+ (linked_list_match_t)policy_entry_equals,
+ (void**)&found, policy) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
+ dst_ts, policy_dir_names, direction);
+ policy_entry_destroy(policy, this);
+ this->mutex->unlock(this->mutex);
+ return NOT_FOUND;
+ }
+ policy_entry_destroy(policy, this);
+ policy = found;
+
+ /* remove mapping to SA by reqid and priority, if multiple match, which
+ * could happen when rekeying due to an address change, remove the oldest */
+ priority = get_priority(policy, prio);
+ enumerator = policy->used_by->create_enumerator(policy->used_by);
+ while (enumerator->enumerate(enumerator, (void**)&mapping))
+ {
+ if (priority == mapping->priority &&
+ ipsec_sa_equals(mapping->sa, &assigned_sa))
+ {
+ to_remove = mapping;
+ is_installed = first;
+ }
+ else if (priority < mapping->priority)
+ {
+ break;
+ }
+ first = FALSE;
+ }
+ enumerator->destroy(enumerator);
+ if (!to_remove)
+ { /* sanity check */
+ this->mutex->unlock(this->mutex);
+ return SUCCESS;
+ }
+ policy->used_by->remove(policy->used_by, to_remove, NULL);
+ mapping = to_remove;
+
+ if (policy->used_by->get_count(policy->used_by) > 0)
+ { /* policy is used by more SAs, keep in kernel */
+ DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+ policy_sa_destroy(mapping, &direction, this);
+
+ if (!is_installed)
+ { /* no need to update as the policy was not installed for this SA */
+ this->mutex->unlock(this->mutex);
+ return SUCCESS;
+ }
+
+ DBG2(DBG_KNL, "updating policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ policy->used_by->get_first(policy->used_by, (void**)&mapping);
+ if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to update policy %R === %R %N",
+ src_ts, dst_ts, policy_dir_names, direction);
+ return FAILED;
+ }
+ return SUCCESS;
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_X_SPDDELETE;
+ msg->sadb_msg_satype = 0;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
+ pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
+ pol->sadb_x_policy_dir = dir2kernel(direction);
+ pol->sadb_x_policy_type = type2kernel(mapping->type);
+ PFKEY_EXT_ADD(msg, pol);
+
+ add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
+ policy->src.mask, TRUE);
+ add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
+ policy->dst.mask, TRUE);
+
+ if (policy->route)
+ {
+ route_entry_t *route = policy->route;
+ if (charon->kernel->del_route(charon->kernel, route->dst_net,
+ route->prefixlen, route->gateway,
+ route->src_ip, route->if_name) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "error uninstalling route installed with "
+ "policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ }
+ remove_exclude_route(this, route);
+ }
+
+ this->policies->remove(this->policies, found, NULL);
+ policy_sa_destroy(mapping, &direction, this);
+ policy_entry_destroy(policy, this);
+ this->mutex->unlock(this->mutex);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
+ dst_ts, policy_dir_names, direction,
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, flush_policies, status_t,
+ private_kernel_pfkey_ipsec_t *this)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "flushing all policies from SPD");
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_X_SPDFLUSH;
+ msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to flush SPD entries");
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to flush SPD entries: %s (%d)",
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * Register a socket for ACQUIRE/EXPIRE messages
+ */
+static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
+ u_int8_t satype)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_REGISTER;
+ msg->sadb_msg_satype = satype;
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to register PF_KEY socket");
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
+ strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+ private_kernel_pfkey_ipsec_t *this, int fd, int family)
+{
+ struct sadb_x_policy policy;
+ u_int sol, ipsec_policy;
+
+ switch (family)
+ {
+ case AF_INET:
+ {
+ sol = SOL_IP;
+ ipsec_policy = IP_IPSEC_POLICY;
+ break;
+ }
+ case AF_INET6:
+ {
+ sol = SOL_IPV6;
+ ipsec_policy = IPV6_IPSEC_POLICY;
+ break;
+ }
+ default:
+ return FALSE;
+ }
+
+ memset(&policy, 0, sizeof(policy));
+ policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+ policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+
+ policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ return FALSE;
+ }
+ policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ return FALSE;
+ }
+ return TRUE;
+}
+
+METHOD(kernel_ipsec_t, enable_udp_decap, bool,
+ private_kernel_pfkey_ipsec_t *this, int fd, int family, u_int16_t port)
+{
+#ifndef __APPLE__
+ int type = UDP_ENCAP_ESPINUDP;
+
+ if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
+ return FALSE;
+ }
+#else /* __APPLE__ */
+ int intport = port;
+
+ if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &intport,
+ sizeof(intport)) != 0)
+ {
+ DBG1(DBG_KNL, "could not set net.inet.ipsec.esp_port to %d: %s",
+ port, strerror(errno));
+ return FALSE;
+ }
+#endif /* __APPLE__ */
+
+ return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+ private_kernel_pfkey_ipsec_t *this)
+{
+ if (this->socket > 0)
+ {
+ close(this->socket);
+ }
+ if (this->socket_events > 0)
+ {
+ lib->watcher->remove(lib->watcher, this->socket_events);
+ close(this->socket_events);
+ }
+ this->policies->invoke_function(this->policies,
+ (linked_list_invoke_t)policy_entry_destroy,
+ this);
+ this->policies->destroy(this->policies);
+ this->excludes->destroy(this->excludes);
+ this->sas->destroy(this->sas);
+ this->mutex->destroy(this->mutex);
+ this->mutex_pfkey->destroy(this->mutex_pfkey);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
+{
+ private_kernel_pfkey_ipsec_t *this;
+ bool register_for_events = TRUE;
+ int rcv_buffer;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .get_spi = _get_spi,
+ .get_cpi = _get_cpi,
+ .add_sa = _add_sa,
+ .update_sa = _update_sa,
+ .query_sa = _query_sa,
+ .del_sa = _del_sa,
+ .flush_sas = _flush_sas,
+ .add_policy = _add_policy,
+ .query_policy = _query_policy,
+ .del_policy = _del_policy,
+ .flush_policies = _flush_policies,
+ .bypass_socket = _bypass_socket,
+ .enable_udp_decap = _enable_udp_decap,
+ .destroy = _destroy,
+ },
+ },
+ .policies = linked_list_create(),
+ .excludes = linked_list_create(),
+ .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
+ (hashtable_equals_t)ipsec_sa_equals, 32),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
+ .install_routes = lib->settings->get_bool(lib->settings,
+ "%s.install_routes", TRUE,
+ lib->ns),
+ );
+
+ if (streq(lib->ns, "starter"))
+ { /* starter has no threads, so we do not register for kernel events */
+ register_for_events = FALSE;
+ }
+
+ /* create a PF_KEY socket to communicate with the kernel */
+ this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+ if (this->socket <= 0)
+ {
+ DBG1(DBG_KNL, "unable to create PF_KEY socket");
+ destroy(this);
+ return NULL;
+ }
+
+ if (register_for_events)
+ {
+ /* create a PF_KEY socket for ACQUIRE & EXPIRE */
+ this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+ if (this->socket_events <= 0)
+ {
+ DBG1(DBG_KNL, "unable to create PF_KEY event socket");
+ destroy(this);
+ return NULL;
+ }
+
+ rcv_buffer = lib->settings->get_int(lib->settings,
+ "%s.plugins.kernel-pfkey.events_buffer_size", 0, lib->ns);
+ if (rcv_buffer > 0)
+ {
+ if (setsockopt(this->socket_events, SOL_SOCKET, SO_RCVBUF,
+ &rcv_buffer, sizeof(rcv_buffer)) == -1)
+ {
+ DBG1(DBG_KNL, "unable to set receive buffer size on PF_KEY "
+ "event socket: %s", strerror(errno));
+ }
+ }
+
+ /* register the event socket */
+ if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+ register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to register PF_KEY event socket");
+ destroy(this);
+ return NULL;
+ }
+
+ lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ,
+ (watcher_cb_t)receive_events, this);
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
new file mode 100644
index 000000000..649f93733
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfkey_ipsec_i kernel_pfkey_ipsec
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_IPSEC_H_
+#define KERNEL_PFKEY_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_pfkey_ipsec_t kernel_pfkey_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using PF_KEY.
+ */
+struct kernel_pfkey_ipsec_t {
+
+ /**
+ * Implements kernel_ipsec_t interface
+ */
+ kernel_ipsec_t interface;
+};
+
+/**
+ * Create a PF_KEY kernel ipsec interface instance.
+ *
+ * @return kernel_pfkey_ipsec_t instance
+ */
+kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create();
+
+#endif /** KERNEL_PFKEY_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
new file mode 100644
index 000000000..d49fe2422
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_pfkey_plugin.h"
+
+#include "kernel_pfkey_ipsec.h"
+
+typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
+
+/**
+ * private data of kernel PF_KEY plugin
+ */
+struct private_kernel_pfkey_plugin_t {
+ /**
+ * implements plugin interface
+ */
+ kernel_pfkey_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_kernel_pfkey_plugin_t *this)
+{
+ return "kernel-pfkey";
+}
+
+METHOD(plugin_t, get_features, int,
+ private_kernel_pfkey_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_CALLBACK(kernel_ipsec_register, kernel_pfkey_ipsec_create),
+ PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_kernel_pfkey_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_pfkey_plugin_create()
+{
+ private_kernel_pfkey_plugin_t *this;
+
+ if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
+ { /* required to open PF_KEY sockets */
+ DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability");
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
new file mode 100644
index 000000000..ecccc6303
--- /dev/null
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfkey kernel_pfkey
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
+ * @{ @ingroup kernel_pfkey
+ */
+
+#ifndef KERNEL_PFKEY_PLUGIN_H_
+#define KERNEL_PFKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfkey_plugin_t kernel_pfkey_plugin_t;
+
+/**
+ * PF_KEY kernel interface plugin
+ */
+struct kernel_pfkey_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** KERNEL_PFKEY_PLUGIN_H_ @}*/
generated by cgit v1.2.3 (git 2.39.1) at 2025-07-25 11:46:55 +0000