diff options
Diffstat (limited to 'src/libhydra/plugins/kernel_pfkey')
| -rw-r--r-- | src/libhydra/plugins/kernel_pfkey/Makefile.am | 19 | ||||
| -rw-r--r-- | src/libhydra/plugins/kernel_pfkey/Makefile.in | 780 | ||||
| -rw-r--r-- | src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 3102 | ||||
| -rw-r--r-- | src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h | 46 | ||||
| -rw-r--r-- | src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c | 82 | ||||
| -rw-r--r-- | src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h | 42 |
6 files changed, 0 insertions, 4071 deletions
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.am b/src/libhydra/plugins/kernel_pfkey/Makefile.am deleted file mode 100644 index f645528d9..000000000 --- a/src/libhydra/plugins/kernel_pfkey/Makefile.am +++ /dev/null @@ -1,19 +0,0 @@ -AM_CPPFLAGS = \ - -I${linux_headers} \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la -else -plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la -endif - -libstrongswan_kernel_pfkey_la_SOURCES = \ - kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ - kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c - -libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in deleted file mode 100644 index 177d2f23f..000000000 --- a/src/libhydra/plugins/kernel_pfkey/Makefile.in +++ /dev/null @@ -1,780 +0,0 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994-2013 Free Software Foundation, Inc. - -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' -am__make_running_with_option = \ - case $${target_option-} in \ - ?) ;; \ - *) echo "am__make_running_with_option: internal error: invalid" \ - "target option '$${target_option-}' specified" >&2; \ - exit 1;; \ - esac; \ - has_opt=no; \ - sane_makeflags=$$MAKEFLAGS; \ - if $(am__is_gnu_make); then \ - sane_makeflags=$$MFLAGS; \ - else \ - case $$MAKEFLAGS in \ - *\\[\ \ ]*) \ - bs=\\; \ - sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ - | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ - esac; \ - fi; \ - skip_next=no; \ - strip_trailopt () \ - { \ - flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ - }; \ - for flg in $$sane_makeflags; do \ - test $$skip_next = yes && { skip_next=no; continue; }; \ - case $$flg in \ - *=*|--*) continue;; \ - -*I) strip_trailopt 'I'; skip_next=yes;; \ - -*I?*) strip_trailopt 'I';; \ - -*O) strip_trailopt 'O'; skip_next=yes;; \ - -*O?*) strip_trailopt 'O';; \ - -*l) strip_trailopt 'l'; skip_next=yes;; \ - -*l?*) strip_trailopt 'l';; \ - -[dEDm]) skip_next=yes;; \ - -[JT]) skip_next=yes;; \ - esac; \ - case $$flg in \ - *$$target_option*) has_opt=yes; break;; \ - esac; \ - done; \ - test $$has_opt = yes -am__make_dryrun = (target_option=n; $(am__make_running_with_option)) -am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = src/libhydra/plugins/kernel_pfkey -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ - $(top_srcdir)/m4/config/ltoptions.m4 \ - $(top_srcdir)/m4/config/ltsugar.m4 \ - $(top_srcdir)/m4/config/ltversion.m4 \ - $(top_srcdir)/m4/config/lt~obsolete.m4 \ - $(top_srcdir)/m4/macros/split-package-version.m4 \ - $(top_srcdir)/m4/macros/with.m4 \ - $(top_srcdir)/m4/macros/enable-disable.m4 \ - $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__uninstall_files_from_dir = { \ - test -z "$$files" \ - || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ - || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ - $(am__cd) "$$dir" && rm -f $$files; }; \ - } -am__installdirs = "$(DESTDIR)$(plugindir)" -LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_kernel_pfkey_la_LIBADD = -am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \ - kernel_pfkey_ipsec.lo -libstrongswan_kernel_pfkey_la_OBJECTS = \ - $(am_libstrongswan_kernel_pfkey_la_OBJECTS) -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = -libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) \ - $(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfkey_la_rpath = -rpath \ -@MONOLITHIC_FALSE@ $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfkey_la_rpath = -AM_V_P = $(am__v_P_@AM_V@) -am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) -am__v_P_0 = false -am__v_P_1 = : -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; -am__v_GEN_1 = -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ -am__v_at_1 = -DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -depcomp = $(SHELL) $(top_srcdir)/depcomp -am__depfiles_maybe = depfiles -am__mv = mv -f -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -AM_V_CC = $(am__v_CC_@AM_V@) -am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) -am__v_CC_0 = @echo " CC " $@; -am__v_CC_1 = -CCLD = $(CC) -LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -AM_V_CCLD = $(am__v_CCLD_@AM_V@) -am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) -am__v_CCLD_0 = @echo " CCLD " $@; -am__v_CCLD_1 = -SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES) -DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES) -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -# Read a list of newline-separated strings from the standard input, -# and print each of them once, without duplicates. Input order is -# *not* preserved. -am__uniquify_input = $(AWK) '\ - BEGIN { nonempty = 0; } \ - { items[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in items) print i; }; } \ -' -# Make sure the list of sources is unique. This is necessary because, -# e.g., the same source file might be shared among _SOURCES variables -# for different programs/libraries. -am__define_uniq_tagged_files = \ - list='$(am__tagged_files)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -ALLOCA = @ALLOCA@ -AMTAR = @AMTAR@ -AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -BFDLIB = @BFDLIB@ -BTLIB = @BTLIB@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ -COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLIB = @DLLIB@ -DLLTOOL = @DLLTOOL@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -EASY_INSTALL = @EASY_INSTALL@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GEM = @GEM@ -GENHTML = @GENHTML@ -GPERF = @GPERF@ -GPRBUILD = @GPRBUILD@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LCOV = @LCOV@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MANIFEST_TOOL = @MANIFEST_TOOL@ -MKDIR_P = @MKDIR_P@ -MYSQLCFLAG = @MYSQLCFLAG@ -MYSQLCONFIG = @MYSQLCONFIG@ -MYSQLLIB = @MYSQLLIB@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OPENSSL_LIB = @OPENSSL_LIB@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ -PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ -PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ -PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PERL = @PERL@ -PKG_CONFIG = @PKG_CONFIG@ -PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ -PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ -PTHREADLIB = @PTHREADLIB@ -PYTHON = @PYTHON@ -PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ -PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ -PYTHON_PLATFORM = @PYTHON_PLATFORM@ -PYTHON_PREFIX = @PYTHON_PREFIX@ -PYTHON_VERSION = @PYTHON_VERSION@ -PY_TEST = @PY_TEST@ -RANLIB = @RANLIB@ -RTLIB = @RTLIB@ -RUBY = @RUBY@ -RUBYGEMDIR = @RUBYGEMDIR@ -RUBYINCLUDE = @RUBYINCLUDE@ -RUBYLIB = @RUBYLIB@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SOCKLIB = @SOCKLIB@ -STRIP = @STRIP@ -UNWINDLIB = @UNWINDLIB@ -VERSION = @VERSION@ -YACC = @YACC@ -YFLAGS = @YFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -aikgen_plugins = @aikgen_plugins@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -attest_plugins = @attest_plugins@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -c_plugins = @c_plugins@ -charon_natt_port = @charon_natt_port@ -charon_plugins = @charon_plugins@ -charon_udp_port = @charon_udp_port@ -clearsilver_LIBS = @clearsilver_LIBS@ -cmd_plugins = @cmd_plugins@ -datadir = @datadir@ -datarootdir = @datarootdir@ -dbusservicedir = @dbusservicedir@ -dev_headers = @dev_headers@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -fips_mode = @fips_mode@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -imcvdir = @imcvdir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -ipsec_script = @ipsec_script@ -ipsec_script_upper = @ipsec_script_upper@ -ipsecdir = @ipsecdir@ -ipsecgroup = @ipsecgroup@ -ipseclibdir = @ipseclibdir@ -ipsecuser = @ipsecuser@ -json_CFLAGS = @json_CFLAGS@ -json_LIBS = @json_LIBS@ -libdir = @libdir@ -libexecdir = @libexecdir@ -libiptc_CFLAGS = @libiptc_CFLAGS@ -libiptc_LIBS = @libiptc_LIBS@ -linux_headers = @linux_headers@ -localedir = @localedir@ -localstatedir = @localstatedir@ -maemo_CFLAGS = @maemo_CFLAGS@ -maemo_LIBS = @maemo_LIBS@ -manager_plugins = @manager_plugins@ -mandir = @mandir@ -medsrv_plugins = @medsrv_plugins@ -mkdir_p = @mkdir_p@ -nm_CFLAGS = @nm_CFLAGS@ -nm_LIBS = @nm_LIBS@ -nm_ca_dir = @nm_ca_dir@ -nm_plugins = @nm_plugins@ -oldincludedir = @oldincludedir@ -pcsclite_CFLAGS = @pcsclite_CFLAGS@ -pcsclite_LIBS = @pcsclite_LIBS@ -pdfdir = @pdfdir@ -piddir = @piddir@ -pkgpyexecdir = @pkgpyexecdir@ -pkgpythondir = @pkgpythondir@ -pki_plugins = @pki_plugins@ -plugindir = @plugindir@ -pool_plugins = @pool_plugins@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -pyexecdir = @pyexecdir@ -pythondir = @pythondir@ -random_device = @random_device@ -resolv_conf = @resolv_conf@ -routing_table = @routing_table@ -routing_table_prio = @routing_table_prio@ -s_plugins = @s_plugins@ -sbindir = @sbindir@ -scepclient_plugins = @scepclient_plugins@ -scripts_plugins = @scripts_plugins@ -sharedstatedir = @sharedstatedir@ -soup_CFLAGS = @soup_CFLAGS@ -soup_LIBS = @soup_LIBS@ -srcdir = @srcdir@ -starter_plugins = @starter_plugins@ -strongswan_conf = @strongswan_conf@ -strongswan_options = @strongswan_options@ -swanctldir = @swanctldir@ -sysconfdir = @sysconfdir@ -systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ -systemd_daemon_LIBS = @systemd_daemon_LIBS@ -systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ -systemd_journal_LIBS = @systemd_journal_LIBS@ -systemdsystemunitdir = @systemdsystemunitdir@ -t_plugins = @t_plugins@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -urandom_device = @urandom_device@ -xml_CFLAGS = @xml_CFLAGS@ -xml_LIBS = @xml_LIBS@ -AM_CPPFLAGS = \ - -I${linux_headers} \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la -libstrongswan_kernel_pfkey_la_SOURCES = \ - kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ - kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c - -libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version -all: all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) - @$(NORMAL_INSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ - } - -uninstall-pluginLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ - done - -clean-pluginLTLIBRARIES: - -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) - @list='$(plugin_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfkey_la_DEPENDENCIES) - $(AM_V_CCLD)$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_ipsec.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< - -.c.obj: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` - -.c.lo: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -ID: $(am__tagged_files) - $(am__define_uniq_tagged_files); mkid -fID $$unique -tags: tags-am -TAGS: tags - -tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - set x; \ - here=`pwd`; \ - $(am__define_uniq_tagged_files); \ - shift; \ - if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - if test $$# -gt 0; then \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - "$$@" $$unique; \ - else \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$unique; \ - fi; \ - fi -ctags: ctags-am - -CTAGS: ctags -ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - $(am__define_uniq_tagged_files); \ - test -z "$(CTAGS_ARGS)$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && $(am__cd) $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) "$$here" -cscopelist: cscopelist-am - -cscopelist-am: $(am__tagged_files) - list='$(am__tagged_files)'; \ - case "$(srcdir)" in \ - [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ - *) sdir=$(subdir)/$(srcdir) ;; \ - esac; \ - for i in $$list; do \ - if test -f "$$i"; then \ - echo "$(subdir)/$$i"; \ - else \ - echo "$$sdir/$$i"; \ - fi; \ - done >> $(top_builddir)/cscope.files - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(LTLIBRARIES) -installdirs: - for dir in "$(DESTDIR)$(plugindir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - if test -z '$(STRIP)'; then \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - install; \ - else \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ - fi -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-pluginLTLIBRARIES mostlyclean-am - -distclean: distclean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: install-pluginLTLIBRARIES - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-pluginLTLIBRARIES - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-pluginLTLIBRARIES install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-pluginLTLIBRARIES - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c deleted file mode 100644 index a2fccd1d3..000000000 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ /dev/null @@ -1,3102 +0,0 @@ -/* - * Copyright (C) 2008-2015 Tobias Brunner - * Copyright (C) 2008 Andreas Steffen - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ -/* - * Copyright (C) 2014 Nanoteq Pty Ltd - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ - -#include <stdint.h> -#include <sys/types.h> -#include <sys/socket.h> - -#ifdef __FreeBSD__ -#include <limits.h> /* for LONG_MAX */ -#endif - -#ifdef HAVE_NET_PFKEYV2_H -#include <net/pfkeyv2.h> -#else -#include <linux/pfkeyv2.h> -#endif - -#ifdef SADB_X_EXT_NAT_T_TYPE -#define HAVE_NATT -#endif - -#ifdef HAVE_NETIPSEC_IPSEC_H -#include <netipsec/ipsec.h> -#elif defined(HAVE_NETINET6_IPSEC_H) -#include <netinet6/ipsec.h> -#else -#include <linux/ipsec.h> -#endif - -#ifdef HAVE_NATT -#ifdef HAVE_LINUX_UDP_H -#include <linux/udp.h> -#else -#include <netinet/udp.h> -#endif /*HAVE_LINUX_UDP_H*/ -#endif /*HAVE_NATT*/ - -#include <unistd.h> -#include <time.h> -#include <errno.h> -#ifdef __APPLE__ -#include <sys/sysctl.h> -#endif - -#include "kernel_pfkey_ipsec.h" - -#include <hydra.h> -#include <utils/debug.h> -#include <networking/host.h> -#include <collections/linked_list.h> -#include <collections/hashtable.h> -#include <threading/mutex.h> - -/** non linux specific */ -#ifndef IPPROTO_COMP -#ifdef IPPROTO_IPCOMP -#define IPPROTO_COMP IPPROTO_IPCOMP -#endif -#endif - -#ifndef SADB_X_AALG_SHA2_256HMAC -#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256 -#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384 -#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512 -#endif - -#ifndef SADB_X_EALG_AESCBC -#define SADB_X_EALG_AESCBC SADB_X_EALG_AES -#endif - -#ifndef SADB_X_EALG_CASTCBC -#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC -#endif - -#if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8) -#define SADB_X_EALG_AES_GCM_ICV8 SADB_X_EALG_AESGCM8 -#define SADB_X_EALG_AES_GCM_ICV12 SADB_X_EALG_AESGCM12 -#define SADB_X_EALG_AES_GCM_ICV16 SADB_X_EALG_AESGCM16 -#endif - -#ifndef SOL_IP -#define SOL_IP IPPROTO_IP -#define SOL_IPV6 IPPROTO_IPV6 -#endif - -/** from linux/in.h */ -#ifndef IP_IPSEC_POLICY -#define IP_IPSEC_POLICY 16 -#endif - -/** missing on uclibc */ -#ifndef IPV6_IPSEC_POLICY -#define IPV6_IPSEC_POLICY 34 -#endif - -/* from linux/udp.h */ -#ifndef UDP_ENCAP -#define UDP_ENCAP 100 -#endif - -#ifndef UDP_ENCAP_ESPINUDP -#define UDP_ENCAP_ESPINUDP 2 -#endif - -/* this is not defined on some platforms */ -#ifndef SOL_UDP -#define SOL_UDP IPPROTO_UDP -#endif - -/** base priority for installed policies */ -#define PRIO_BASE 384 - -#ifdef __APPLE__ -/** from xnu/bsd/net/pfkeyv2.h */ -#define SADB_X_EXT_NATT 0x002 - struct sadb_sa_2 { - struct sadb_sa sa; - u_int16_t sadb_sa_natt_port; - u_int16_t sadb_reserved0; - u_int32_t sadb_reserved1; - }; -#endif - -/** buffer size for PF_KEY messages */ -#define PFKEY_BUFFER_SIZE 4096 - -/** PF_KEY messages are 64 bit aligned */ -#define PFKEY_ALIGNMENT 8 -/** aligns len to 64 bits */ -#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1)) -/** calculates the properly padded length in 64 bit chunks */ -#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT)) -/** calculates user mode length i.e. in bytes */ -#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT) - -/** given a PF_KEY message header and an extension this updates the length in the header */ -#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len) -/** given a PF_KEY message header this returns a pointer to the next extension */ -#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len))) -/** copy an extension and append it to a PF_KEY message */ -#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))) -/** given a PF_KEY extension this returns a pointer to the next extension */ -#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))) -/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */ -#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext)) -/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */ -#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \ - (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \ - (ext)->sadb_ext_len <= (len)) - -typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t; - -/** - * Private variables and functions of kernel_pfkey class. - */ -struct private_kernel_pfkey_ipsec_t -{ - /** - * Public part of the kernel_pfkey_t object. - */ - kernel_pfkey_ipsec_t public; - - /** - * mutex to lock access to various lists - */ - mutex_t *mutex; - - /** - * List of installed policies (policy_entry_t) - */ - linked_list_t *policies; - - /** - * List of exclude routes (exclude_route_t) - */ - linked_list_t *excludes; - - /** - * Hash table of IPsec SAs using policies (ipsec_sa_t) - */ - hashtable_t *sas; - - /** - * whether to install routes along policies - */ - bool install_routes; - - /** - * mutex to lock access to the PF_KEY socket - */ - mutex_t *mutex_pfkey; - - /** - * PF_KEY socket to communicate with the kernel - */ - int socket; - - /** - * PF_KEY socket to receive acquire and expire events - */ - int socket_events; - - /** - * sequence number for messages sent to the kernel - */ - int seq; -}; - -typedef struct exclude_route_t exclude_route_t; - -/** - * Exclude route definition - */ -struct exclude_route_t { - /** destination address of exclude */ - host_t *dst; - /** source address for route */ - host_t *src; - /** nexthop exclude has been installed */ - host_t *gtw; - /** references to this route */ - int refs; -}; - -/** - * clean up a route exclude entry - */ -static void exclude_route_destroy(exclude_route_t *this) -{ - this->dst->destroy(this->dst); - this->src->destroy(this->src); - this->gtw->destroy(this->gtw); - free(this); -} - -typedef struct route_entry_t route_entry_t; - -/** - * installed routing entry - */ -struct route_entry_t { - /** name of the interface the route is bound to */ - char *if_name; - - /** source ip of the route */ - host_t *src_ip; - - /** gateway for this route */ - host_t *gateway; - - /** destination net */ - chunk_t dst_net; - - /** destination net prefixlen */ - u_int8_t prefixlen; - - /** reference to exclude route, if any */ - exclude_route_t *exclude; -}; - -/** - * destroy an route_entry_t object - */ -static void route_entry_destroy(route_entry_t *this) -{ - free(this->if_name); - DESTROY_IF(this->src_ip); - DESTROY_IF(this->gateway); - chunk_free(&this->dst_net); - free(this); -} - -/** - * compare two route_entry_t objects - */ -static bool route_entry_equals(route_entry_t *a, route_entry_t *b) -{ - return a->if_name && b->if_name && streq(a->if_name, b->if_name) && - a->src_ip->ip_equals(a->src_ip, b->src_ip) && - a->gateway && b->gateway && - a->gateway->ip_equals(a->gateway, b->gateway) && - chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen; -} - -typedef struct ipsec_sa_t ipsec_sa_t; - -/** - * IPsec SA assigned to a policy. - */ -struct ipsec_sa_t { - /** Source address of this SA */ - host_t *src; - - /** Destination address of this SA */ - host_t *dst; - - /** Description of this SA */ - ipsec_sa_cfg_t cfg; - - /** Reference count for this SA */ - refcount_t refcount; -}; - -/** - * Hash function for ipsec_sa_t objects - */ -static u_int ipsec_sa_hash(ipsec_sa_t *sa) -{ - return chunk_hash_inc(sa->src->get_address(sa->src), - chunk_hash_inc(sa->dst->get_address(sa->dst), - chunk_hash(chunk_from_thing(sa->cfg)))); -} - -/** - * Equality function for ipsec_sa_t objects - */ -static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa) -{ - return sa->src->ip_equals(sa->src, other_sa->src) && - sa->dst->ip_equals(sa->dst, other_sa->dst) && - memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t)); -} - -/** - * Allocate or reference an IPsec SA object - */ -static ipsec_sa_t *ipsec_sa_create(private_kernel_pfkey_ipsec_t *this, - host_t *src, host_t *dst, - ipsec_sa_cfg_t *cfg) -{ - ipsec_sa_t *sa, *found; - INIT(sa, - .src = src, - .dst = dst, - .cfg = *cfg, - ); - found = this->sas->get(this->sas, sa); - if (!found) - { - sa->src = src->clone(src); - sa->dst = dst->clone(dst); - this->sas->put(this->sas, sa, sa); - } - else - { - free(sa); - sa = found; - } - ref_get(&sa->refcount); - return sa; -} - -/** - * Release and destroy an IPsec SA object - */ -static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this, - ipsec_sa_t *sa) -{ - if (ref_put(&sa->refcount)) - { - this->sas->remove(this->sas, sa); - DESTROY_IF(sa->src); - DESTROY_IF(sa->dst); - free(sa); - } -} - -typedef struct policy_sa_t policy_sa_t; -typedef struct policy_sa_in_t policy_sa_in_t; - -/** - * Mapping between a policy and an IPsec SA. - */ -struct policy_sa_t { - /** Priority assigned to the policy when installed with this SA */ - u_int32_t priority; - - /** Type of the policy */ - policy_type_t type; - - /** Assigned SA */ - ipsec_sa_t *sa; -}; - -/** - * For input policies we also cache the traffic selectors in order to install - * the route. - */ -struct policy_sa_in_t { - /** Generic interface */ - policy_sa_t generic; - - /** Source traffic selector of this policy */ - traffic_selector_t *src_ts; - - /** Destination traffic selector of this policy */ - traffic_selector_t *dst_ts; -}; - -/** - * Create a policy_sa(_in)_t object - */ -static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this, - policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, ipsec_sa_cfg_t *cfg) -{ - policy_sa_t *policy; - - if (dir == POLICY_IN) - { - policy_sa_in_t *in; - INIT(in, - .src_ts = src_ts->clone(src_ts), - .dst_ts = dst_ts->clone(dst_ts), - ); - policy = &in->generic; - } - else - { - INIT(policy, .priority = 0); - } - policy->type = type; - policy->sa = ipsec_sa_create(this, src, dst, cfg); - return policy; -} - -/** - * Destroy a policy_sa(_in)_t object - */ -static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir, - private_kernel_pfkey_ipsec_t *this) -{ - if (*dir == POLICY_IN) - { - policy_sa_in_t *in = (policy_sa_in_t*)policy; - in->src_ts->destroy(in->src_ts); - in->dst_ts->destroy(in->dst_ts); - } - ipsec_sa_destroy(this, policy->sa); - free(policy); -} - -typedef struct policy_entry_t policy_entry_t; - -/** - * installed kernel policy. - */ -struct policy_entry_t { - /** Index assigned by the kernel */ - u_int32_t index; - - /** Direction of this policy: in, out, forward */ - u_int8_t direction; - - /** Parameters of installed policy */ - struct { - /** Subnet and port */ - host_t *net; - /** Subnet mask */ - u_int8_t mask; - /** Protocol */ - u_int8_t proto; - } src, dst; - - /** Associated route installed for this policy */ - route_entry_t *route; - - /** List of SAs this policy is used by, ordered by priority */ - linked_list_t *used_by; -}; - -/** - * Create a policy_entry_t object - */ -static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t dir) -{ - policy_entry_t *policy; - INIT(policy, - .direction = dir, - ); - u_int16_t port; - u_int8_t proto; - - src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask); - dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask); - - /* src or dest proto may be "any" (0), use more restrictive one */ - proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts)); - /* map the ports to ICMP type/code how the Linux kernel expects them, that - * is, type in src, code in dst */ - if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) - { - port = max(policy->src.net->get_port(policy->src.net), - policy->dst.net->get_port(policy->dst.net)); - policy->src.net->set_port(policy->src.net, - traffic_selector_icmp_type(port)); - policy->dst.net->set_port(policy->dst.net, - traffic_selector_icmp_code(port)); - } - else if (!proto) - { - proto = IPSEC_PROTO_ANY; - } - policy->src.proto = policy->dst.proto = proto; - - return policy; -} - -/** - * Destroy a policy_entry_t object - */ -static void policy_entry_destroy(policy_entry_t *policy, - private_kernel_pfkey_ipsec_t *this) -{ - if (policy->route) - { - route_entry_destroy(policy->route); - } - if (policy->used_by) - { - policy->used_by->invoke_function(policy->used_by, - (linked_list_invoke_t)policy_sa_destroy, - &policy->direction, this); - policy->used_by->destroy(policy->used_by); - } - DESTROY_IF(policy->src.net); - DESTROY_IF(policy->dst.net); - free(policy); -} - -/** - * compares two policy_entry_t - */ -static inline bool policy_entry_equals(policy_entry_t *current, - policy_entry_t *policy) -{ - return current->direction == policy->direction && - current->src.proto == policy->src.proto && - current->dst.proto == policy->dst.proto && - current->src.mask == policy->src.mask && - current->dst.mask == policy->dst.mask && - current->src.net->equals(current->src.net, policy->src.net) && - current->dst.net->equals(current->dst.net, policy->dst.net); -} - -/** - * compare the given kernel index with that of a policy - */ -static inline bool policy_entry_match_byindex(policy_entry_t *current, - u_int32_t *index) -{ - return current->index == *index; -} - -/** - * Calculate the priority of a policy - */ -static inline u_int32_t get_priority(policy_entry_t *policy, - policy_priority_t prio) -{ - u_int32_t priority = PRIO_BASE; - switch (prio) - { - case POLICY_PRIORITY_FALLBACK: - priority <<= 1; - /* fall-through */ - case POLICY_PRIORITY_ROUTED: - priority <<= 1; - /* fall-through */ - case POLICY_PRIORITY_DEFAULT: - priority <<= 1; - /* fall-trough */ - case POLICY_PRIORITY_PASS: - break; - } - /* calculate priority based on selector size, small size = high prio */ - priority -= policy->src.mask; - priority -= policy->dst.mask; - priority <<= 2; /* make some room for the two flags */ - priority += policy->src.net->get_port(policy->src.net) || - policy->dst.net->get_port(policy->dst.net) ? - 0 : 2; - priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1; - return priority; -} - -typedef struct pfkey_msg_t pfkey_msg_t; - -struct pfkey_msg_t -{ - /** - * PF_KEY message base - */ - struct sadb_msg *msg; - - /** - * PF_KEY message extensions - */ - union { - struct sadb_ext *ext[SADB_EXT_MAX + 1]; - struct { - struct sadb_ext *reserved; /* SADB_EXT_RESERVED */ - struct sadb_sa *sa; /* SADB_EXT_SA */ - struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */ - struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */ - struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */ - struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */ - struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */ - struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */ - struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */ - struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */ - struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */ - struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */ - struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */ - struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */ - struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */ - struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */ - struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */ - struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */ - struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */ - struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */ - struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */ - struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */ - struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */ - struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */ - struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */ - struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */ - } __attribute__((__packed__)); - }; -}; - -ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX, - "SADB_EXT_RESERVED", - "SADB_EXT_SA", - "SADB_EXT_LIFETIME_CURRENT", - "SADB_EXT_LIFETIME_HARD", - "SADB_EXT_LIFETIME_SOFT", - "SADB_EXT_ADDRESS_SRC", - "SADB_EXT_ADDRESS_DST", - "SADB_EXT_ADDRESS_PROXY", - "SADB_EXT_KEY_AUTH", - "SADB_EXT_KEY_ENCRYPT", - "SADB_EXT_IDENTITY_SRC", - "SADB_EXT_IDENTITY_DST", - "SADB_EXT_SENSITIVITY", - "SADB_EXT_PROPOSAL", - "SADB_EXT_SUPPORTED_AUTH", - "SADB_EXT_SUPPORTED_ENCRYPT", - "SADB_EXT_SPIRANGE", - "SADB_X_EXT_KMPRIVATE", - "SADB_X_EXT_POLICY", - "SADB_X_EXT_SA2", - "SADB_X_EXT_NAT_T_TYPE", - "SADB_X_EXT_NAT_T_SPORT", - "SADB_X_EXT_NAT_T_DPORT", - "SADB_X_EXT_NAT_T_OA", - "SADB_X_EXT_SEC_CTX", - "SADB_X_EXT_KMADDRESS" -); - -/** - * convert a protocol identifier to the PF_KEY sa type - */ -static u_int8_t proto2satype(u_int8_t proto) -{ - switch (proto) - { - case IPPROTO_ESP: - return SADB_SATYPE_ESP; - case IPPROTO_AH: - return SADB_SATYPE_AH; - case IPPROTO_COMP: - return SADB_X_SATYPE_IPCOMP; - default: - return proto; - } -} - -/** - * convert a PF_KEY sa type to a protocol identifier - */ -static u_int8_t satype2proto(u_int8_t satype) -{ - switch (satype) - { - case SADB_SATYPE_ESP: - return IPPROTO_ESP; - case SADB_SATYPE_AH: - return IPPROTO_AH; - case SADB_X_SATYPE_IPCOMP: - return IPPROTO_COMP; - default: - return satype; - } -} - -/** - * convert the general ipsec mode to the one defined in ipsec.h - */ -static u_int8_t mode2kernel(ipsec_mode_t mode) -{ - switch (mode) - { - case MODE_TRANSPORT: - return IPSEC_MODE_TRANSPORT; - case MODE_TUNNEL: - return IPSEC_MODE_TUNNEL; -#ifdef HAVE_IPSEC_MODE_BEET - case MODE_BEET: - return IPSEC_MODE_BEET; -#endif - default: - return mode; - } -} - -/** - * convert the general policy direction to the one defined in ipsec.h - */ -static u_int8_t dir2kernel(policy_dir_t dir) -{ - switch (dir) - { - case POLICY_IN: - return IPSEC_DIR_INBOUND; - case POLICY_OUT: - return IPSEC_DIR_OUTBOUND; -#ifdef HAVE_IPSEC_DIR_FWD - case POLICY_FWD: - return IPSEC_DIR_FWD; -#endif - default: - return IPSEC_DIR_INVALID; - } -} - -/** - * convert the policy type to the one defined in ipsec.h - */ -static inline u_int16_t type2kernel(policy_type_t type) -{ - switch (type) - { - case POLICY_IPSEC: - return IPSEC_POLICY_IPSEC; - case POLICY_PASS: - return IPSEC_POLICY_NONE; - case POLICY_DROP: - return IPSEC_POLICY_DISCARD; - } - return type; -} - -#ifdef SADB_X_MIGRATE -/** - * convert the policy direction in ipsec.h to the general one. - */ -static policy_dir_t kernel2dir(u_int8_t dir) -{ - switch (dir) - { - case IPSEC_DIR_INBOUND: - return POLICY_IN; - case IPSEC_DIR_OUTBOUND: - return POLICY_OUT; -#ifdef HAVE_IPSEC_DIR_FWD - case IPSEC_DIR_FWD: - return POLICY_FWD; -#endif - default: - return dir; - } -} -#endif /*SADB_X_MIGRATE*/ - -typedef struct kernel_algorithm_t kernel_algorithm_t; - -/** - * Mapping of IKEv2 algorithms to PF_KEY algorithms - */ -struct kernel_algorithm_t { - /** - * Identifier specified in IKEv2 - */ - int ikev2; - - /** - * Identifier as defined in pfkeyv2.h - */ - int kernel; -}; - -#define END_OF_LIST -1 - -/** - * Algorithms for encryption - */ -static kernel_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, 0 }, */ - {ENCR_DES, SADB_EALG_DESCBC }, - {ENCR_3DES, SADB_EALG_3DESCBC }, -/* {ENCR_RC5, 0 }, */ -/* {ENCR_IDEA, 0 }, */ - {ENCR_CAST, SADB_X_EALG_CASTCBC }, - {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC }, -/* {ENCR_3IDEA, 0 }, */ -/* {ENCR_DES_IV32, 0 }, */ - {ENCR_NULL, SADB_EALG_NULL }, - {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, -#ifdef SADB_X_EALG_AESCTR - {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, -#endif -/* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */ -/* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */ -/* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */ -#ifdef SADB_X_EALG_AES_GCM_ICV8 /* assume the others are defined too */ - {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, - {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, - {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, -#endif -#ifdef SADB_X_EALG_CAMELLIACBC - {ENCR_CAMELLIA_CBC, SADB_X_EALG_CAMELLIACBC }, -#endif - {END_OF_LIST, 0 }, -}; - -/** - * Algorithms for integrity protection - */ -static kernel_algorithm_t integrity_algs[] = { - {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC }, - {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC }, - {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC }, - {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC }, - {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC }, -/* {AUTH_DES_MAC, 0, }, */ -/* {AUTH_KPDK_MD5, 0, }, */ -#ifdef SADB_X_AALG_AES_XCBC_MAC - {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, }, -#endif - {END_OF_LIST, 0, }, -}; - -/** - * Algorithms for IPComp, unused yet - */ -static kernel_algorithm_t compression_algs[] = { -/* {IPCOMP_OUI, 0 }, */ - {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE }, -#ifdef SADB_X_CALG_LZS - {IPCOMP_LZS, SADB_X_CALG_LZS }, -#endif -#ifdef SADB_X_CALG_LZJH - {IPCOMP_LZJH, SADB_X_CALG_LZJH }, -#endif - {END_OF_LIST, 0 }, -}; - -/** - * Look up a kernel algorithm ID and its key size - */ -static int lookup_algorithm(transform_type_t type, int ikev2) -{ - kernel_algorithm_t *list; - u_int16_t alg = 0; - - switch (type) - { - case ENCRYPTION_ALGORITHM: - list = encryption_algs; - break; - case INTEGRITY_ALGORITHM: - list = integrity_algs; - break; - case COMPRESSION_ALGORITHM: - list = compression_algs; - break; - default: - return 0; - } - while (list->ikev2 != END_OF_LIST) - { - if (ikev2 == list->ikev2) - { - return list->kernel; - } - list++; - } - hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface, ikev2, - type, &alg, NULL); - return alg; -} - -/** - * Helper to set a port in a sockaddr_t, the port has to be in host order - */ -static void set_port(sockaddr_t *addr, u_int16_t port) -{ - switch (addr->sa_family) - { - case AF_INET: - { - struct sockaddr_in *sin = (struct sockaddr_in*)addr; - sin->sin_port = htons(port); - break; - } - case AF_INET6: - { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr; - sin6->sin6_port = htons(port); - break; - } - } -} - -/** - * Copy a host_t as sockaddr_t to the given memory location. - * @return the number of bytes copied - */ -static size_t hostcpy(void *dest, host_t *host, bool include_port) -{ - sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest; - socklen_t *len = host->get_sockaddr_len(host); - - memcpy(dest, addr, *len); -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - dest_addr->sa_len = *len; -#endif - if (!include_port) - { - set_port(dest_addr, 0); - } - return *len; -} - -/** - * add a host to the given sadb_msg - */ -static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type, - u_int8_t proto, u_int8_t prefixlen, bool include_port) -{ - struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg); - size_t len; - - addr->sadb_address_exttype = type; - addr->sadb_address_proto = proto; - addr->sadb_address_prefixlen = prefixlen; - len = hostcpy(addr + 1, host, include_port); - addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); - PFKEY_EXT_ADD(msg, addr); -} - -/** - * adds an empty address extension to the given sadb_msg - */ -static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type) -{ - socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) : - sizeof(struct sockaddr_in6); - struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg); - addr->sadb_address_exttype = type; - sockaddr_t *saddr = (sockaddr_t*)(addr + 1); - saddr->sa_family = family; -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - saddr->sa_len = len; -#endif - addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); - PFKEY_EXT_ADD(msg, addr); -} - -#ifdef HAVE_NATT -/** - * add udp encap extensions to a sadb_msg - */ -static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst) -{ - struct sadb_x_nat_t_type* nat_type; - struct sadb_x_nat_t_port* nat_port; - - nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg); - nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; - nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(*nat_type)); - nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP; - PFKEY_EXT_ADD(msg, nat_type); - - nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg); - nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT; - nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port)); - nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src)); - PFKEY_EXT_ADD(msg, nat_port); - - nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg); - nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT; - nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port)); - nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst)); - PFKEY_EXT_ADD(msg, nat_port); -} -#endif /*HAVE_NATT*/ - -/** - * Convert a sadb_address to a traffic_selector - */ -static traffic_selector_t* sadb_address2ts(struct sadb_address *address) -{ - traffic_selector_t *ts; - host_t *host; - u_int8_t proto; - - proto = address->sadb_address_proto; - proto = proto == IPSEC_PROTO_ANY ? 0 : proto; - - /* The Linux 2.6 kernel does not set the protocol and port information - * in the src and dst sadb_address extensions of the SADB_ACQUIRE message. - */ - host = host_create_from_sockaddr((sockaddr_t*)&address[1]); - ts = traffic_selector_create_from_subnet(host, - address->sadb_address_prefixlen, - proto, host->get_port(host), - host->get_port(host) ?: 65535); - return ts; -} - -/** - * Parses a pfkey message received from the kernel - */ -static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out) -{ - struct sadb_ext* ext; - size_t len; - - memset(out, 0, sizeof(pfkey_msg_t)); - out->msg = msg; - - len = msg->sadb_msg_len; - len -= PFKEY_LEN(sizeof(struct sadb_msg)); - - ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg)); - - while (len >= PFKEY_LEN(sizeof(struct sadb_ext))) - { - DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type); - if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) || - ext->sadb_ext_len > len) - { - DBG1(DBG_KNL, "length of %N extension is invalid", - sadb_ext_type_names, ext->sadb_ext_type); - break; - } - - if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type)) - { - DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", - ext->sadb_ext_type); - break; - } - - if (out->ext[ext->sadb_ext_type]) - { - DBG1(DBG_KNL, "duplicate %N extension", - sadb_ext_type_names, ext->sadb_ext_type); - break; - } - - out->ext[ext->sadb_ext_type] = ext; - ext = PFKEY_EXT_NEXT_LEN(ext, len); - } - - if (len) - { - DBG1(DBG_KNL, "PF_KEY message length is invalid"); - return FAILED; - } - - return SUCCESS; -} - -/** - * Send a message to a specific PF_KEY socket and handle the response. - */ -static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket, - struct sadb_msg *in, struct sadb_msg **out, size_t *out_len) -{ - unsigned char buf[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg; - int in_len, len; - - this->mutex_pfkey->lock(this->mutex_pfkey); - - /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367, - * in particular the behavior in response to an SADB_ACQUIRE. */ - in->sadb_msg_seq = ++this->seq; - in->sadb_msg_pid = getpid(); - - in_len = PFKEY_USER_LEN(in->sadb_msg_len); - - while (TRUE) - { - len = send(socket, in, in_len, 0); - - if (len != in_len) - { - if (errno == EINTR) - { - /* interrupted, try again */ - continue; - } - this->mutex_pfkey->unlock(this->mutex_pfkey); - DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", - strerror(errno)); - return FAILED; - } - break; - } - - while (TRUE) - { - msg = (struct sadb_msg*)buf; - - len = recv(socket, buf, sizeof(buf), 0); - - if (len < 0) - { - if (errno == EINTR) - { - DBG1(DBG_KNL, "got interrupted"); - /* interrupted, try again */ - continue; - } - DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", - strerror(errno)); - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; - } - if (len < sizeof(struct sadb_msg) || - msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg))) - { - DBG1(DBG_KNL, "received corrupted PF_KEY message"); - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; - } - if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT) - { - DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY " - "message"); - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; - } - if (msg->sadb_msg_pid != in->sadb_msg_pid) - { - DBG2(DBG_KNL, "received PF_KEY message is not intended for us"); - continue; - } - if (msg->sadb_msg_seq != this->seq) - { - DBG2(DBG_KNL, "received PF_KEY message with unexpected sequence " - "number, was %d expected %d", msg->sadb_msg_seq, - this->seq); - if (msg->sadb_msg_seq == 0) - { - /* FreeBSD and Mac OS X do this for the response to - * SADB_X_SPDGET (but not for the response to SADB_GET). - * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */ - } - else if (msg->sadb_msg_seq < this->seq) - { - continue; - } - else - { - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; - } - } - if (msg->sadb_msg_type != in->sadb_msg_type) - { - DBG2(DBG_KNL, "received PF_KEY message of wrong type, " - "was %d expected %d, ignoring", msg->sadb_msg_type, - in->sadb_msg_type); - } - break; - } - - *out_len = len; - *out = (struct sadb_msg*)malloc(len); - memcpy(*out, buf, len); - - this->mutex_pfkey->unlock(this->mutex_pfkey); - return SUCCESS; -} - -/** - * Send a message to the default PF_KEY socket and handle the response. - */ -static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this, - struct sadb_msg *in, struct sadb_msg **out, - size_t *out_len) -{ - return pfkey_send_socket(this, this->socket, in, out, out_len); -} - -/** - * Process a SADB_ACQUIRE message from the kernel - */ -static void process_acquire(private_kernel_pfkey_ipsec_t *this, - struct sadb_msg* msg) -{ - pfkey_msg_t response; - u_int32_t index, reqid = 0; - traffic_selector_t *src_ts, *dst_ts; - policy_entry_t *policy; - policy_sa_t *sa; - - switch (msg->sadb_msg_satype) - { - case SADB_SATYPE_UNSPEC: - case SADB_SATYPE_ESP: - case SADB_SATYPE_AH: - break; - default: - /* acquire for AH/ESP only */ - return; - } - DBG2(DBG_KNL, "received an SADB_ACQUIRE"); - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed"); - return; - } - - index = response.x_policy->sadb_x_policy_id; - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_match_byindex, - (void**)&policy, &index) == SUCCESS && - policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS) - { - reqid = sa->sa->cfg.reqid; - } - else - { - DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no " - "matching policy found", index); - } - this->mutex->unlock(this->mutex); - - src_ts = sadb_address2ts(response.src); - dst_ts = sadb_address2ts(response.dst); - - hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts, - dst_ts); -} - -/** - * Process a SADB_EXPIRE message from the kernel - */ -static void process_expire(private_kernel_pfkey_ipsec_t *this, - struct sadb_msg* msg) -{ - pfkey_msg_t response; - u_int8_t protocol; - u_int32_t spi; - host_t *dst; - bool hard; - - DBG2(DBG_KNL, "received an SADB_EXPIRE"); - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed"); - return; - } - - protocol = satype2proto(msg->sadb_msg_satype); - spi = response.sa->sadb_sa_spi; - hard = response.lft_hard != NULL; - - if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH) - { - dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1)); - if (dst) - { - hydra->kernel_interface->expire(hydra->kernel_interface, protocol, - spi, dst, hard); - dst->destroy(dst); - } - } -} - -#ifdef SADB_X_MIGRATE -/** - * Process a SADB_X_MIGRATE message from the kernel - */ -static void process_migrate(private_kernel_pfkey_ipsec_t *this, - struct sadb_msg* msg) -{ - pfkey_msg_t response; - traffic_selector_t *src_ts, *dst_ts; - policy_dir_t dir; - u_int32_t reqid = 0; - host_t *local = NULL, *remote = NULL; - - DBG2(DBG_KNL, "received an SADB_X_MIGRATE"); - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed"); - return; - } - src_ts = sadb_address2ts(response.src); - dst_ts = sadb_address2ts(response.dst); - dir = kernel2dir(response.x_policy->sadb_x_policy_dir); - DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts, - policy_dir_names, dir); - - /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */ - if (response.x_kmaddress) - { - sockaddr_t *local_addr, *remote_addr; - u_int32_t local_len; - - local_addr = (sockaddr_t*)&response.x_kmaddress[1]; - local = host_create_from_sockaddr(local_addr); - local_len = (local_addr->sa_family == AF_INET6)? - sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in); - remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len); - remote = host_create_from_sockaddr(remote_addr); - DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote); - } - - if (src_ts && dst_ts && local && remote) - { - hydra->kernel_interface->migrate(hydra->kernel_interface, reqid, - src_ts, dst_ts, dir, local, remote); - } - else - { - DESTROY_IF(src_ts); - DESTROY_IF(dst_ts); - DESTROY_IF(local); - DESTROY_IF(remote); - } -} -#endif /*SADB_X_MIGRATE*/ - -#ifdef SADB_X_NAT_T_NEW_MAPPING -/** - * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel - */ -static void process_mapping(private_kernel_pfkey_ipsec_t *this, - struct sadb_msg* msg) -{ - pfkey_msg_t response; - u_int32_t spi; - sockaddr_t *sa; - host_t *dst, *new; - - DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING"); - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed"); - return; - } - - if (!response.x_sa2) - { - DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required " - "information"); - return; - } - - spi = response.sa->sadb_sa_spi; - - if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP) - { - return; - } - - sa = (sockaddr_t*)(response.dst + 1); - dst = host_create_from_sockaddr(sa); - switch (sa->sa_family) - { - case AF_INET: - { - struct sockaddr_in *sin = (struct sockaddr_in*)sa; - sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port); - break; - } - case AF_INET6: - { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa; - sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port); - break; - } - default: - break; - } - if (dst) - { - new = host_create_from_sockaddr(sa); - if (new) - { - hydra->kernel_interface->mapping(hydra->kernel_interface, - IPPROTO_ESP, spi, dst, new); - new->destroy(new); - } - dst->destroy(dst); - } -} -#endif /*SADB_X_NAT_T_NEW_MAPPING*/ - -/** - * Receives events from kernel - */ -static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd, - watcher_event_t event) -{ - unsigned char buf[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg = (struct sadb_msg*)buf; - int len; - - len = recvfrom(this->socket_events, buf, sizeof(buf), MSG_DONTWAIT, NULL, 0); - if (len < 0) - { - switch (errno) - { - case EINTR: - /* interrupted, try again */ - return TRUE; - case EAGAIN: - /* no data ready, select again */ - return TRUE; - default: - DBG1(DBG_KNL, "unable to receive from PF_KEY event socket"); - sleep(1); - return TRUE; - } - } - - if (len < sizeof(struct sadb_msg) || - msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg))) - { - DBG2(DBG_KNL, "received corrupted PF_KEY message"); - return TRUE; - } - if (msg->sadb_msg_pid != 0) - { /* not from kernel. not interested, try another one */ - return TRUE; - } - if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT) - { - DBG1(DBG_KNL, "buffer was too small to receive the complete " - "PF_KEY message"); - return TRUE; - } - - switch (msg->sadb_msg_type) - { - case SADB_ACQUIRE: - process_acquire(this, msg); - break; - case SADB_EXPIRE: - process_expire(this, msg); - break; -#ifdef SADB_X_MIGRATE - case SADB_X_MIGRATE: - process_migrate(this, msg); - break; -#endif /*SADB_X_MIGRATE*/ -#ifdef SADB_X_NAT_T_NEW_MAPPING - case SADB_X_NAT_T_NEW_MAPPING: - process_mapping(this, msg); - break; -#endif /*SADB_X_NAT_T_NEW_MAPPING*/ - default: - break; - } - - return TRUE; -} - -/** - * Get an SPI for a specific protocol from the kernel. - */ - -static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this, - host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max, - u_int32_t *spi) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_spirange *range; - pfkey_msg_t response; - u_int32_t received_spi = 0; - size_t len; - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_GETSPI; - msg->sadb_msg_satype = proto2satype(proto); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); - - range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg); - range->sadb_spirange_exttype = SADB_EXT_SPIRANGE; - range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange)); - range->sadb_spirange_min = min; - range->sadb_spirange_max = max; - PFKEY_EXT_ADD(msg, range); - - if (pfkey_send(this, msg, &out, &len) == SUCCESS) - { - if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "allocating SPI failed: %s (%d)", - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - } - else if (parse_pfkey_message(out, &response) == SUCCESS) - { - received_spi = response.sa->sadb_sa_spi; - } - free(out); - } - - if (received_spi == 0) - { - return FAILED; - } - - *spi = received_spi; - return SUCCESS; -} - -METHOD(kernel_ipsec_t, get_spi, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t *spi) -{ - if (get_spi_internal(this, src, dst, protocol, - 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS) - { - DBG1(DBG_KNL, "unable to get SPI"); - return FAILED; - } - - DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi)); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, get_cpi, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int16_t *cpi) -{ - u_int32_t received_spi = 0; - - DBG2(DBG_KNL, "getting CPI"); - - if (get_spi_internal(this, src, dst, IPPROTO_COMP, - 0x100, 0xEFFF, &received_spi) != SUCCESS) - { - DBG1(DBG_KNL, "unable to get CPI"); - return FAILED; - } - - *cpi = htons((u_int16_t)ntohl(received_spi)); - - DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi)); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, add_sa, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, bool update, - linked_list_t *src_ts, linked_list_t *dst_ts) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - struct sadb_x_sa2 *sa2; - struct sadb_lifetime *lft; - struct sadb_key *key; - size_t len; - - /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0 - * we are in the recursive call below */ - if (ipcomp != IPCOMP_NONE && cpi != 0) - { - lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; - add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, - tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, - chunk_empty, mode, ipcomp, 0, 0, FALSE, FALSE, FALSE, inbound, - update, NULL, NULL); - ipcomp = IPCOMP_NONE; - /* use transport mode ESP SA, IPComp uses tunnel mode */ - mode = MODE_TRANSPORT; - } - - if (update) - { - /* As we didn't know the reqid during SPI allocation, we used reqid - * zero. Unfortunately we can't SADB_UPDATE to the new reqid, hence we - * have to delete the SPI allocation state manually. The reqid - * selector does not count for that, therefore we have to delete - * that state before installing the new SA to avoid deleting the - * the new state after installing it. */ - mark_t zeromark = {0, 0}; - - if (this->public.interface.del_sa(&this->public.interface, - src, dst, spi, protocol, 0, zeromark) != SUCCESS) - { - DBG1(DBG_KNL, "deleting SPI allocation SA failed"); - } - } - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", - ntohl(spi), reqid); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_ADD; - msg->sadb_msg_satype = proto2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - -#ifdef __APPLE__ - if (encap) - { - struct sadb_sa_2 *sa_2; - sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); - sa_2->sadb_sa_natt_port = dst->get_port(dst); - sa = &sa_2->sa; - sa->sadb_sa_flags |= SADB_X_EXT_NATT; - len = sizeof(struct sadb_sa_2); - } - else -#endif - { - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - len = sizeof(struct sadb_sa); - } - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(len); - sa->sadb_sa_spi = spi; - if (protocol == IPPROTO_COMP) - { - sa->sadb_sa_encrypt = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp); - } - else - { - /* Linux interprets sadb_sa_replay as number of packets/bits in the - * replay window, whereas on BSD it's the size of the window in bytes */ -#ifdef __linux__ - sa->sadb_sa_replay = min(replay_window, 32); -#else - sa->sadb_sa_replay = (replay_window + 7) / 8; -#endif - sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg); - sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg); - } - PFKEY_EXT_ADD(msg, sa); - - sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg); - sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2; - sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange)); - sa2->sadb_x_sa2_mode = mode2kernel(mode); - sa2->sadb_x_sa2_reqid = reqid; - PFKEY_EXT_ADD(msg, sa2); - - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); - - lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); - lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; - lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); - lft->sadb_lifetime_allocations = lifetime->packets.rekey; - lft->sadb_lifetime_bytes = lifetime->bytes.rekey; - lft->sadb_lifetime_addtime = lifetime->time.rekey; - lft->sadb_lifetime_usetime = 0; /* we only use addtime */ - PFKEY_EXT_ADD(msg, lft); - - lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); - lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; - lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); - lft->sadb_lifetime_allocations = lifetime->packets.life; - lft->sadb_lifetime_bytes = lifetime->bytes.life; - lft->sadb_lifetime_addtime = lifetime->time.life; - lft->sadb_lifetime_usetime = 0; /* we only use addtime */ - PFKEY_EXT_ADD(msg, lft); - - if (enc_alg != ENCR_UNDEFINED) - { - if (!sa->sadb_sa_encrypt) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg); - return FAILED; - } - DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg, enc_key.len * 8); - - key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg); - key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; - key->sadb_key_bits = enc_key.len * 8; - key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len); - memcpy(key + 1, enc_key.ptr, enc_key.len); - - PFKEY_EXT_ADD(msg, key); - } - - if (int_alg != AUTH_UNDEFINED) - { - if (!sa->sadb_sa_auth) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - integrity_algorithm_names, int_alg); - return FAILED; - } - DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", - integrity_algorithm_names, int_alg, int_key.len * 8); - - key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg); - key->sadb_key_exttype = SADB_EXT_KEY_AUTH; - key->sadb_key_bits = int_key.len * 8; - key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len); - memcpy(key + 1, int_key.ptr, int_key.len); - - PFKEY_EXT_ADD(msg, key); - } - -#ifdef HAVE_NATT - if (encap) - { - add_encap_ext(msg, src, dst); - } -#endif /*HAVE_NATT*/ - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol, - u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap, mark_t mark) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - pfkey_msg_t response; - size_t len; - - /* we can't update the SA if any of the ip addresses have changed. - * that's because we can't use SADB_UPDATE and by deleting and readding the - * SA the sequence numbers would get lost */ - if (!src->ip_equals(src, new_src) || - !dst->ip_equals(dst, new_dst)) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address " - "changes are not supported", ntohl(spi)); - return NOT_SUPPORTED; - } - - /* if IPComp is used, we first update the IPComp SA */ - if (cpi) - { - update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0, - src, dst, new_src, new_dst, FALSE, FALSE, mark); - } - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_GET; - msg->sadb_msg_satype = proto2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - PFKEY_EXT_ADD(msg, sa); - - /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though - * it is not used for anything. */ - add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), - out->sadb_msg_errno); - free(out); - return FAILED; - } - else if (parse_pfkey_message(out, &response) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing " - "response from kernel failed", ntohl(spi)); - free(out); - return FAILED; - } - - DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H", - ntohl(spi), src, dst, new_src, new_dst); - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_UPDATE; - msg->sadb_msg_satype = proto2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - -#ifdef __APPLE__ - { - struct sadb_sa_2 *sa_2; - sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); - sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2)); - memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa)); - if (encap) - { - sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst); - sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT; - } - } -#else - PFKEY_EXT_COPY(msg, response.sa); -#endif - PFKEY_EXT_COPY(msg, response.x_sa2); - - PFKEY_EXT_COPY(msg, response.src); - PFKEY_EXT_COPY(msg, response.dst); - - PFKEY_EXT_COPY(msg, response.lft_soft); - PFKEY_EXT_COPY(msg, response.lft_hard); - - if (response.key_encr) - { - PFKEY_EXT_COPY(msg, response.key_encr); - } - - if (response.key_auth) - { - PFKEY_EXT_COPY(msg, response.key_auth); - } - -#ifdef HAVE_NATT - if (new_encap) - { - add_encap_ext(msg, new_src, new_dst); - } -#endif /*HAVE_NATT*/ - - free(out); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), - out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, query_sa, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, mark_t mark, - u_int64_t *bytes, u_int64_t *packets, time_t *time) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - pfkey_msg_t response; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_GET; - msg->sadb_msg_satype = proto2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - PFKEY_EXT_ADD(msg, sa); - - /* the Linux Kernel doesn't care for the src address, but other systems do - * (e.g. FreeBSD) - */ - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), - out->sadb_msg_errno); - free(out); - return FAILED; - } - else if (parse_pfkey_message(out, &response) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; - } - if (bytes) - { - *bytes = response.lft_current->sadb_lifetime_bytes; - } - if (packets) - { - /* at least on Linux and FreeBSD this contains the number of packets */ - *packets = response.lft_current->sadb_lifetime_allocations; - } - if (time) - { -#ifdef __APPLE__ - /* OS X uses the "last" time of use in usetime */ - *time = response.lft_current->sadb_lifetime_usetime; -#else /* !__APPLE__ */ - /* on Linux, sadb_lifetime_usetime is set to the "first" time of use, - * which is actually correct according to PF_KEY. We have to query - * policies for the last usetime. */ - *time = 0; -#endif /* !__APPLE__ */ - } - - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, del_sa, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - size_t len; - - /* if IPComp was used, we first delete the additional IPComp SA */ - if (cpi) - { - del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark); - } - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_DELETE; - msg->sadb_msg_satype = proto2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - PFKEY_EXT_ADD(msg, sa); - - /* the Linux Kernel doesn't care for the src address, but other systems do - * (e.g. FreeBSD) - */ - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), - out->sadb_msg_errno); - free(out); - return FAILED; - } - - DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, flush_sas, status_t, - private_kernel_pfkey_ipsec_t *this) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct { - u_int8_t proto; - char *name; - } protos[] = { - { SADB_SATYPE_AH, "AH" }, - { SADB_SATYPE_ESP, "ESP" }, - { SADB_X_SATYPE_IPCOMP, "IPComp" }, - }; - size_t len; - int i; - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_FLUSH; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - for (i = 0; i < countof(protos); i++) - { - DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name); - - msg->sadb_msg_satype = protos[i].proto; - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to flush %s SAD entries: %s (%d)", - protos[i].name, strerror(out->sadb_msg_errno), - out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - } - return SUCCESS; -} - -/** - * Add an explicit exclude route to a routing entry - */ -static void add_exclude_route(private_kernel_pfkey_ipsec_t *this, - route_entry_t *route, host_t *src, host_t *dst) -{ - enumerator_t *enumerator; - exclude_route_t *exclude; - host_t *gtw; - - enumerator = this->excludes->create_enumerator(this->excludes); - while (enumerator->enumerate(enumerator, &exclude)) - { - if (dst->ip_equals(dst, exclude->dst)) - { - route->exclude = exclude; - exclude->refs++; - } - } - enumerator->destroy(enumerator); - - if (!route->exclude) - { - DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src); - gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface, - dst, -1, NULL); - if (gtw) - { - char *if_name = NULL; - - if (hydra->kernel_interface->get_interface( - hydra->kernel_interface, src, &if_name) && - hydra->kernel_interface->add_route(hydra->kernel_interface, - dst->get_address(dst), - dst->get_family(dst) == AF_INET ? 32 : 128, - gtw, src, if_name) == SUCCESS) - { - INIT(exclude, - .dst = dst->clone(dst), - .src = src->clone(src), - .gtw = gtw->clone(gtw), - .refs = 1, - ); - route->exclude = exclude; - this->excludes->insert_last(this->excludes, exclude); - } - else - { - DBG1(DBG_KNL, "installing exclude route for %H failed", dst); - } - gtw->destroy(gtw); - free(if_name); - } - else - { - DBG1(DBG_KNL, "gateway lookup for for %H failed", dst); - } - } -} - -/** - * Remove an exclude route attached to a routing entry - */ -static void remove_exclude_route(private_kernel_pfkey_ipsec_t *this, - route_entry_t *route) -{ - if (route->exclude) - { - enumerator_t *enumerator; - exclude_route_t *exclude; - bool removed = FALSE; - host_t *dst; - - enumerator = this->excludes->create_enumerator(this->excludes); - while (enumerator->enumerate(enumerator, &exclude)) - { - if (route->exclude == exclude) - { - if (--exclude->refs == 0) - { - this->excludes->remove_at(this->excludes, enumerator); - removed = TRUE; - break; - } - } - } - enumerator->destroy(enumerator); - - if (removed) - { - char *if_name = NULL; - - dst = route->exclude->dst; - DBG2(DBG_KNL, "uninstalling exclude route for %H src %H", - dst, route->exclude->src); - if (hydra->kernel_interface->get_interface( - hydra->kernel_interface, - route->exclude->src, &if_name) && - hydra->kernel_interface->del_route(hydra->kernel_interface, - dst->get_address(dst), - dst->get_family(dst) == AF_INET ? 32 : 128, - route->exclude->gtw, route->exclude->src, - if_name) != SUCCESS) - { - DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst); - } - exclude_route_destroy(route->exclude); - free(if_name); - } - route->exclude = NULL; - } -} - -/** - * Try to install a route to the given inbound policy - */ -static bool install_route(private_kernel_pfkey_ipsec_t *this, - policy_entry_t *policy, policy_sa_in_t *in) -{ - route_entry_t *route, *old; - host_t *host, *src, *dst; - bool is_virtual; - - if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface, - in->dst_ts, &host, &is_virtual) != SUCCESS) - { - return FALSE; - } - - /* switch src/dst, as we handle an IN policy */ - src = in->generic.sa->dst; - dst = in->generic.sa->src; - - INIT(route, - .prefixlen = policy->src.mask, - .src_ip = host, - .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)), - ); - - if (!dst->is_anyaddr(dst)) - { - route->gateway = hydra->kernel_interface->get_nexthop( - hydra->kernel_interface, dst, -1, src); - - /* if the IP is virtual, we install the route over the interface it has - * been installed on. Otherwise we use the interface we use for IKE, as - * this is required for example on Linux. */ - if (is_virtual) - { - src = route->src_ip; - } - } - else - { /* for shunt policies */ - route->gateway = hydra->kernel_interface->get_nexthop( - hydra->kernel_interface, policy->src.net, - policy->src.mask, route->src_ip); - - /* we don't have a source address, use the address we found */ - src = route->src_ip; - } - - /* get interface for route, using source address */ - if (!hydra->kernel_interface->get_interface(hydra->kernel_interface, - src, &route->if_name)) - { - route_entry_destroy(route); - return FALSE; - } - - if (policy->route) - { - old = policy->route; - - if (route_entry_equals(old, route)) - { /* such a route already exists */ - route_entry_destroy(route); - return TRUE; - } - /* uninstall previously installed route */ - if (hydra->kernel_interface->del_route(hydra->kernel_interface, - old->dst_net, old->prefixlen, old->gateway, - old->src_ip, old->if_name) != SUCCESS) - { - DBG1(DBG_KNL, "error uninstalling route installed with policy " - "%R === %R %N", in->src_ts, in->dst_ts, - policy_dir_names, policy->direction); - } - route_entry_destroy(old); - policy->route = NULL; - } - - /* if remote traffic selector covers the IKE peer, add an exclude route */ - if (hydra->kernel_interface->get_features( - hydra->kernel_interface) & KERNEL_REQUIRE_EXCLUDE_ROUTE) - { - if (in->src_ts->is_host(in->src_ts, dst)) - { - DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts " - "with IKE traffic", in->src_ts, in->dst_ts, policy_dir_names, - policy->direction); - route_entry_destroy(route); - return FALSE; - } - if (in->src_ts->includes(in->src_ts, dst)) - { - add_exclude_route(this, route, in->generic.sa->dst, dst); - } - } - - DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", - in->src_ts, route->gateway, route->src_ip, route->if_name); - - switch (hydra->kernel_interface->add_route(hydra->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name)) - { - case ALREADY_DONE: - /* route exists, do not uninstall */ - remove_exclude_route(this, route); - route_entry_destroy(route); - return TRUE; - case SUCCESS: - /* cache the installed route */ - policy->route = route; - return TRUE; - default: - DBG1(DBG_KNL, "installing route failed: %R via %H src %H dev %s", - in->src_ts, route->gateway, route->src_ip, route->if_name); - remove_exclude_route(this, route); - route_entry_destroy(route); - return FALSE; - } -} - -/** - * Add or update a policy in the kernel. - * - * Note: The mutex has to be locked when entering this function. - */ -static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this, - policy_entry_t *policy, policy_sa_t *mapping, bool update) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_x_policy *pol; - struct sadb_x_ipsecrequest *req; - ipsec_sa_t *ipsec = mapping->sa; - pfkey_msg_t response; - size_t len; - ipsec_mode_t proto_mode; - status_t status; - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD; - msg->sadb_msg_satype = 0; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg); - pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY; - pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); - pol->sadb_x_policy_id = 0; - pol->sadb_x_policy_dir = dir2kernel(policy->direction); - pol->sadb_x_policy_type = type2kernel(mapping->type); -#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY - pol->sadb_x_policy_priority = mapping->priority; -#endif - - /* one or more sadb_x_ipsecrequest extensions are added to the - * sadb_x_policy extension */ - proto_mode = ipsec->cfg.mode; - - req = (struct sadb_x_ipsecrequest*)(pol + 1); - - if (ipsec->cfg.ipcomp.transform != IPCOMP_NONE) - { - req->sadb_x_ipsecrequest_proto = IPPROTO_COMP; - - /* !!! the length here MUST be in octets instead of 64 bit words */ - req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest); - req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode); - req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid; - req->sadb_x_ipsecrequest_level = (policy->direction == POLICY_OUT) ? - IPSEC_LEVEL_UNIQUE : IPSEC_LEVEL_USE; - if (ipsec->cfg.mode == MODE_TUNNEL) - { - len = hostcpy(req + 1, ipsec->src, FALSE); - req->sadb_x_ipsecrequest_len += len; - len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE); - req->sadb_x_ipsecrequest_len += len; - /* use transport mode for other SAs */ - proto_mode = MODE_TRANSPORT; - } - - pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len); - req = (struct sadb_x_ipsecrequest*)((char*)(req) + - req->sadb_x_ipsecrequest_len); - } - - req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP - : IPPROTO_AH; - /* !!! the length here MUST be in octets instead of 64 bit words */ - req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest); - req->sadb_x_ipsecrequest_mode = mode2kernel(proto_mode); - req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid; - req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE; - if (proto_mode == MODE_TUNNEL) - { - len = hostcpy(req + 1, ipsec->src, FALSE); - req->sadb_x_ipsecrequest_len += len; - len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE); - req->sadb_x_ipsecrequest_len += len; - } - - pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len); - PFKEY_EXT_ADD(msg, pol); - - add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto, - policy->src.mask, TRUE); - add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto, - policy->dst.mask, TRUE); - -#ifdef __FreeBSD__ - { /* on FreeBSD a lifetime has to be defined to be able to later query - * the current use time. */ - struct sadb_lifetime *lft; - lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); - lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; - lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); - lft->sadb_lifetime_addtime = LONG_MAX; - PFKEY_EXT_ADD(msg, lft); - } -#endif - - this->mutex->unlock(this->mutex); - - status = pfkey_send(this, msg, &out, &len); - if (status == SUCCESS && !update && out->sadb_msg_errno == EEXIST) - { - DBG1(DBG_KNL, "policy already exists, try to update it"); - free(out); - msg->sadb_msg_type = SADB_X_SPDUPDATE; - status = pfkey_send(this, msg, &out, &len); - } - if (status != SUCCESS) - { - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to %s policy: %s (%d)", - update ? "update" : "add", strerror(out->sadb_msg_errno), - out->sadb_msg_errno); - free(out); - return FAILED; - } - else if (parse_pfkey_message(out, &response) != SUCCESS) - { - DBG1(DBG_KNL, "unable to %s policy: parsing response from kernel " - "failed", update ? "update" : "add"); - free(out); - return FAILED; - } - - /* we try to find the policy again and update the kernel index */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, NULL, - (void**)&policy) != SUCCESS) - { - DBG2(DBG_KNL, "unable to update index, the policy is already gone, " - "ignoring"); - this->mutex->unlock(this->mutex); - free(out); - return SUCCESS; - } - policy->index = response.x_policy->sadb_x_policy_id; - free(out); - - /* install a route, if: - * - this is an inbound policy (to just get one for each child) - * - we are in tunnel mode or install a bypass policy - * - routing is not disabled via strongswan.conf - */ - if (policy->direction == POLICY_IN && this->install_routes && - (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT)) - { - install_route(this, policy, (policy_sa_in_t*)mapping); - } - this->mutex->unlock(this->mutex); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, add_policy, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t priority) -{ - policy_entry_t *policy, *found = NULL; - policy_sa_t *assigned_sa, *current_sa; - enumerator_t *enumerator; - bool update = TRUE; - - if (dir2kernel(direction) == IPSEC_DIR_INVALID) - { /* FWD policies are not supported on all platforms */ - return SUCCESS; - } - - /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction); - - /* find a matching policy */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_equals, - (void**)&found, policy) == SUCCESS) - { /* use existing policy */ - DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing " - "refcount", src_ts, dst_ts, policy_dir_names, direction); - policy_entry_destroy(policy, this); - policy = found; - } - else - { /* use the new one, if we have no such policy */ - this->policies->insert_first(this->policies, policy); - policy->used_by = linked_list_create(); - } - - /* cache the assigned IPsec SA */ - assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts, - dst_ts, sa); - assigned_sa->priority = get_priority(policy, priority); - - /* insert the SA according to its priority */ - enumerator = policy->used_by->create_enumerator(policy->used_by); - while (enumerator->enumerate(enumerator, (void**)¤t_sa)) - { - if (current_sa->priority >= assigned_sa->priority) - { - break; - } - update = FALSE; - } - policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa); - enumerator->destroy(enumerator); - - if (!update) - { /* we don't update the policy if the priority is lower than that of the - * currently installed one */ - this->mutex->unlock(this->mutex); - return SUCCESS; - } - - DBG2(DBG_KNL, "%s policy %R === %R %N", - found ? "updating" : "adding", src_ts, dst_ts, - policy_dir_names, direction); - - if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS) - { - DBG1(DBG_KNL, "unable to %s policy %R === %R %N", - found ? "update" : "add", src_ts, dst_ts, - policy_dir_names, direction); - return FAILED; - } - return SUCCESS; -} - -METHOD(kernel_ipsec_t, query_policy, status_t, - private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - time_t *use_time) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_x_policy *pol; - policy_entry_t *policy, *found = NULL; - pfkey_msg_t response; - size_t len; - - if (dir2kernel(direction) == IPSEC_DIR_INVALID) - { /* FWD policies are not supported on all platforms */ - return NOT_FOUND; - } - - DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - - /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction); - - /* find a matching policy */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_equals, - (void**)&found, policy) != SUCCESS) - { - DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts, - dst_ts, policy_dir_names, direction); - policy_entry_destroy(policy, this); - this->mutex->unlock(this->mutex); - return NOT_FOUND; - } - policy_entry_destroy(policy, this); - policy = found; - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_X_SPDGET; - msg->sadb_msg_satype = 0; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg); - pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY; - pol->sadb_x_policy_id = policy->index; - pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); - pol->sadb_x_policy_dir = dir2kernel(direction); - pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; - PFKEY_EXT_ADD(msg, pol); - - add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto, - policy->src.mask, TRUE); - add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto, - policy->dst.mask, TRUE); - - this->mutex->unlock(this->mutex); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts, - dst_ts, policy_dir_names, direction, - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - else if (parse_pfkey_message(out, &response) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response " - "from kernel failed", src_ts, dst_ts, policy_dir_names, - direction); - free(out); - return FAILED; - } - else if (response.lft_current == NULL) - { - DBG2(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no " - "use time", src_ts, dst_ts, policy_dir_names, direction); - free(out); - return FAILED; - } - - /* we need the monotonic time, but the kernel returns system time. */ - if (response.lft_current->sadb_lifetime_usetime) - { - *use_time = time_monotonic(NULL) - - (time(NULL) - response.lft_current->sadb_lifetime_usetime); - } - else - { - *use_time = 0; - } - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t prio) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_x_policy *pol; - policy_entry_t *policy, *found = NULL; - policy_sa_t *mapping, *to_remove = NULL; - enumerator_t *enumerator; - bool first = TRUE, is_installed = TRUE; - u_int32_t priority; - size_t len; - ipsec_sa_t assigned_sa = { - .src = src, - .dst = dst, - .cfg = *sa, - }; - - if (dir2kernel(direction) == IPSEC_DIR_INVALID) - { /* FWD policies are not supported on all platforms */ - return SUCCESS; - } - - DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - - /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction); - - /* find a matching policy */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_equals, - (void**)&found, policy) != SUCCESS) - { - DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts, - dst_ts, policy_dir_names, direction); - policy_entry_destroy(policy, this); - this->mutex->unlock(this->mutex); - return NOT_FOUND; - } - policy_entry_destroy(policy, this); - policy = found; - - /* remove mapping to SA by reqid and priority, if multiple match, which - * could happen when rekeying due to an address change, remove the oldest */ - priority = get_priority(policy, prio); - enumerator = policy->used_by->create_enumerator(policy->used_by); - while (enumerator->enumerate(enumerator, (void**)&mapping)) - { - if (priority == mapping->priority && - ipsec_sa_equals(mapping->sa, &assigned_sa)) - { - to_remove = mapping; - is_installed = first; - } - else if (priority < mapping->priority) - { - break; - } - first = FALSE; - } - enumerator->destroy(enumerator); - if (!to_remove) - { /* sanity check */ - this->mutex->unlock(this->mutex); - return SUCCESS; - } - policy->used_by->remove(policy->used_by, to_remove, NULL); - mapping = to_remove; - - if (policy->used_by->get_count(policy->used_by) > 0) - { /* policy is used by more SAs, keep in kernel */ - DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); - policy_sa_destroy(mapping, &direction, this); - - if (!is_installed) - { /* no need to update as the policy was not installed for this SA */ - this->mutex->unlock(this->mutex); - return SUCCESS; - } - - DBG2(DBG_KNL, "updating policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - policy->used_by->get_first(policy->used_by, (void**)&mapping); - if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS) - { - DBG1(DBG_KNL, "unable to update policy %R === %R %N", - src_ts, dst_ts, policy_dir_names, direction); - return FAILED; - } - return SUCCESS; - } - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_X_SPDDELETE; - msg->sadb_msg_satype = 0; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg); - pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY; - pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); - pol->sadb_x_policy_dir = dir2kernel(direction); - pol->sadb_x_policy_type = type2kernel(mapping->type); - PFKEY_EXT_ADD(msg, pol); - - add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto, - policy->src.mask, TRUE); - add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto, - policy->dst.mask, TRUE); - - if (policy->route) - { - route_entry_t *route = policy->route; - if (hydra->kernel_interface->del_route(hydra->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name) != SUCCESS) - { - DBG1(DBG_KNL, "error uninstalling route installed with " - "policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - } - remove_exclude_route(this, route); - } - - this->policies->remove(this->policies, found, NULL); - policy_sa_destroy(mapping, &direction, this); - policy_entry_destroy(policy, this); - this->mutex->unlock(this->mutex); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts, - dst_ts, policy_dir_names, direction, - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, flush_policies, status_t, - private_kernel_pfkey_ipsec_t *this) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "flushing all policies from SPD"); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_X_SPDFLUSH; - msg->sadb_msg_satype = SADB_SATYPE_UNSPEC; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to flush SPD entries"); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to flush SPD entries: %s (%d)", - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - return SUCCESS; -} - -/** - * Register a socket for ACQUIRE/EXPIRE messages - */ -static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, - u_int8_t satype) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - size_t len; - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_REGISTER; - msg->sadb_msg_satype = satype; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to register PF_KEY socket"); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)", - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, bypass_socket, bool, - private_kernel_pfkey_ipsec_t *this, int fd, int family) -{ - struct sadb_x_policy policy; - u_int sol, ipsec_policy; - - switch (family) - { - case AF_INET: - { - sol = SOL_IP; - ipsec_policy = IP_IPSEC_POLICY; - break; - } - case AF_INET6: - { - sol = SOL_IPV6; - ipsec_policy = IPV6_IPSEC_POLICY; - break; - } - default: - return FALSE; - } - - memset(&policy, 0, sizeof(policy)); - policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t); - policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; - policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS; - - policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND; - if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) - { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); - return FALSE; - } - policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND; - if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) - { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); - return FALSE; - } - return TRUE; -} - -METHOD(kernel_ipsec_t, enable_udp_decap, bool, - private_kernel_pfkey_ipsec_t *this, int fd, int family, u_int16_t port) -{ -#ifndef __APPLE__ - int type = UDP_ENCAP_ESPINUDP; - - if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0) - { - DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno)); - return FALSE; - } -#else /* __APPLE__ */ - int intport = port; - - if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &intport, - sizeof(intport)) != 0) - { - DBG1(DBG_KNL, "could not set net.inet.ipsec.esp_port to %d: %s", - port, strerror(errno)); - return FALSE; - } -#endif /* __APPLE__ */ - - return TRUE; -} - -METHOD(kernel_ipsec_t, destroy, void, - private_kernel_pfkey_ipsec_t *this) -{ - if (this->socket > 0) - { - close(this->socket); - } - if (this->socket_events > 0) - { - lib->watcher->remove(lib->watcher, this->socket_events); - close(this->socket_events); - } - this->policies->invoke_function(this->policies, - (linked_list_invoke_t)policy_entry_destroy, - this); - this->policies->destroy(this->policies); - this->excludes->destroy(this->excludes); - this->sas->destroy(this->sas); - this->mutex->destroy(this->mutex); - this->mutex_pfkey->destroy(this->mutex_pfkey); - free(this); -} - -/* - * Described in header. - */ -kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() -{ - private_kernel_pfkey_ipsec_t *this; - bool register_for_events = TRUE; - int rcv_buffer; - - INIT(this, - .public = { - .interface = { - .get_spi = _get_spi, - .get_cpi = _get_cpi, - .add_sa = _add_sa, - .update_sa = _update_sa, - .query_sa = _query_sa, - .del_sa = _del_sa, - .flush_sas = _flush_sas, - .add_policy = _add_policy, - .query_policy = _query_policy, - .del_policy = _del_policy, - .flush_policies = _flush_policies, - .bypass_socket = _bypass_socket, - .enable_udp_decap = _enable_udp_decap, - .destroy = _destroy, - }, - }, - .policies = linked_list_create(), - .excludes = linked_list_create(), - .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash, - (hashtable_equals_t)ipsec_sa_equals, 32), - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT), - .install_routes = lib->settings->get_bool(lib->settings, - "%s.install_routes", TRUE, - lib->ns), - ); - - if (streq(lib->ns, "starter")) - { /* starter has no threads, so we do not register for kernel events */ - register_for_events = FALSE; - } - - /* create a PF_KEY socket to communicate with the kernel */ - this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); - if (this->socket <= 0) - { - DBG1(DBG_KNL, "unable to create PF_KEY socket"); - destroy(this); - return NULL; - } - - if (register_for_events) - { - /* create a PF_KEY socket for ACQUIRE & EXPIRE */ - this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); - if (this->socket_events <= 0) - { - DBG1(DBG_KNL, "unable to create PF_KEY event socket"); - destroy(this); - return NULL; - } - - rcv_buffer = lib->settings->get_int(lib->settings, - "%s.plugins.kernel-pfkey.events_buffer_size", 0, lib->ns); - if (rcv_buffer > 0) - { - if (setsockopt(this->socket_events, SOL_SOCKET, SO_RCVBUF, - &rcv_buffer, sizeof(rcv_buffer)) == -1) - { - DBG1(DBG_KNL, "unable to set receive buffer size on PF_KEY " - "event socket: %s", strerror(errno)); - } - } - - /* register the event socket */ - if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS || - register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS) - { - DBG1(DBG_KNL, "unable to register PF_KEY event socket"); - destroy(this); - return NULL; - } - - lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ, - (watcher_cb_t)receive_events, this); - } - - return &this->public; -} diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h deleted file mode 100644 index 649f93733..000000000 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup kernel_pfkey_ipsec_i kernel_pfkey_ipsec - * @{ @ingroup kernel_pfkey - */ - -#ifndef KERNEL_PFKEY_IPSEC_H_ -#define KERNEL_PFKEY_IPSEC_H_ - -#include <kernel/kernel_ipsec.h> - -typedef struct kernel_pfkey_ipsec_t kernel_pfkey_ipsec_t; - -/** - * Implementation of the kernel ipsec interface using PF_KEY. - */ -struct kernel_pfkey_ipsec_t { - - /** - * Implements kernel_ipsec_t interface - */ - kernel_ipsec_t interface; -}; - -/** - * Create a PF_KEY kernel ipsec interface instance. - * - * @return kernel_pfkey_ipsec_t instance - */ -kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create(); - -#endif /** KERNEL_PFKEY_IPSEC_H_ @}*/ diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c deleted file mode 100644 index 61d576547..000000000 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c +++ /dev/null @@ -1,82 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - - -#include "kernel_pfkey_plugin.h" - -#include "kernel_pfkey_ipsec.h" - -#include <hydra.h> - -typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t; - -/** - * private data of kernel PF_KEY plugin - */ -struct private_kernel_pfkey_plugin_t { - /** - * implements plugin interface - */ - kernel_pfkey_plugin_t public; -}; - -METHOD(plugin_t, get_name, char*, - private_kernel_pfkey_plugin_t *this) -{ - return "kernel-pfkey"; -} - -METHOD(plugin_t, get_features, int, - private_kernel_pfkey_plugin_t *this, plugin_feature_t *features[]) -{ - static plugin_feature_t f[] = { - PLUGIN_CALLBACK(kernel_ipsec_register, kernel_pfkey_ipsec_create), - PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"), - }; - *features = f; - return countof(f); -} - -METHOD(plugin_t, destroy, void, - private_kernel_pfkey_plugin_t *this) -{ - free(this); -} - -/* - * see header file - */ -plugin_t *kernel_pfkey_plugin_create() -{ - private_kernel_pfkey_plugin_t *this; - - if (!lib->caps->check(lib->caps, CAP_NET_ADMIN)) - { /* required to open PF_KEY sockets */ - DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability"); - return NULL; - } - - INIT(this, - .public = { - .plugin = { - .get_name = _get_name, - .get_features = _get_features, - .destroy = _destroy, - }, - }, - ); - - return &this->public.plugin; -} diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h deleted file mode 100644 index 51db4d8d3..000000000 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup kernel_pfkey kernel_pfkey - * @ingroup hplugins - * - * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin - * @{ @ingroup kernel_pfkey - */ - -#ifndef KERNEL_PFKEY_PLUGIN_H_ -#define KERNEL_PFKEY_PLUGIN_H_ - -#include <plugins/plugin.h> - -typedef struct kernel_pfkey_plugin_t kernel_pfkey_plugin_t; - -/** - * PF_KEY kernel interface plugin - */ -struct kernel_pfkey_plugin_t { - - /** - * implements plugin interface - */ - plugin_t plugin; -}; - -#endif /** KERNEL_PFKEY_PLUGIN_H_ @}*/ |