[thirdparty/strongswan.git] / src / charon-tkm / src / tkm / tkm_kernel_ipsec.c

/*
 * Copyright (C) 2017 Tobias Brunner
 * Copyright (C) 2012-2014 Reto Buerki
 * Copyright (C) 2012 Adrian-Ken Rueegsegger
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include <errno.h>
#include <netinet/udp.h>
#include <linux/xfrm.h>
#include <utils/debug.h>
#include <utils/chunk.h>
#include <tkm/constants.h>
#include <tkm/client.h>

#include "tkm.h"
#include "tkm_utils.h"
#include "tkm_types.h"
#include "tkm_keymat.h"
#include "tkm_kernel_ipsec.h"

/** From linux/in.h */
#ifndef IP_XFRM_POLICY
#define IP_XFRM_POLICY 17
#endif

typedef struct private_tkm_kernel_ipsec_t private_tkm_kernel_ipsec_t;

/**
 * Private variables and functions of TKM kernel ipsec instance.
 */
struct private_tkm_kernel_ipsec_t {

	/**
	 * Public tkm_kernel_ipsec interface.
	 */
	tkm_kernel_ipsec_t public;

	/**
	 * RNG used for SPI generation.
	 */
	rng_t *rng;

};

METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
	private_tkm_kernel_ipsec_t *this)
{
	return KERNEL_POLICY_SPI;
}

METHOD(kernel_ipsec_t, get_spi, status_t,
	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
	uint8_t protocol, uint32_t *spi)
{
	bool result;

	if (!this->rng)
	{
		this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
		if (!this->rng)
		{
			DBG1(DBG_KNL, "unable to create RNG");
			return FAILED;
		}
	}

	result = this->rng->get_bytes(this->rng, sizeof(uint32_t),
								  (uint8_t *)spi);
	return result ? SUCCESS : FAILED;
}

METHOD(kernel_ipsec_t, get_cpi, status_t,
	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
	uint16_t *cpi)
{
	return NOT_SUPPORTED;
}

METHOD(kernel_ipsec_t, add_sa, status_t,
	private_tkm_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
	kernel_ipsec_add_sa_t *data)
{
	esa_info_t esa;
	esp_spi_type spi_loc, spi_rem;
	host_t *local, *peer;
	chunk_t *nonce_loc, *nonce_rem;
	nc_id_type nonce_loc_id;
	esa_id_type esa_id;
	nonce_type nc_rem;

	if (data->enc_key.ptr == NULL)
	{
		DBG1(DBG_KNL, "Unable to get ESA information");
		return FAILED;
	}
	esa = *(esa_info_t *)(data->enc_key.ptr);

	/* only handle the case where we have both distinct ESP spi's available */
	if (esa.spi_r == id->spi)
	{
		chunk_free(&esa.nonce_i);
		chunk_free(&esa.nonce_r);
		return SUCCESS;
	}

	if (data->initiator)
	{
		spi_loc = id->spi;
		spi_rem = esa.spi_r;
		local = id->dst;
		peer = id->src;
		nonce_loc = &esa.nonce_i;
		nonce_rem = &esa.nonce_r;
	}
	else
	{
		spi_loc = esa.spi_r;
		spi_rem = id->spi;
		local = id->src;
		peer = id->dst;
		nonce_loc = &esa.nonce_r;
		nonce_rem = &esa.nonce_i;
	}

	esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
	if (esa_id == 0)
	{
		DBG1(DBG_KNL, "unable to acquire esa context id");
		goto esa_id_failure;
	}

	if (!tkm->sad->insert(tkm->sad, esa_id, data->reqid, local, peer,
						  spi_loc, spi_rem, id->proto))
	{
		DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id);
		goto sad_failure;
	}

	/*
	 * creation of first CHILD SA:
	 * no nonce and no dh contexts because the ones from the IKE SA are re-used
	 */
	nonce_loc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce_loc);
	if (nonce_loc_id == 0 && esa.dh_id == 0)
	{
		if (ike_esa_create_first(esa_id, esa.isa_id, data->reqid, 1, spi_loc,
								 spi_rem) != TKM_OK)
		{
			DBG1(DBG_KNL, "child SA (%llu, first) creation failed", esa_id);
			goto failure;
		}
	}
	/* creation of child SA without PFS: no dh context */
	else if (nonce_loc_id != 0 && esa.dh_id == 0)
	{
		chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
		if (ike_esa_create_no_pfs(esa_id, esa.isa_id, data->reqid, 1,
								  nonce_loc_id, nc_rem, data->initiator,
								  spi_loc, spi_rem) != TKM_OK)
		{
			DBG1(DBG_KNL, "child SA (%llu, no PFS) creation failed", esa_id);
			goto failure;
		}
		tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
	}
	/* creation of subsequent child SA with PFS: nonce and dh context are set */
	else
	{
		chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
		if (ike_esa_create(esa_id, esa.isa_id, data->reqid, 1, esa.dh_id,
						   nonce_loc_id, nc_rem, data->initiator, spi_loc,
						   spi_rem) != TKM_OK)
		{
			DBG1(DBG_KNL, "child SA (%llu) creation failed", esa_id);
			goto failure;
		}
		tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
	}

	DBG1(DBG_KNL, "added child SA (esa: %llu, isa: %llu, esp_spi_loc: %x, "
		 "esp_spi_rem: %x, role: %s)", esa_id, esa.isa_id, ntohl(spi_loc),
		 ntohl(spi_rem), data->initiator ? "initiator" : "responder");
	chunk_free(&esa.nonce_i);
	chunk_free(&esa.nonce_r);

	return SUCCESS;

failure:
	ike_esa_reset(esa_id);
	tkm->sad->remove(tkm->sad, esa_id);
sad_failure:
	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
esa_id_failure:
	chunk_free(&esa.nonce_i);
	chunk_free(&esa.nonce_r);
	return FAILED;
}

METHOD(kernel_ipsec_t, query_sa, status_t,
	private_tkm_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
	kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
	time_t *time)
{
	return NOT_SUPPORTED;
}

METHOD(kernel_ipsec_t, del_sa, status_t,
	private_tkm_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
	kernel_ipsec_del_sa_t *data)
{
	esa_id_type esa_id;

	esa_id = tkm->sad->get_esa_id(tkm->sad, id->src, id->dst,
								  id->spi, id->proto, TRUE);
	if (esa_id)
	{
		DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
			 ntohl(id->spi));
		if (ike_esa_reset(esa_id) != TKM_OK)
		{
			DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
			return FAILED;
		}
		tkm->sad->remove(tkm->sad, esa_id);
		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
	}
	return SUCCESS;
}

METHOD(kernel_ipsec_t, update_sa, status_t,
	private_tkm_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
	kernel_ipsec_update_sa_t *data)
{
	return NOT_SUPPORTED;
}

METHOD(kernel_ipsec_t, flush_sas, status_t,
	private_tkm_kernel_ipsec_t *this)
{
	DBG1(DBG_KNL, "flushing child SA entries");
	return SUCCESS;
}

METHOD(kernel_ipsec_t, add_policy, status_t,
	private_tkm_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
	kernel_ipsec_manage_policy_t *data)
{
	esa_id_type esa_id;
	uint32_t spi;
	uint8_t proto;

	if (id->dir == POLICY_OUT && data->type == POLICY_IPSEC &&
		data->prio == POLICY_PRIORITY_DEFAULT)
	{
		if (data->sa->esp.use)
		{
			spi = data->sa->esp.spi;
			proto = IPPROTO_ESP;
		}
		else if (data->sa->ah.use)
		{
			spi = data->sa->ah.spi;
			proto = IPPROTO_AH;
		}
		else
		{
			return FAILED;
		}
		esa_id = tkm->sad->get_esa_id(tkm->sad, data->src, data->dst,
									  spi, proto, FALSE);
		if (!esa_id)
		{
			DBG1(DBG_KNL, "unable to find esa ID for policy (spi: %x)",
				 ntohl(spi));
			return FAILED;
		}
		DBG1(DBG_KNL, "selecting child SA (esa: %llu, spi: %x)", esa_id,
			 ntohl(spi));
		if (ike_esa_select(esa_id) != TKM_OK)
		{
			DBG1(DBG_KNL, "error selecting new child SA (%llu)", esa_id);
			return FAILED;
		}
	}
	return SUCCESS;
}

METHOD(kernel_ipsec_t, query_policy, status_t,
	private_tkm_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
	kernel_ipsec_query_policy_t *data, time_t *use_time)
{
	return NOT_SUPPORTED;
}

METHOD(kernel_ipsec_t, del_policy, status_t,
	private_tkm_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
	kernel_ipsec_manage_policy_t *data)
{
	return SUCCESS;
}

METHOD(kernel_ipsec_t, flush_policies, status_t,
	private_tkm_kernel_ipsec_t *this)
{
	return SUCCESS;
}


METHOD(kernel_ipsec_t, bypass_socket, bool,
	private_tkm_kernel_ipsec_t *this, int fd, int family)
{
	struct xfrm_userpolicy_info policy;
	u_int sol, ipsec_policy;

	switch (family)
	{
		case AF_INET:
			sol = SOL_IP;
			ipsec_policy = IP_XFRM_POLICY;
			break;
		case AF_INET6:
			sol = SOL_IPV6;
			ipsec_policy = IPV6_XFRM_POLICY;
			break;
		default:
			return FALSE;
	}

	memset(&policy, 0, sizeof(policy));
	policy.action = XFRM_POLICY_ALLOW;
	policy.sel.family = family;

	policy.dir = XFRM_POLICY_OUT;
	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
	{
		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
			 strerror(errno));
		return FALSE;
	}
	policy.dir = XFRM_POLICY_IN;
	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
	{
		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
			 strerror(errno));
		return FALSE;
	}
	return TRUE;
}

METHOD(kernel_ipsec_t, enable_udp_decap, bool,
	private_tkm_kernel_ipsec_t *this, int fd, int family, uint16_t port)
{
	int type = UDP_ENCAP_ESPINUDP;

	if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
	{
		DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
		return FALSE;
	}
	return TRUE;
}

METHOD(kernel_ipsec_t, destroy, void,
	private_tkm_kernel_ipsec_t *this)
{
	DESTROY_IF(this->rng);
	free(this);
}

/*
 * Described in header.
 */
tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
{
	private_tkm_kernel_ipsec_t *this;

	INIT(this,
		.public = {
			.interface = {
				.get_features = _get_features,
				.get_spi = _get_spi,
				.get_cpi = _get_cpi,
				.add_sa  = _add_sa,
				.update_sa = _update_sa,
				.query_sa = _query_sa,
				.del_sa = _del_sa,
				.flush_sas = _flush_sas,
				.add_policy = _add_policy,
				.query_policy = _query_policy,
				.del_policy = _del_policy,
				.flush_policies = _flush_policies,
				.bypass_socket = _bypass_socket,
				.enable_udp_decap = _enable_udp_decap,
				.destroy = _destroy,
			},
		},
	);

	return &this->public;
}
Commit	Line	Data
8a780242	1	/*
d24b831f	2	* Copyright (C) 2017 Tobias Brunner
fa4f66cb	3	* Copyright (C) 2012-2014 Reto Buerki
8a780242	4	* Copyright (C) 2012 Adrian-Ken Rueegsegger
19ef2aec TB	5	*
19ef2aec TB	6	* Copyright (C) secunet Security Networks AG
8a780242 AKR	7	*
	8	* This program is free software; you can redistribute it and/or modify it
	9	* under the terms of the GNU General Public License as published by the
	10	* Free Software Foundation; either version 2 of the License, or (at your
	11	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	12	*
	13	* This program is distributed in the hope that it will be useful, but
	14	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	15	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	16	* for more details.
	17	*/
	18
a642e3ba RB	19	#include <errno.h>
	20	#include <netinet/udp.h>
	21	#include <linux/xfrm.h>
8a780242	22	#include <utils/debug.h>
6c237edb	23	#include <utils/chunk.h>
b94a0bef AKR	24	#include <tkm/constants.h>
b94a0bef AKR	25	#include <tkm/client.h>
8a780242	26
de202301	27	#include "tkm.h"
4a152920	28	#include "tkm_utils.h"
b94a0bef AKR	29	#include "tkm_types.h"
b94a0bef AKR	30	#include "tkm_keymat.h"
8a780242 AKR	31	#include "tkm_kernel_ipsec.h"
8a780242 AKR	32
41eaaef7 RB	33	/** From linux/in.h */
	34	#ifndef IP_XFRM_POLICY
	35	#define IP_XFRM_POLICY 17
	36	#endif
	37
8a780242 AKR	38	typedef struct private_tkm_kernel_ipsec_t private_tkm_kernel_ipsec_t;
	39
	40	/**
	41	* Private variables and functions of TKM kernel ipsec instance.
	42	*/
	43	struct private_tkm_kernel_ipsec_t {
	44
	45	/**
	46	* Public tkm_kernel_ipsec interface.
	47	*/
	48	tkm_kernel_ipsec_t public;
	49
d0ab667c AKR	50	/**
	51	* RNG used for SPI generation.
	52	*/
	53	rng_t *rng;
	54
8a780242 AKR	55	};
8a780242 AKR	56
0d42a762 TB	57	METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
	58	private_tkm_kernel_ipsec_t *this)
	59	{
	60	return KERNEL_POLICY_SPI;
	61	}
	62
8a780242 AKR	63	METHOD(kernel_ipsec_t, get_spi, status_t,
8a780242 AKR	64	private_tkm_kernel_ipsec_t this, host_t src, host_t *dst,
b12c53ce	65	uint8_t protocol, uint32_t *spi)
8a780242	66	{
7cc6fa1a AKR	67	bool result;
7cc6fa1a AKR	68
ae6f4ee3 RB	69	if (!this->rng)
	70	{
	71	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
	72	if (!this->rng)
	73	{
	74	DBG1(DBG_KNL, "unable to create RNG");
	75	return FAILED;
	76	}
	77	}
	78
b12c53ce AS	79	result = this->rng->get_bytes(this->rng, sizeof(uint32_t),
b12c53ce AS	80	(uint8_t *)spi);
d0ab667c	81	return result ? SUCCESS : FAILED;
8a780242 AKR	82	}
	83
	84	METHOD(kernel_ipsec_t, get_cpi, status_t,
	85	private_tkm_kernel_ipsec_t this, host_t src, host_t *dst,
b12c53ce	86	uint16_t *cpi)
8a780242 AKR	87	{
	88	return NOT_SUPPORTED;
	89	}
	90
	91	METHOD(kernel_ipsec_t, add_sa, status_t,
89da06ac TB	92	private_tkm_kernel_ipsec_t this, kernel_ipsec_sa_id_t id,
89da06ac TB	93	kernel_ipsec_add_sa_t *data)
8a780242	94	{
7cc6fa1a	95	esa_info_t esa;
7cc6fa1a AKR	96	esp_spi_type spi_loc, spi_rem;
	97	host_t local, peer;
	98	chunk_t nonce_loc, nonce_rem;
	99	nc_id_type nonce_loc_id;
	100	esa_id_type esa_id;
	101	nonce_type nc_rem;
	102
89da06ac	103	if (data->enc_key.ptr == NULL)
b94a0bef	104	{
4a152920 AKR	105	DBG1(DBG_KNL, "Unable to get ESA information");
	106	return FAILED;
	107	}
89da06ac	108	esa = (esa_info_t )(data->enc_key.ptr);
4a152920 AKR	109
4a152920 AKR	110	/* only handle the case where we have both distinct ESP spi's available */
89da06ac	111	if (esa.spi_r == id->spi)
4a152920 AKR	112	{
	113	chunk_free(&esa.nonce_i);
	114	chunk_free(&esa.nonce_r);
b94a0bef AKR	115	return SUCCESS;
b94a0bef AKR	116	}
4a152920	117
89da06ac	118	if (data->initiator)
4a152920	119	{
89da06ac	120	spi_loc = id->spi;
4a152920	121	spi_rem = esa.spi_r;
89da06ac TB	122	local = id->dst;
89da06ac TB	123	peer = id->src;
4a152920 AKR	124	nonce_loc = &esa.nonce_i;
	125	nonce_rem = &esa.nonce_r;
	126	}
	127	else
	128	{
	129	spi_loc = esa.spi_r;
89da06ac TB	130	spi_rem = id->spi;
	131	local = id->src;
	132	peer = id->dst;
4a152920 AKR	133	nonce_loc = &esa.nonce_r;
	134	nonce_rem = &esa.nonce_i;
	135	}
	136
7cc6fa1a	137	esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
59e7298f AKR	138	if (esa_id == 0)
	139	{
	140	DBG1(DBG_KNL, "unable to acquire esa context id");
	141	goto esa_id_failure;
	142	}
	143
89da06ac TB	144	if (!tkm->sad->insert(tkm->sad, esa_id, data->reqid, local, peer,
89da06ac TB	145	spi_loc, spi_rem, id->proto))
de202301 AKR	146	{
de202301 AKR	147	DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id);
4a152920	148	goto sad_failure;
de202301	149	}
4a152920 AKR	150
	151	/*
	152	* creation of first CHILD SA:
	153	* no nonce and no dh contexts because the ones from the IKE SA are re-used
	154	*/
7cc6fa1a	155	nonce_loc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce_loc);
4a152920	156	if (nonce_loc_id == 0 && esa.dh_id == 0)
b94a0bef	157	{
89da06ac TB	158	if (ike_esa_create_first(esa_id, esa.isa_id, data->reqid, 1, spi_loc,
89da06ac TB	159	spi_rem) != TKM_OK)
4a152920 AKR	160	{
	161	DBG1(DBG_KNL, "child SA (%llu, first) creation failed", esa_id);
	162	goto failure;
	163	}
b94a0bef	164	}
4a152920 AKR	165	/* creation of child SA without PFS: no dh context */
	166	else if (nonce_loc_id != 0 && esa.dh_id == 0)
	167	{
0f0165c8	168	chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
89da06ac TB	169	if (ike_esa_create_no_pfs(esa_id, esa.isa_id, data->reqid, 1,
	170	nonce_loc_id, nc_rem, data->initiator,
	171	spi_loc, spi_rem) != TKM_OK)
4a152920 AKR	172	{
	173	DBG1(DBG_KNL, "child SA (%llu, no PFS) creation failed", esa_id);
	174	goto failure;
	175	}
5460098c	176	tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
4a152920 AKR	177	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
	178	}
	179	/* creation of subsequent child SA with PFS: nonce and dh context are set */
	180	else
	181	{
0f0165c8	182	chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
89da06ac TB	183	if (ike_esa_create(esa_id, esa.isa_id, data->reqid, 1, esa.dh_id,
	184	nonce_loc_id, nc_rem, data->initiator, spi_loc,
	185	spi_rem) != TKM_OK)
4a152920 AKR	186	{
	187	DBG1(DBG_KNL, "child SA (%llu) creation failed", esa_id);
	188	goto failure;
	189	}
5460098c	190	tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
4a152920 AKR	191	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
4a152920 AKR	192	}
1c1400f0	193
4a152920 AKR	194	DBG1(DBG_KNL, "added child SA (esa: %llu, isa: %llu, esp_spi_loc: %x, "
4a152920 AKR	195	"esp_spi_rem: %x, role: %s)", esa_id, esa.isa_id, ntohl(spi_loc),
89da06ac	196	ntohl(spi_rem), data->initiator ? "initiator" : "responder");
4a152920 AKR	197	chunk_free(&esa.nonce_i);
	198	chunk_free(&esa.nonce_r);
	199
6c237edb	200	return SUCCESS;
4a152920 AKR	201
4a152920 AKR	202	failure:
fc08e6af	203	ike_esa_reset(esa_id);
fa4f66cb	204	tkm->sad->remove(tkm->sad, esa_id);
4a152920 AKR	205	sad_failure:
4a152920 AKR	206	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
59e7298f	207	esa_id_failure:
4a152920 AKR	208	chunk_free(&esa.nonce_i);
	209	chunk_free(&esa.nonce_r);
	210	return FAILED;
8a780242 AKR	211	}
	212
	213	METHOD(kernel_ipsec_t, query_sa, status_t,
89da06ac TB	214	private_tkm_kernel_ipsec_t this, kernel_ipsec_sa_id_t id,
	215	kernel_ipsec_query_sa_t data, uint64_t bytes, uint64_t *packets,
	216	time_t *time)
8a780242 AKR	217	{
	218	return NOT_SUPPORTED;
	219	}
	220
	221	METHOD(kernel_ipsec_t, del_sa, status_t,
89da06ac TB	222	private_tkm_kernel_ipsec_t this, kernel_ipsec_sa_id_t id,
89da06ac TB	223	kernel_ipsec_del_sa_t *data)
8a780242	224	{
d24b831f	225	esa_id_type esa_id;
7cc6fa1a	226
89da06ac	227	esa_id = tkm->sad->get_esa_id(tkm->sad, id->src, id->dst,
77295777	228	id->spi, id->proto, TRUE);
de202301 AKR	229	if (esa_id)
	230	{
	231	DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
89da06ac	232	ntohl(id->spi));
de202301 AKR	233	if (ike_esa_reset(esa_id) != TKM_OK)
	234	{
	235	DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
	236	return FAILED;
	237	}
fa4f66cb	238	tkm->sad->remove(tkm->sad, esa_id);
de202301 AKR	239	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
de202301 AKR	240	}
6c237edb	241	return SUCCESS;
8a780242 AKR	242	}
	243
	244	METHOD(kernel_ipsec_t, update_sa, status_t,
89da06ac TB	245	private_tkm_kernel_ipsec_t this, kernel_ipsec_sa_id_t id,
89da06ac TB	246	kernel_ipsec_update_sa_t *data)
8a780242 AKR	247	{
	248	return NOT_SUPPORTED;
	249	}
	250
	251	METHOD(kernel_ipsec_t, flush_sas, status_t,
	252	private_tkm_kernel_ipsec_t *this)
	253	{
	254	DBG1(DBG_KNL, "flushing child SA entries");
6c237edb	255	return SUCCESS;
8a780242 AKR	256	}
	257
	258	METHOD(kernel_ipsec_t, add_policy, status_t,
89da06ac TB	259	private_tkm_kernel_ipsec_t this, kernel_ipsec_policy_id_t id,
89da06ac TB	260	kernel_ipsec_manage_policy_t *data)
8a780242	261	{
d24b831f TB	262	esa_id_type esa_id;
	263	uint32_t spi;
	264	uint8_t proto;
	265
	266	if (id->dir == POLICY_OUT && data->type == POLICY_IPSEC &&
	267	data->prio == POLICY_PRIORITY_DEFAULT)
	268	{
	269	if (data->sa->esp.use)
	270	{
	271	spi = data->sa->esp.spi;
	272	proto = IPPROTO_ESP;
	273	}
	274	else if (data->sa->ah.use)
	275	{
	276	spi = data->sa->ah.spi;
	277	proto = IPPROTO_AH;
	278	}
	279	else
	280	{
	281	return FAILED;
	282	}
	283	esa_id = tkm->sad->get_esa_id(tkm->sad, data->src, data->dst,
77295777	284	spi, proto, FALSE);
d24b831f TB	285	if (!esa_id)
	286	{
	287	DBG1(DBG_KNL, "unable to find esa ID for policy (spi: %x)",
	288	ntohl(spi));
	289	return FAILED;
	290	}
	291	DBG1(DBG_KNL, "selecting child SA (esa: %llu, spi: %x)", esa_id,
	292	ntohl(spi));
	293	if (ike_esa_select(esa_id) != TKM_OK)
	294	{
	295	DBG1(DBG_KNL, "error selecting new child SA (%llu)", esa_id);
	296	return FAILED;
	297	}
	298	}
6c237edb	299	return SUCCESS;
8a780242 AKR	300	}
	301
	302	METHOD(kernel_ipsec_t, query_policy, status_t,
89da06ac TB	303	private_tkm_kernel_ipsec_t this, kernel_ipsec_policy_id_t id,
89da06ac TB	304	kernel_ipsec_query_policy_t data, time_t use_time)
8a780242 AKR	305	{
	306	return NOT_SUPPORTED;
	307	}
	308
	309	METHOD(kernel_ipsec_t, del_policy, status_t,
89da06ac TB	310	private_tkm_kernel_ipsec_t this, kernel_ipsec_policy_id_t id,
89da06ac TB	311	kernel_ipsec_manage_policy_t *data)
8a780242	312	{
6c237edb	313	return SUCCESS;
8a780242 AKR	314	}
	315
	316	METHOD(kernel_ipsec_t, flush_policies, status_t,
	317	private_tkm_kernel_ipsec_t *this)
	318	{
6c237edb	319	return SUCCESS;
8a780242 AKR	320	}
	321
	322
	323	METHOD(kernel_ipsec_t, bypass_socket, bool,
	324	private_tkm_kernel_ipsec_t *this, int fd, int family)
	325	{
a642e3ba RB	326	struct xfrm_userpolicy_info policy;
	327	u_int sol, ipsec_policy;
	328
	329	switch (family)
	330	{
	331	case AF_INET:
	332	sol = SOL_IP;
	333	ipsec_policy = IP_XFRM_POLICY;
	334	break;
	335	case AF_INET6:
	336	sol = SOL_IPV6;
	337	ipsec_policy = IPV6_XFRM_POLICY;
	338	break;
	339	default:
	340	return FALSE;
	341	}
	342
	343	memset(&policy, 0, sizeof(policy));
	344	policy.action = XFRM_POLICY_ALLOW;
	345	policy.sel.family = family;
	346
	347	policy.dir = XFRM_POLICY_OUT;
	348	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
	349	{
	350	DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
7cc6fa1a	351	strerror(errno));
a642e3ba RB	352	return FALSE;
	353	}
	354	policy.dir = XFRM_POLICY_IN;
	355	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
	356	{
	357	DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
7cc6fa1a	358	strerror(errno));
a642e3ba RB	359	return FALSE;
	360	}
	361	return TRUE;
8a780242 AKR	362	}
	363
	364	METHOD(kernel_ipsec_t, enable_udp_decap, bool,
b12c53ce	365	private_tkm_kernel_ipsec_t *this, int fd, int family, uint16_t port)
8a780242	366	{
a642e3ba RB	367	int type = UDP_ENCAP_ESPINUDP;
	368
	369	if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
	370	{
	371	DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
	372	return FALSE;
	373	}
	374	return TRUE;
8a780242 AKR	375	}
	376
	377	METHOD(kernel_ipsec_t, destroy, void,
	378	private_tkm_kernel_ipsec_t *this)
	379	{
d0ab667c	380	DESTROY_IF(this->rng);
8a780242 AKR	381	free(this);
	382	}
	383
	384	/*
	385	* Described in header.
	386	*/
	387	tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
	388	{
	389	private_tkm_kernel_ipsec_t *this;
	390
	391	INIT(this,
	392	.public = {
	393	.interface = {
0d42a762	394	.get_features = _get_features,
8a780242 AKR	395	.get_spi = _get_spi,
	396	.get_cpi = _get_cpi,
	397	.add_sa = _add_sa,
	398	.update_sa = _update_sa,
	399	.query_sa = _query_sa,
	400	.del_sa = _del_sa,
	401	.flush_sas = _flush_sas,
	402	.add_policy = _add_policy,
	403	.query_policy = _query_policy,
	404	.del_policy = _del_policy,
	405	.flush_policies = _flush_policies,
	406	.bypass_socket = _bypass_socket,
	407	.enable_udp_decap = _enable_udp_decap,
	408	.destroy = _destroy,
	409	},
	410	},
8a780242 AKR	411	);
8a780242 AKR	412
8a780242 AKR	413	return &this->public;
8a780242 AKR	414	}