Diffstat (limited to 'src/libhydra')
-rw-r--r-- | src/libhydra/kernel/kernel_interface.c | 13 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_interface.h | 16 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_ipsec.h | 13 | ||||
-rw-r--r-- | src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c | 12 | ||||
-rw-r--r-- | src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 28 | ||||
-rw-r--r-- | src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 42 |
6 files changed, 112 insertions, 12 deletions
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index b6bc5d92e..650cb1e9e 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2011 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
 * Hochschule fuer Technik Rapperswil
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
@@ -294,6 +294,16 @@ METHOD(kernel_interface_t, bypass_socket, bool,
 return this->ipsec->bypass_socket(this->ipsec, fd, family);
 }
+METHOD(kernel_interface_t, enable_udp_decap, bool,
+ private_kernel_interface_t *this, int fd, int family, u_int16_t port)
+{
+ if (!this->ipsec)
+ {
+ return FALSE;
+ }
+ return this->ipsec->enable_udp_decap(this->ipsec, fd, family, port);
+}
+
 METHOD(kernel_interface_t, get_address_by_ts, status_t,
 private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
 {
@@ -539,6 +549,7 @@ kernel_interface_t *kernel_interface_create()
 .add_route = _add_route,
 .del_route = _del_route,
 .bypass_socket = _bypass_socket,
+ .enable_udp_decap = _enable_udp_decap,
 .get_address_by_ts = _get_address_by_ts,
 .add_ipsec_interface = _add_ipsec_interface,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 991cfafd0..37b72f8bb 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2011 Tobias Brunner
+ * Copyright (C) 2006-2012 Tobias Brunner
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
@@ -361,11 +361,23 @@ struct kernel_interface_t {
 *
 * @param fd socket file descriptor to setup policy for
 * @param family protocol family of the socket
- * @return TRUE of policy set up successfully
+ * @return TRUE if policy set up successfully
 */
 bool (*bypass_socket)(kernel_interface_t *this, int fd, int family);
 /**
+ * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
+ *
+ * @param fd socket file descriptor
+ * @param family protocol family of the socket
+ * @param port the UDP port
+ * @return TRUE if UDP decapsulation was enabled successfully
+ */
+ bool (*enable_udp_decap)(kernel_interface_t *this, int fd, int family,
+ u_int16_t port);
+
+
+ /**
 * manager methods
 */
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 852f0560c..500a77cad 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2011 Tobias Brunner
+ * Copyright (C) 2006-2012 Tobias Brunner
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
@@ -403,6 +403,17 @@ struct kernel_ipsec_t {
 bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);
 /**
+ * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
+ *
+ * @param fd socket file descriptor
+ * @param family protocol family of the socket
+ * @param port the UDP port
+ * @return TRUE if UDP decapsulation was enabled successfully
+ */
+ bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family,
+ u_int16_t port);
+
+ /**
 * Destroy the implementation.
 */
 void (*destroy) (kernel_ipsec_t *this);
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index 7e58cf30b..5f077b234 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
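Review bot: The new doc comment for `enable_udp_decap` in kernel_interface.h does not say which arguments an implementation actually honours or how far the effect reaches. In this same commit the netlink backend uses only `fd`, while the pfkey backend under `__APPLE__` ignores `fd` and writes `port` to a sysctl, so a caller cannot assume the setting is confined to the socket it passed. I would reword the last parameter to something like `@param port the UDP port (used only by backends that configure decapsulation per port)` and add one sentence that the setting may apply host-wide. The identical comment added to kernel_ipsec.h wants the same wording. The hunk also adds two empty lines before the following `/**`; one is enough.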
@@ -2537,13 +2537,6 @@ static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8
 return SUCCESS;
 }
-METHOD(kernel_ipsec_t, bypass_socket, bool,
- private_kernel_klips_ipsec_t *this, int fd, int family)
-{
- /* KLIPS does not need a bypass policy for IKE */
- return TRUE;
-}
-
 METHOD(kernel_ipsec_t, destroy, void,
 private_kernel_klips_ipsec_t *this)
 {
@@ -2585,7 +2578,10 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 .query_policy = _query_policy,
 .del_policy = _del_policy,
 .flush_policies = (void*)return_failed,
- .bypass_socket = _bypass_socket,
+ /* KLIPS does not need a bypass policy for IKE */
+ .bypass_socket = (void*)return_true,
+ /* KLIPS does not need enabling UDP decap explicitly */
+ .enable_udp_decap = (void*)return_true,
 .destroy = _destroy,
 },
 },
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index b46450c38..73d290051 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -58,6 +58,20 @@
 #define IPV6_XFRM_POLICY 34
 #endif /*IPV6_XFRM_POLICY*/
+/* from linux/udp.h */
+#ifndef UDP_ENCAP
+#define UDP_ENCAP 100
+#endif
+
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif
+
+/* this is not defined on some platforms */
+#ifndef SOL_UDP
+#define SOL_UDP IPPROTO_UDP
+#endif
+
 /** Default priority of installed policies */
 #define PRIO_BASE 512
@@ -2607,6 +2621,19 @@ METHOD(kernel_ipsec_t, bypass_socket, bool,
 return TRUE;
 }
+METHOD(kernel_ipsec_t, enable_udp_decap, bool,
+ private_kernel_netlink_ipsec_t *this, int fd, int family, u_int16_t port)
+{
+ int type = UDP_ENCAP_ESPINUDP;
+
+ if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
+ return FALSE;
+ }
+ return TRUE;
+}
+
 METHOD(kernel_ipsec_t, destroy, void,
 private_kernel_netlink_ipsec_t *this)
 {
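Review bot: `enable_udp_decap` in kernel_netlink_ipsec.c never reads `family` or `port`, and nothing in the function says that this is intended. A one-line comment above the setsockopt() call, for example `/* UDP_ENCAP is set per socket, so family and port are not needed here */`, would save the next reader from looking for a missing check. A FALSE return presumably leaves ESP-in-UDP traffic on that socket undecapsulated, so it is worth confirming that the caller, which is not part of this diff, surfaces the failure rather than relying on the DBG1 line alone.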
@@ -2654,6 +2681,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 .del_policy = _del_policy,
 .flush_policies = _flush_policies,
 .bypass_socket = _bypass_socket,
+ .enable_udp_decap = _enable_udp_decap,
 .destroy = _destroy,
 },
 },
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index dfe10f93f..13422670a 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -51,6 +51,9 @@
 #include <unistd.h>
 #include <time.h>
 #include <errno.h>
+#ifdef __APPLE__
+#include <sys/sysctl.h>
+#endif
 #include "kernel_pfkey_ipsec.h"
@@ -99,6 +102,20 @@
 #define IPV6_IPSEC_POLICY 34
 #endif
+/* from linux/udp.h */
+#ifndef UDP_ENCAP
+#define UDP_ENCAP 100
+#endif
+
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif
+
+/* this is not defined on some platforms */
+#ifndef SOL_UDP
+#define SOL_UDP IPPROTO_UDP
+#endif
+
 /** default priority of installed policies */
 #define PRIO_BASE 512
@@ -2488,6 +2505,30 @@ METHOD(kernel_ipsec_t, bypass_socket, bool,
 return TRUE;
 }
+METHOD(kernel_ipsec_t, enable_udp_decap, bool,
+ private_kernel_pfkey_ipsec_t *this, int fd, int family, u_int16_t port)
+{
+#ifndef __APPLE__
+ int type = UDP_ENCAP_ESPINUDP;
+
+ if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
+ return FALSE;
+ }
+#else /* __APPLE__ */
+ if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &port,
+ sizeof(port)) != 0)
+ {
+ DBG1(DBG_KNL, "could not set net.inet.ipsec.esp_port to %d: %s",
+ port, strerror(errno));
+ return FALSE;
+ }
+#endif /* __APPLE__ */
+
+ return TRUE;
+}
+
 METHOD(kernel_ipsec_t, destroy, void,
 private_kernel_pfkey_ipsec_t *this)
 {
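Review bot: The fallback values `UDP_ENCAP 100` and `UDP_ENCAP_ESPINUDP 2` added to kernel_pfkey_ipsec.c are labelled as coming from linux/udp.h, yet this plugin is evidently built for other kernels too, since the same commit adds an `__APPLE__` branch. On a platform that is neither Apple nor Linux, and whose included headers do not define `UDP_ENCAP`, the `#ifndef` fallback would silently hand Linux's option number to setsockopt(). I would put the two fallbacks inside `#ifdef __linux__` so that other platforms fail at compile time instead of at run time. The same three blocks are duplicated in kernel_netlink_ipsec.c; a shared header would keep the copies from drifting apart.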
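Review bot: In the `__APPLE__` branch of `enable_udp_decap`, sysctlbyname() is given `&port` with `sizeof(port)`, which is the two bytes of a `u_int16_t`. If net.inet.ipsec.esp_port is an int-sized sysctl, as I believe it is, the kernel will reject or misread the new value; copy it first with `int intport = port;` and pass `&intport, sizeof(intport)`. This branch also ignores `fd` and changes a host-wide setting, so the value outlives the daemon and a second call with another port replaces the first. A comment stating that in the function would help whoever calls it for more than one socket.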
@@ -2532,6 +2573,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 .del_policy = _del_policy,
 .flush_policies = _flush_policies,
 .bypass_socket = _bypass_socket,
+ .enable_udp_decap = _enable_udp_decap,
 .destroy = _destroy,
 },
 },
|