Merge branch 'opaque-ports'

Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.

man/ipsec.conf.5.in

@@ -742,6 +742,14 @@ can be used to the same effect, e.g.
 .B leftprotoport=udp/%any
 or
 .BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
 .TP
 .BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
 the left participant's public key for RSA signature authentication, in RFC 2537

src/conftest/config.c

@@ -188,7 +188,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			ts = traffic_selector_create_from_cidr(token, 0, 0);
+			ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
 			if (ts)
 			{
 				child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@@ -212,7 +212,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			ts = traffic_selector_create_from_cidr(token, 0, 0);
+			ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
 			if (ts)
 			{
 				child_cfg->add_traffic_selector(child_cfg, FALSE, ts);

src/libcharon/encoding/payloads/traffic_selector_substructure.c

@@ -114,7 +114,11 @@ METHOD(payload_t, verify, status_t,
 {
 	if (this->start_port > this->end_port)
 	{
-		return FAILED;
+		/* OPAQUE ports are the only exception */
+		if (this->start_port != 0xffff && this->end_port != 0)
+		{
+			return FAILED;
+		}
 	}
 	switch (this->ts_type)
 	{

src/libcharon/plugins/load_tester/load_tester_config.c

@@ -369,7 +369,7 @@ static void add_ts(char *string, child_cfg_t *cfg, bool local)
 
 	if (string)
 	{
-		ts = traffic_selector_create_from_cidr(string, 0, 0);
+		ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
 		if (!ts)
 		{
 			DBG1(DBG_CFG, "parsing TS string '%s' failed", string);

src/libcharon/plugins/medcli/medcli_config.c

@@ -63,7 +63,7 @@ static traffic_selector_t *ts_from_string(char *str)
 	{
 		traffic_selector_t *ts;
 
-		ts = traffic_selector_create_from_cidr(str, 0, 0);
+		ts = traffic_selector_create_from_cidr(str, 0, 0, 65535);
 		if (ts)
 		{
 			return ts;

src/libcharon/plugins/stroke/stroke_config.c

@@ -878,7 +878,7 @@ static void add_ts(private_stroke_config_t *this,
 	if (end->tohost)
 	{
 		ts = traffic_selector_create_dynamic(end->protocol,
-					end->port ? end->port : 0, end->port ? end->port : 65535);
+											 end->from_port, end->to_port);
 		child_cfg->add_traffic_selector(child_cfg, local, ts);
 	}
 	else
@@ -891,7 +891,7 @@ static void add_ts(private_stroke_config_t *this,
 			if (net)
 			{
 				ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
-														 end->port);
+												end->from_port, end->to_port);
 				child_cfg->add_traffic_selector(child_cfg, local, ts);
 			}
 		}
@@ -903,8 +903,8 @@ static void add_ts(private_stroke_config_t *this,
 			enumerator = enumerator_create_token(end->subnets, ",", " ");
 			while (enumerator->enumerate(enumerator, &subnet))
 			{
-				ts = traffic_selector_create_from_cidr(subnet,
-													end->protocol, end->port);
+				ts = traffic_selector_create_from_cidr(subnet, end->protocol,
+												end->from_port, end->to_port);
 				if (ts)
 				{
 					child_cfg->add_traffic_selector(child_cfg, local, ts);

src/libcharon/plugins/uci/uci_config.c

@@ -89,7 +89,7 @@ static traffic_selector_t *create_ts(char *string)
 	{
 		traffic_selector_t *ts;
 
-		ts = traffic_selector_create_from_cidr(string, 0, 0);
+		ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
 		if (ts)
 		{
 			return ts;

src/libcharon/plugins/unity/unity_handler.c

@@ -192,7 +192,8 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 		{
 			has_vip = TRUE;
 			child_cfg->add_traffic_selector(child_cfg, TRUE,
-				traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0));
+				traffic_selector_create_from_subnet(host->clone(host),
+													32, 0, 0, 65535));
 		}
 		enumerator->destroy(enumerator);
 
@@ -200,7 +201,8 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 		{
 			host = ike_sa->get_my_host(ike_sa);
 			child_cfg->add_traffic_selector(child_cfg, TRUE,
-				traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0));
+				traffic_selector_create_from_subnet(host->clone(host), 32, 0,
+													0, 65535));
 		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 

src/libcharon/sa/ikev1/tasks/quick_mode.c

@@ -576,12 +576,12 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 	if (!tsi)
 	{
 		tsi = traffic_selector_create_from_subnet(hsi->clone(hsi),
-							hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0);
+					hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0, 65535);
 	}
 	if (!tsr)
 	{
 		tsr = traffic_selector_create_from_subnet(hsr->clone(hsr),
-							hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0);
+					hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0, 65535);
 	}
 	if (this->mode == MODE_TRANSPORT && this->udp &&
 	   (!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr)))

src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c

@@ -787,7 +787,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 	if (host)
 	{
 		return traffic_selector_create_from_subnet(host, prefixlen,
-												   sel->proto, port);
+											sel->proto, port, port ?: 65535);
 	}
 	return NULL;
 }

src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

@@ -953,7 +953,8 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
 	ts = traffic_selector_create_from_subnet(host,
 											 address->sadb_address_prefixlen,
 											 address->sadb_address_proto,
-											 host->get_port(host));
+											 host->get_port(host),
+											 host->get_port(host) ?: 65535);
 	return ts;
 }
 
@@ -2654,4 +2655,3 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 
 	return &this->public;
 }
-

src/libstrongswan/selectors/traffic_selector.c

@@ -174,7 +174,24 @@ static u_int8_t calc_netbits(private_traffic_selector_t *this)
 /**
  * internal generic constructor
  */
-static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
+						ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+
+/**
+ * Check if TS contains "opaque" ports
+ */
+static bool is_opaque(private_traffic_selector_t *this)
+{
+	return this->from_port == 0xffff && this->to_port == 0;
+}
+
+/**
+ * Check if TS contains "any" ports
+ */
+static bool is_any(private_traffic_selector_t *this)
+{
+	return this->from_port == 0 && this->to_port == 0xffff;
+}
 
 /**
  * Described in header.
@@ -248,7 +265,7 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 
 	/* check if we have protocol and/or port selectors */
 	has_proto = this->protocol != 0;
-	has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
+	has_ports = !is_any(this);
 
 	if (!has_proto && !has_ports)
 	{
@@ -283,8 +300,9 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	{
 		if (this->from_port == this->to_port)
 		{
-			struct servent *serv = getservbyport(htons(this->from_port), serv_proto);
+			struct servent *serv;
 
+			serv = getservbyport(htons(this->from_port), serv_proto);
 			if (serv)
 			{
 				written += print_in_hook(data, "%s", serv->s_name);
@@ -294,9 +312,14 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 				written += print_in_hook(data, "%d", this->from_port);
 			}
 		}
+		else if (is_opaque(this))
+		{
+			written += print_in_hook(data, "OPAQUE");
+		}
 		else
 		{
-			written += print_in_hook(data, "%d-%d", this->from_port, this->to_port);
+			written += print_in_hook(data, "%d-%d",
+									 this->from_port, this->to_port);
 		}
 	}
 
@@ -305,24 +328,55 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	return written;
 }
 
-/**
- * Implements traffic_selector_t.get_subset
- */
-static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other)
+METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 {
+	private_traffic_selector_t *other, *subset;
+	u_int16_t from_port, to_port;
+	u_char *from, *to;
+	u_int8_t protocol;
+	size_t size;
+
+	other = (private_traffic_selector_t*)other_public;
+
 	if (this->dynamic || other->dynamic)
 	{	/* no set_address() applied, TS has no subset */
 		return NULL;
 	}
-	if (this->type == other->type && (this->protocol == other->protocol ||
-								this->protocol == 0 || other->protocol == 0))
-	{
-		u_int16_t from_port, to_port;
-		u_char *from, *to;
-		u_int8_t protocol;
-		size_t size;
-		private_traffic_selector_t *new_ts;
 
+	if (this->type != other->type)
+	{
+		return NULL;
+	}
+	switch (this->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			size = sizeof(this->from4);
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			size = sizeof(this->from6);
+			break;
+		default:
+			return NULL;
+	}
+
+	if (this->protocol != other->protocol &&
+		this->protocol != 0 && other->protocol != 0)
+	{
+		return NULL;
+	}
+	/* select protocol, which is not zero */
+	protocol = max(this->protocol, other->protocol);
+
+	if ((is_opaque(this) && is_opaque(other)) ||
+		(is_opaque(this) && is_any(other)) ||
+		(is_opaque(other) && is_any(this)))
+	{
+		from_port = 0xffff;
+		to_port = 0;
+	}
+	else
+	{
 		/* calculate the maximum port range allowed for both */
 		from_port = max(this->from_port, other->from_port);
 		to_port = min(this->to_port, other->to_port);
@@ -330,60 +384,46 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
 		{
 			return NULL;
 		}
-		/* select protocol, which is not zero */
-		protocol = max(this->protocol, other->protocol);
-
-		switch (this->type)
-		{
-			case TS_IPV4_ADDR_RANGE:
-				size = sizeof(this->from4);
-				break;
-			case TS_IPV6_ADDR_RANGE:
-				size = sizeof(this->from6);
-				break;
-			default:
-				return NULL;
-		}
-
-		/* get higher from-address */
-		if (memcmp(this->from, other->from, size) > 0)
-		{
-			from = this->from;
-		}
-		else
-		{
-			from = other->from;
-		}
-		/* get lower to-address */
-		if (memcmp(this->to, other->to, size) > 0)
-		{
-			to = other->to;
-		}
-		else
-		{
-			to = this->to;
-		}
-		/* if "from" > "to", we don't have a match */
-		if (memcmp(from, to, size) > 0)
-		{
-			return NULL;
-		}
-
-		/* we have a match in protocol, port, and address: return it... */
-		new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
-		memcpy(new_ts->from, from, size);
-		memcpy(new_ts->to, to, size);
-		calc_netbits(new_ts);
-		return &new_ts->public;
 	}
-	return NULL;
+	/* get higher from-address */
+	if (memcmp(this->from, other->from, size) > 0)
+	{
+		from = this->from;
+	}
+	else
+	{
+		from = other->from;
+	}
+	/* get lower to-address */
+	if (memcmp(this->to, other->to, size) > 0)
+	{
+		to = other->to;
+	}
+	else
+	{
+		to = this->to;
+	}
+	/* if "from" > "to", we don't have a match */
+	if (memcmp(from, to, size) > 0)
+	{
+		return NULL;
+	}
+
+	/* we have a match in protocol, port, and address: return it... */
+	subset = traffic_selector_create(protocol, this->type, from_port, to_port);
+	memcpy(subset->from, from, size);
+	memcpy(subset->to, to, size);
+	calc_netbits(subset);
+
+	return &subset->public;
 }
 
-/**
- * Implements traffic_selector_t.equals
- */
-static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other)
+METHOD(traffic_selector_t, equals, bool,
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 {
+	private_traffic_selector_t *other;
+
+	other = (private_traffic_selector_t*)other_public;
 	if (this->type != other->type)
 	{
 		return FALSE;
@@ -535,11 +575,8 @@ METHOD(traffic_selector_t, set_address, void,
 	}
 }
 
-/**
- * Implements traffic_selector_t.is_contained_in.
- */
-static bool is_contained_in(private_traffic_selector_t *this,
-							private_traffic_selector_t *other)
+METHOD(traffic_selector_t, is_contained_in, bool,
+	private_traffic_selector_t *this, traffic_selector_t *other)
 {
 	private_traffic_selector_t *subset;
 	bool contained_in = FALSE;
@@ -548,7 +585,7 @@ static bool is_contained_in(private_traffic_selector_t *this,
 
 	if (subset)
 	{
-		if (equals(subset, this))
+		if (equals(subset, &this->public))
 		{
 			contained_in = TRUE;
 		}
@@ -739,12 +776,13 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
  * see header
  */
 traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
-							u_int8_t netbits, u_int8_t protocol, u_int16_t port)
+							u_int8_t netbits, u_int8_t protocol,
+							u_int16_t from_port, u_int16_t to_port)
 {
 	private_traffic_selector_t *this;
 	chunk_t from;
 
-	this = traffic_selector_create(protocol, 0, 0, 65535);
+	this = traffic_selector_create(protocol, 0, from_port, to_port);
 
 	switch (net->get_family(net))
 	{
@@ -763,11 +801,6 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
 	memcpy(this->from, from.ptr, from.len);
 	netbits = min(netbits, this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
 	calc_range(this, netbits);
-	if (port)
-	{
-		this->from_port = port;
-		this->to_port = port;
-	}
 	net->destroy(net);
 
 	return &this->public;
@@ -818,8 +851,9 @@ traffic_selector_t *traffic_selector_create_from_string(
 /*
  * see header
  */
-traffic_selector_t *traffic_selector_create_from_cidr(char *string,
-									u_int8_t protocol, u_int16_t port)
+traffic_selector_t *traffic_selector_create_from_cidr(
+										char *string, u_int8_t protocol,
+										u_int16_t from_port, u_int16_t to_port)
 {
 	host_t *net;
 	int bits;
@@ -827,7 +861,8 @@ traffic_selector_t *traffic_selector_create_from_cidr(char *string,
 	net = host_create_from_subnet(string, &bits);
 	if (net)
 	{
-		return traffic_selector_create_from_subnet(net, bits, protocol, port);
+		return traffic_selector_create_from_subnet(net, bits, protocol,
+												   from_port, to_port);
 	}
 	return NULL;
 }
@@ -859,8 +894,8 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 
 	INIT(this,
 		.public = {
-			.get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset,
-			.equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals,
+			.get_subset = _get_subset,
+			.equals = _equals,
 			.get_from_address = _get_from_address,
 			.get_to_address = _get_to_address,
 			.get_from_port = _get_from_port,
@@ -869,7 +904,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 			.get_protocol = _get_protocol,
 			.is_host = _is_host,
 			.is_dynamic = _is_dynamic,
-			.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in,
+			.is_contained_in = _is_contained_in,
 			.includes = _includes,
 			.set_address = _set_address,
 			.to_subnet = _to_subnet,
@@ -884,4 +919,3 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 
 	return this;
 }
-

src/libstrongswan/selectors/traffic_selector.h

@@ -238,11 +238,13 @@ traffic_selector_t *traffic_selector_create_from_string(
  *
  * @param string		CIDR string, such as 10.1.0.0/16
  * @param protocol		protocol for this ts, such as TCP or UDP
- * @param port			single port for this TS, 0 for any port
+ * @param from_port		start of allowed port range
+ * @param to_port		end of port range
  * @return				traffic selector, NULL if string invalid
  */
-traffic_selector_t *traffic_selector_create_from_cidr(char *string,
-									u_int8_t protocol, u_int16_t port);
+traffic_selector_t *traffic_selector_create_from_cidr(
+										char *string, u_int8_t protocol,
+										u_int16_t from_port, u_int16_t to_port);
 
 /**
  * Create a new traffic selector using data read from the net.
@@ -288,14 +290,15 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
  * @param net			subnet to use
  * @param netbits		size of the subnet, as used in e.g. 192.168.0.0/24 notation
  * @param protocol		protocol for this ts, such as TCP or UDP
- * @param port			port number, host order
+ * @param from_port		start of allowed port range
+ * @param to_port		end of port range
  * @return
  *						- traffic_selector_t object
  *						- NULL if address family of net not supported
  */
 traffic_selector_t *traffic_selector_create_from_subnet(
-									host_t *net, u_int8_t netbits,
-									u_int8_t protocol, u_int16_t port);
+							host_t *net, u_int8_t netbits, u_int8_t protocol,
+							u_int16_t from_port, u_int16_t to_port);
 
 /**
  * Create a traffic selector for host-to-host cases.

src/starter/cmp.c

@@ -27,7 +27,8 @@ static bool starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
 		return FALSE;
 
 	VARCMP(modecfg);
-	VARCMP(port);
+	VARCMP(from_port);
+	VARCMP(to_port);
 	VARCMP(protocol);
 
 	return cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
@@ -63,4 +64,3 @@ bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2)
 
 	return cmp_args(KW_CA_NAME, KW_CA_LAST, (char *)c1, (char *)c2);
 }
-

src/starter/confread.c

@@ -142,6 +142,9 @@ static void default_values(starter_config_t *cfg)
 	cfg->conn_default.left.ikeport = 500;
 	cfg->conn_default.right.ikeport = 500;
 
+	cfg->conn_default.left.to_port = 0xffff;
+	cfg->conn_default.right.to_port = 0xffff;
+
 	cfg->ca_default.seen = SEEN_NONE;
 }
 
@@ -292,24 +295,46 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
 		}
 		if (streq(port, "%any"))
 		{
-			end->port = 0;
+			end->from_port = 0;
+			end->to_port = 0xffff;
 		}
-		else
+		else if (streq(port, "%opaque"))
+		{
+			end->from_port = 0xffff;
+			end->to_port = 0;
+		}
+		else if (*port)
 		{
 			svc = getservbyname(port, NULL);
 			if (svc)
 			{
-				end->port = ntohs(svc->s_port);
+				end->from_port = end->to_port = ntohs(svc->s_port);
 			}
 			else
 			{
 				p = strtol(port, &endptr, 0);
-				if ((*port && *endptr) || p < 0 || p > 0xffff)
+				if (p < 0 || p > 0xffff)
 				{
-					DBG1(DBG_APP, "# bad port: %s=%s", name, value);
+					DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+					goto err;
+				}
+				end->from_port = p;
+				if (*endptr == '-')
+				{
+					port = endptr + 1;
+					p = strtol(port, &endptr, 0);
+					if (p < 0 || p > 0xffff)
+					{
+						DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+						goto err;
+					}
+				}
+				end->to_port = p;
+				if (*endptr)
+				{
+					DBG1(DBG_APP, "# bad port: %s=%s", name, port);
 					goto err;
 				}
-				end->port = (u_int16_t)p;
 			}
 		}
 		if (sep)

src/starter/confread.h

@@ -115,7 +115,8 @@ struct starter_end {
 		bool            hostaccess;
 		bool            allow_any;
 		char            *updown;
-		u_int16_t       port;
+		u_int16_t       from_port;
+		u_int16_t       to_port;
 		u_int8_t        protocol;
 		char            *sourceip;
 		char            *dns;

src/starter/starterstroke.c

@@ -146,7 +146,8 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	msg_end->tohost = !conn_end->subnet;
 	msg_end->allow_any = conn_end->allow_any;
 	msg_end->protocol = conn_end->protocol;
-	msg_end->port = conn_end->port;
+	msg_end->from_port = conn_end->from_port;
+	msg_end->to_port = conn_end->to_port;
 }
 
 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)

src/stroke/stroke.c

@@ -151,12 +151,14 @@ static int add_connection(char *name,
 	msg.add_conn.me.ikeport = 500;
 	msg.add_conn.me.subnets = push_string(&msg, my_nets);
 	msg.add_conn.me.sendcert = 1;
+	msg.add_conn.me.to_port = 65535;
 
 	msg.add_conn.other.id = push_string(&msg, other_id);
 	msg.add_conn.other.address = push_string(&msg, other_addr);
 	msg.add_conn.other.ikeport = 500;
 	msg.add_conn.other.subnets = push_string(&msg, other_nets);
 	msg.add_conn.other.sendcert = 1;
+	msg.add_conn.other.to_port = 65535;
 
 	return send_stroke_msg(&msg);
 }

src/stroke/stroke_msg.h

@@ -167,7 +167,8 @@ struct stroke_end_t {
 	int tohost;
 	int allow_any;
 	u_int8_t protocol;
-	u_int16_t port;
+	u_int16_t from_port;
+	u_int16_t to_port;
 };
 
 typedef struct stroke_msg_t stroke_msg_t;