Fixing installation of trap policies (SPI=0) in kernel interface.

7 files changed, 59 insertions, 51 deletions

diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index ce199a719..aece95e12 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -85,9 +85,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
 	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	   policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
-	   u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	   u_int16_t cpi, bool routed)
+	   policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	   mark_t mark, bool routed)
 {
 	return SUCCESS;
 }
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 7e16a89cd..3e6d46205 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -131,17 +131,15 @@ METHOD(kernel_interface_t, del_sa, status_t,
 METHOD(kernel_interface_t, add_policy, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi,	bool routed)
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
-								   direction, type, spi, ah_spi, reqid, mark,
-								   mode, ipcomp, cpi, routed);
+								   direction, type, sa, mark, routed);
 }
 
 METHOD(kernel_interface_t, query_policy, status_t,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index fdf320be7..8b0c7a296 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -184,13 +184,8 @@ struct kernel_interface_t {
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
 	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
-	 * @param spi			SPI of optional ESP SA
-	 * @param ah_spi		SPI of optional AH SA
-	 * @param reqid			unique ID of an SA to use to enforce policy
+	 * @param sa			details about the SA(s) tied to this policy
 	 * @param mark			mark for this policy
-	 * @param mode			mode of SA (tunnel, transport)
-	 * @param ipcomp		the IPComp transform used
-	 * @param cpi			CPI for IPComp
 	 * @param routed		TRUE, if this policy is routed in the kernel
 	 * @return				SUCCESS if operation completed
 	 */
@@ -199,9 +194,7 @@ struct kernel_interface_t {
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
 							policy_dir_t direction, policy_type_t type,
-							u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
-							mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-							u_int16_t cpi, bool routed);
+							ipsec_sa_cfg_t *sa, mark_t mark, bool routed);
 
 	/**
 	 * Query the use time of a policy.
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index ff692535d..49d9cc07a 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -29,6 +29,7 @@ typedef enum policy_dir_t policy_dir_t;
 typedef enum policy_type_t policy_type_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct kernel_ipsec_t kernel_ipsec_t;
+typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
 typedef struct lifetime_cfg_t lifetime_cfg_t;
 typedef struct mark_t mark_t;
 
@@ -101,6 +102,30 @@ enum ipcomp_transform_t {
 extern enum_name_t *ipcomp_transform_names;
 
 /**
+ * This struct contains details about IPsec SA(s) tied to a policy.
+ */
+struct ipsec_sa_cfg_t {
+	/** mode of SA (tunnel, transport) */
+	ipsec_mode_t mode;
+	/** unique ID */
+	u_int32_t reqid;
+	/** details about ESP/AH */
+	struct {
+		/** TRUE if this protocol is used */
+		bool use;
+		/** SPI for ESP/AH */
+		u_int32_t spi;
+	} esp, ah;
+	/** details about IPComp */
+	struct {
+		/** the IPComp transform used */
+		u_int16_t transform;
+		/** CPI for IPComp */
+		u_int16_t cpi;
+	} ipcomp;
+};
+
+/**
  * A lifetime_cfg_t defines the lifetime limits of an SA.
  *
  * Set any of these values to 0 to ignore.
@@ -272,13 +297,8 @@ struct kernel_ipsec_t {
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
 	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
-	 * @param spi			SPI of optional ESP SA
-	 * @param ah_spi		SPI of optional AH SA
-	 * @param reqid			unique ID of an SA to use to enforce policy
+	 * @param sa			details about the SA(s) tied to this policy
 	 * @param mark			mark for this policy
-	 * @param mode			mode of SA (tunnel, transport)
-	 * @param ipcomp		the IPComp transform used
-	 * @param cpi			CPI for IPComp
 	 * @param routed		TRUE, if this policy is routed in the kernel
 	 * @return				SUCCESS if operation completed
 	 */
@@ -287,9 +307,7 @@ struct kernel_ipsec_t {
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
 							policy_dir_t direction, policy_type_t type,
-							u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
-							mark_t mark, ipsec_mode_t mode,
-							u_int16_t ipcomp, u_int16_t cpi, bool routed);
+							ipsec_sa_cfg_t *sa, mark_t mark, bool routed);
 
 	/**
 	 * Query the use time of a policy.
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index 042d98936..0df5f8baf 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1969,13 +1969,13 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool routed)
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	policy_entry_t *policy, *found = NULL;
+	u_int32_t spi;
 	u_int8_t satype;
 	size_t len;
 
@@ -1986,8 +1986,10 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	}
 
 	/* tunnel mode policies direct the packets into the pseudo IPIP SA */
-	satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
-									 proto2satype(spi ? IPPROTO_ESP : IPPROTO_AH);
+	satype = (sa->mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP
+									   : proto2satype(sa->esp.use ? IPPROTO_ESP
+																  : IPPROTO_AH);
+	spi = sa->esp.use ? sa->esp.spi : sa->ah.spi;
 
 	/* create a policy */
 	policy = create_policy_entry(src_ts, dst_ts, direction);
@@ -2019,7 +2021,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 		/* the reqid is always set to the latest child SA that trapped this
 		 * policy. we will need this reqid upon receiving an acquire. */
-		policy->reqid = reqid;
+		policy->reqid = sa->reqid;
 
 		/* increase the trap counter */
 		policy->trapcount++;
@@ -2097,7 +2099,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		route_entry_t *route = malloc_thing(route_entry_t);
 		route->src_ip = NULL;
 
-		if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+		if (sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
 			this->install_routes)
 		{
 			hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 06c4125a4..55158af48 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1617,9 +1617,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool routed)
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
 {
 	policy_entry_t *current, *policy;
 	bool found = FALSE;
@@ -1715,11 +1714,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 			u_int8_t proto;
 			bool use;
 		} protos[] = {
-			{ IPPROTO_COMP, ipcomp != IPCOMP_NONE },
-			{ IPPROTO_ESP, spi != 0 },
-			{ IPPROTO_AH, ah_spi != 0 },
+			{ IPPROTO_COMP, sa->ipcomp.transform != IPCOMP_NONE },
+			{ IPPROTO_ESP, sa->esp.use },
+			{ IPPROTO_AH, sa->ah.use },
 		};
-		ipsec_mode_t proto_mode = mode;
+		ipsec_mode_t proto_mode = sa->mode;
 
 		rthdr->rta_type = XFRMA_TMPL;
 		rthdr->rta_len = 0; /* actual length is set below */
@@ -1738,7 +1737,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 				return FAILED;
 			}
 
-			tmpl->reqid = reqid;
+			tmpl->reqid = sa->reqid;
 			tmpl->id.proto = protos[i].proto;
 			tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
 			tmpl->mode = mode2kernel(proto_mode);
@@ -1793,7 +1792,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	 * - routing is not disabled via strongswan.conf
 	 */
 	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && this->install_routes)
+		sa->mode != MODE_TRANSPORT && this->install_routes)
 	{
 		route_entry_t *route = malloc_thing(route_entry_t);
 
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 20d1b1205..1b18f6a9c 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1593,9 +1593,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool routed)
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1612,7 +1611,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	}
 
 	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
+	policy = create_policy_entry(src_ts, dst_ts, direction, sa->reqid);
 
 	/* find a matching policy */
 	this->mutex->lock(this->mutex);
@@ -1661,13 +1660,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
 	req = (struct sadb_x_ipsecrequest*)(pol + 1);
-	req->sadb_x_ipsecrequest_proto = spi ? IPPROTO_ESP : IPPROTO_AH;
+	req->sadb_x_ipsecrequest_proto = sa->esp.use ? IPPROTO_ESP : IPPROTO_AH;
 	/* !!! the length of this struct MUST be in octets instead of 64 bit words */
 	req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
-	req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
-	req->sadb_x_ipsecrequest_reqid = reqid;
+	req->sadb_x_ipsecrequest_mode = mode2kernel(sa->mode);
+	req->sadb_x_ipsecrequest_reqid = sa->reqid;
 	req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
-	if (mode == MODE_TUNNEL)
+	if (sa->mode == MODE_TUNNEL)
 	{
 		len = hostcpy(req + 1, src);
 		req->sadb_x_ipsecrequest_len += len;
@@ -1741,7 +1740,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	 * - routing is not disabled via strongswan.conf
 	 */
 	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+		sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
 		this->install_routes)
 	{
 		route_entry_t *route = malloc_thing(route_entry_t);