author | Tobias Brunner <tobias@strongswan.org> | 2010-07-12 10:35:19 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2010-09-02 19:01:25 +0200 |
commit | 9f166d9ac20e493e772a384cecdf8badcabf35cb (patch) | |
tree | c8e003bde4ba27e3fe4848ad2c1cebda20c8a5e3 /src | |
parent | 9d94174242ad267429a46eda5d055ba450480a40 (diff) | |
download | strongswan-9f166d9ac20e493e772a384cecdf8badcabf35cb.tar.bz2 strongswan-9f166d9ac20e493e772a384cecdf8badcabf35cb.tar.xz |
Removed references to protocol_id_t from kernel interface.
Instead we use the actual IP protocol identifier (the conversion now happens in
child_sa_t and kernel_handler_t).
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/kernel/kernel_handler.c | 25 | ||||
-rw-r--r-- | src/libcharon/kernel/kernel_interface.c | 14 | ||||
-rw-r--r-- | src/libcharon/kernel/kernel_interface.h | 14 | ||||
-rw-r--r-- | src/libcharon/kernel/kernel_ipsec.h | 14 | ||||
-rw-r--r-- | src/libcharon/kernel/kernel_listener.h | 2 | ||||
-rw-r--r-- | src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c | 60 | ||||
-rw-r--r-- | src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 79 | ||||
-rw-r--r-- | src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 70 | ||||
-rw-r--r-- | src/libcharon/plugins/load_tester/load_tester_ipsec.c | 12 | ||||
-rw-r--r-- | src/libcharon/sa/child_sa.c | 102 |
10 files changed, 193 insertions, 199 deletions
diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c index 482f1494c..d863ca504 100644 --- a/src/libcharon/kernel/kernel_handler.c +++ b/src/libcharon/kernel/kernel_handler.c @@ -38,6 +38,22 @@ struct private_kernel_handler_t { }; +/** + * convert an IP protocol identifier to the IKEv2 specific protocol identifier. + */ +static inline protocol_id_t proto_ip2ike(u_int8_t protocol) +{ + switch (protocol) + { + case IPPROTO_ESP: + return PROTO_ESP; + case IPPROTO_AH: + return PROTO_AH; + default: + return protocol; + } +} + METHOD(kernel_listener_t, acquire, bool, private_kernel_handler_t *this, u_int32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) @@ -58,20 +74,21 @@ METHOD(kernel_listener_t, acquire, bool, } METHOD(kernel_listener_t, expire, bool, - private_kernel_handler_t *this, u_int32_t reqid, protocol_id_t protocol, + private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard) { job_t *job; + protocol_id_t proto = proto_ip2ike(protocol); DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x " "and reqid {%u}", hard ? "delete" : "rekey", - protocol_id_names, protocol, ntohl(spi), reqid); + protocol_id_names, proto, ntohl(spi), reqid); if (hard) { - job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); + job = (job_t*)delete_child_sa_job_create(reqid, proto, spi); } else { - job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); + job = (job_t*)rekey_child_sa_job_create(reqid, proto, spi); } hydra->processor->queue_job(hydra->processor, job); return TRUE; diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c index fffde68ae..cecaef728 100644 --- a/src/libcharon/kernel/kernel_interface.c +++ b/src/libcharon/kernel/kernel_interface.c 
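Review bot: The `default:` branch of the new `proto_ip2ike()` returns the raw IP protocol number as a `protocol_id_t`, so `expire()` will print it through `protocol_id_names` and pass it to `delete_child_sa_job_create()`/`rekey_child_sa_job_create()` for any SA that is neither ESP nor AH (an IPComp SA, for instance). The netlink and PF_KEY backends in this same commit drop non-ESP/AH expires before they reach the listener, so this is presumably only reachable if some other backend forwards them, but the handler has no guard of its own. A check after the conversion, `if (proto != PROTO_ESP && proto != PROTO_AH) { return TRUE; }` (TRUE keeps the listener registered, per the `expire` contract in kernel_listener.h), would make the handler independent of backend filtering. Failing that, the `default:` case should at least carry a comment such as `/* not ESP/AH: passed through unmapped, callers must filter */`.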
@@ -56,7 +56,7 @@ struct private_kernel_interface_t { METHOD(kernel_interface_t, get_spi, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { if (!this->ipsec) { @@ -78,7 +78,7 @@ METHOD(kernel_interface_t, get_cpi, status_t, METHOD(kernel_interface_t, add_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, + u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, @@ -94,7 +94,7 @@ METHOD(kernel_interface_t, add_sa, status_t, } METHOD(kernel_interface_t, update_sa, status_t, - private_kernel_interface_t *this, u_int32_t spi, protocol_id_t protocol, + private_kernel_interface_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark) { @@ -108,7 +108,7 @@ METHOD(kernel_interface_t, update_sa, status_t, METHOD(kernel_interface_t, query_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) { if (!this->ipsec) { @@ -119,7 +119,7 @@ METHOD(kernel_interface_t, query_sa, status_t, METHOD(kernel_interface_t, del_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi, mark_t mark) + u_int8_t protocol, u_int16_t cpi, mark_t mark) { if (!this->ipsec) { 
@@ -131,7 +131,7 @@ METHOD(kernel_interface_t, del_sa, status_t, METHOD(kernel_interface_t, add_policy, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, + policy_dir_t direction, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed) { @@ -387,7 +387,7 @@ METHOD(kernel_interface_t, acquire, void, } METHOD(kernel_interface_t, expire, void, - private_kernel_interface_t *this, u_int32_t reqid, protocol_id_t protocol, + private_kernel_interface_t *this, u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard) { kernel_listener_t *listener; diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h index 61ce84102..06c526581 100644 --- a/src/libcharon/kernel/kernel_interface.h +++ b/src/libcharon/kernel/kernel_interface.h @@ -63,7 +63,7 @@ struct kernel_interface_t { * @return SUCCESS if operation completed */ status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi); + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi); /** * Get a Compression Parameter Index (CPI) from the kernel. @@ -108,7 +108,7 @@ struct kernel_interface_t { */ status_t (*add_sa) (kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, 
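Review bot: The `@param protocol` lines of `get_spi`, `add_sa`, `update_sa`, `query_sa`, `del_sa`, `add_policy` and `expire` in kernel_interface.h sit just above these hunks and are not touched, yet the parameter's meaning changes from the IKEv2 `protocol_id_t` enum to the IP protocol number; with a plain `u_int8_t` the type no longer says which numbering is meant. I cannot see their current wording from here, but each should read along the lines of `@param protocol IP protocol of the SA (IPPROTO_ESP or IPPROTO_AH)`. The same applies to the parallel declarations in kernel_ipsec.h and to `expire` in kernel_listener.h.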
@@ -138,7 +138,7 @@ struct kernel_interface_t { * the kernel interface can't update the SA */ status_t (*update_sa)(kernel_interface_t *this, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark); @@ -155,7 +155,7 @@ struct kernel_interface_t { * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes); /** @@ -170,7 +170,7 @@ struct kernel_interface_t { * @return SUCCESS if operation completed */ status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark); /** @@ -199,7 +199,7 @@ struct kernel_interface_t { traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, + u_int8_t protocol, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed); @@ -436,7 +436,7 @@ struct kernel_interface_t { * @param hard TRUE if it is a hard expire, FALSE otherwise */ void (*expire)(kernel_interface_t *this, u_int32_t reqid, - protocol_id_t protocol, u_int32_t spi, bool hard); + u_int8_t protocol, u_int32_t spi, bool hard); /** * Raise a mapping event. diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h index a2c29f5fd..340b7e91d 100644 --- a/src/libcharon/kernel/kernel_ipsec.h +++ b/src/libcharon/kernel/kernel_ipsec.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter 
@@ -93,7 +93,7 @@ struct kernel_ipsec_t { * @return SUCCESS if operation completed */ status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi); + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi); /** * Get a Compression Parameter Index (CPI) from the kernel. @@ -138,7 +138,7 @@ struct kernel_ipsec_t { */ status_t (*add_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, + u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, @@ -168,7 +168,7 @@ struct kernel_ipsec_t { * the kernel interface can't update the SA */ status_t (*update_sa)(kernel_ipsec_t *this, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark); @@ -185,7 +185,7 @@ struct kernel_ipsec_t { * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes); /** @@ -200,7 +200,7 @@ struct kernel_ipsec_t { * @return SUCCESS if operation completed */ status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark); /** @@ -229,7 +229,7 @@ struct kernel_ipsec_t { traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, + u_int8_t protocol, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed); diff --git a/src/libcharon/kernel/kernel_listener.h b/src/libcharon/kernel/kernel_listener.h index b69bed66f..02e5b809e 100644 
--- a/src/libcharon/kernel/kernel_listener.h +++ b/src/libcharon/kernel/kernel_listener.h @@ -55,7 +55,7 @@ struct kernel_listener_t { * @return TRUE to remain registered, FALSE to unregister */ bool (*expire)(kernel_listener_t *this, u_int32_t reqid, - protocol_id_t protocol, u_int32_t spi, bool hard); + u_int8_t protocol, u_int32_t spi, bool hard); /** * Hook called if the NAT mappings of an IPsec SA changed. diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c index 0b6233ae7..7fa307f9a 100644 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c @@ -584,7 +584,7 @@ typedef struct sa_entry_t sa_entry_t; struct sa_entry_t { /** protocol of this SA */ - protocol_id_t protocol; + u_int8_t protocol; /** reqid of this SA */ u_int32_t reqid; @@ -608,7 +608,7 @@ struct sa_entry_t { /** * create an sa_entry_t object */ -static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi, +static sa_entry_t *create_sa_entry(u_int8_t protocol, u_int32_t spi, u_int32_t reqid, host_t *src, host_t *dst, bool encap, bool inbound) { @@ -646,7 +646,7 @@ static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi /** * match an sa_entry_t by protocol, spi and dst address (as the kernel does it) */ -static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol, +static inline bool sa_entry_match_bydst(sa_entry_t *current, u_int8_t *protocol, u_int32_t *spi, host_t *dst) { return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst); 
@@ -655,7 +655,7 @@ static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *prot /** * match an sa_entry_t by protocol, reqid and spi */ -static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol, +static inline bool sa_entry_match_byid(sa_entry_t *current, u_int8_t *protocol, u_int32_t *spi, u_int32_t *reqid) { return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid; @@ -713,15 +713,15 @@ struct pfkey_msg_t }; /** - * convert a IKEv2 specific protocol identifier to the PF_KEY sa type + * convert a protocol identifier to the PF_KEY sa type */ -static u_int8_t proto_ike2satype(protocol_id_t proto) +static u_int8_t proto2satype(u_int8_t proto) { switch (proto) { - case PROTO_ESP: + case IPPROTO_ESP: return SADB_SATYPE_ESP; - case PROTO_AH: + case IPPROTO_AH: return SADB_SATYPE_AH; case IPPROTO_COMP: return SADB_X_SATYPE_COMP; @@ -731,20 +731,20 @@ static u_int8_t proto_ike2satype(protocol_id_t proto) } /** - * convert a PF_KEY sa type to a IKEv2 specific protocol identifier + * convert a PF_KEY sa type to a protocol identifier */ -static protocol_id_t proto_satype2ike(u_int8_t proto) +static u_int8_t satype2proto(u_int8_t satype) { - switch (proto) + switch (satype) { case SADB_SATYPE_ESP: - return PROTO_ESP; + return IPPROTO_ESP; case SADB_SATYPE_AH: - return PROTO_AH; + return IPPROTO_AH; case SADB_X_SATYPE_COMP: return IPPROTO_COMP; default: - return proto; + return satype; } } @@ -1316,7 +1316,7 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* spi = response.sa->sadb_sa_spi; - if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP) + if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP) { sa_entry_t *sa; sockaddr_t *addr = (sockaddr_t*)(response.src + 1); 
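Review bot: `satype2proto()` keeps the old `default:` pass-through, now returning the raw PF_KEY SA type as if it were an IP protocol number; with `u_int8_t` on both sides nothing signals that `satype` lives in a different numbering space. The callers visible here (`process_mapping` in this plugin, `process_expire` and `process_mapping` in the PF_KEY plugin) only compare the result against `IPPROTO_ESP`/`IPPROTO_AH`, so a stray value is harmless as long as no SA type numerically equals 50 or 51, but that is an implicit assumption worth stating on the branch: `/* unknown SA type: returned unmapped, callers only test for ESP/AH */`. `proto2satype()` just above has the same shape, and kernel_pfkey_ipsec.c carries an identical pair of functions.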
@@ -1448,7 +1448,7 @@ struct sa_expire_t { /** the SPI of the expiring SA */ u_int32_t spi; /** the protocol of the expiring SA */ - protocol_id_t protocol; + u_int8_t protocol; /** the reqid of the expiring SA*/ u_int32_t reqid; /** what type of expire this is */ @@ -1461,7 +1461,7 @@ struct sa_expire_t { static job_requeue_t sa_expires(sa_expire_t *expire) { private_kernel_klips_ipsec_t *this = expire->this; - protocol_id_t protocol = expire->protocol; + u_int8_t protocol = expire->protocol; u_int32_t spi = expire->spi, reqid = expire->reqid; bool hard = expire->type != EXPIRE_TYPE_SOFT; sa_entry_t *cached_sa; @@ -1500,7 +1500,7 @@ static job_requeue_t sa_expires(sa_expire_t *expire) * Schedule an expire job for an SA. Time is in seconds. */ static void schedule_expire(private_kernel_klips_ipsec_t *this, - protocol_id_t protocol, u_int32_t spi, + u_int8_t protocol, u_int32_t spi, u_int32_t reqid, expire_type_t type, u_int32_t time) { callback_job_t *job; @@ -1516,7 +1516,7 @@ static void schedule_expire(private_kernel_klips_ipsec_t *this, METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { /* we cannot use SADB_GETSPI because KLIPS does not allow us to set the * NAT-T type in an SADB_UPDATE which we would have to use to update the @@ -1611,7 +1611,7 @@ static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this, */ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid) + u_int8_t protocol, u_int32_t reqid) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; 
@@ -1641,7 +1641,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg); satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2; satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype)); - satype->sadb_x_satype_satype = proto_ike2satype(protocol); + satype->sadb_x_satype_satype = proto2satype(protocol); PFKEY_EXT_ADD(msg, satype); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1672,7 +1672,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, @@ -1713,7 +1713,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_ADD; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1830,7 +1830,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, + private_kernel_klips_ipsec_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark) { 
@@ -1867,7 +1867,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_UPDATE; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1903,14 +1903,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) { return NOT_SUPPORTED; /* TODO */ } METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1939,7 +1939,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_DELETE; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1974,7 +1974,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, + policy_dir_t direction, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed) { 
@@ -1992,7 +1992,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, /* tunnel mode policies direct the packets into the pseudo IPIP SA */ satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP : - proto_ike2satype(protocol); + proto2satype(protocol); /* create a policy */ policy = create_policy_entry(src_ts, dst_ts, direction); diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 6d971bdbc..c366efde2 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2008 Andreas Steffen * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser @@ -349,38 +349,6 @@ struct private_kernel_netlink_ipsec_t { }; /** - * convert a IKEv2 specific protocol identifier to the kernel one - */ -static u_int8_t proto_ike2kernel(protocol_id_t proto) -{ - switch (proto) - { - case PROTO_ESP: - return IPPROTO_ESP; - case PROTO_AH: - return IPPROTO_AH; - default: - return proto; - } -} - -/** - * reverse of ike2kernel - */ -static protocol_id_t proto_kernel2ike(u_int8_t proto) -{ - switch (proto) - { - case IPPROTO_ESP: - return PROTO_ESP; - case IPPROTO_AH: - return PROTO_AH; - default: - return proto; - } -} - -/** * convert the general ipsec mode to the one defined in xfrm.h */ static u_int8_t mode2kernel(ipsec_mode_t mode) 
@@ -595,18 +563,18 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd */ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) { - protocol_id_t protocol; + u_int8_t protocol; u_int32_t spi, reqid; struct xfrm_user_expire *expire; expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr); - protocol = proto_kernel2ike(expire->state.id.proto); + protocol = expire->state.id.proto; spi = expire->state.id.spi; reqid = expire->state.reqid; DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); - if (protocol != PROTO_ESP && protocol != PROTO_AH) + if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH) { DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and " "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid); @@ -659,18 +627,15 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd else if (rta->rta_type == XFRMA_MIGRATE) { struct xfrm_user_migrate *migrate; - protocol_id_t proto; migrate = (struct xfrm_user_migrate*)RTA_DATA(rta); old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0); old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0); new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0); new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0); - proto = proto_kernel2ike(migrate->proto); reqid = migrate->reqid; - DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}", - protocol_id_names, proto, old_src, old_dst, - new_src, new_dst, reqid); + DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}", + old_src, old_dst, new_src, new_dst, reqid); DESTROY_IF(old_src); DESTROY_IF(old_dst); DESTROY_IF(new_src); @@ -709,7 +674,7 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this, DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING"); - if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP) + if (mapping->id.proto == IPPROTO_ESP) { host = xfrm2host(mapping->id.family, &mapping->new_saddr, mapping->new_sport); 
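Review bot: In `process_migrate` the rewritten DBG2 line drops the protocol from the migrate trace entirely instead of switching to the raw number, so XFRM_MSG_MIGRATE events for ESP and AH SAs now log identically. `migrate->proto` is still at hand, so `DBG2(DBG_KNL, "  migrate proto %u %H...%H to %H...%H, reqid {%u}", migrate->proto, old_src, old_dst, new_src, new_dst, reqid);` keeps the information at no cost. The enclosing function continues outside the hunk.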
@@ -858,11 +823,11 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid); - if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol), + if (get_spi_internal(this, src, dst, protocol, 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS) { DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid); @@ -898,7 +863,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, @@ -944,7 +909,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, host2xfrm(src, &sa->saddr); host2xfrm(dst, &sa->id.daddr); sa->id.spi = spi; - sa->id.proto = proto_ike2kernel(protocol); + sa->id.proto = protocol; sa->family = src->get_family(src); sa->mode = mode2kernel(mode); switch (mode) @@ -1206,7 +1171,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, * Get the replay state (i.e. sequence numbers) of an SA. */ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, - u_int32_t spi, protocol_id_t protocol, host_t *dst, + u_int32_t spi, u_int8_t protocol, host_t *dst, struct xfrm_replay_state *replay) { netlink_buf_t request; 
@@ -1230,7 +1195,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, host2xfrm(dst, &aevent_id->sa_id.daddr); aevent_id->sa_id.spi = spi; - aevent_id->sa_id.proto = proto_ike2kernel(protocol); + aevent_id->sa_id.proto = protocol; aevent_id->sa_id.family = dst->get_family(dst); if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) @@ -1292,7 +1257,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) { netlink_buf_t request; struct nlmsghdr *out = NULL, *hdr; @@ -1319,7 +1284,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); host2xfrm(dst, &sa_id->daddr); sa_id->spi = spi; - sa_id->proto = proto_ike2kernel(protocol); + sa_id->proto = protocol; sa_id->family = dst->get_family(dst); if (mark.value) @@ -1395,7 +1360,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) { netlink_buf_t request; struct nlmsghdr *hdr; @@ -1426,7 +1391,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); host2xfrm(dst, &sa_id->daddr); sa_id->spi = spi; - sa_id->proto = proto_ike2kernel(protocol); + sa_id->proto = protocol; sa_id->family = dst->get_family(dst); if (mark.value) 
@@ -1473,7 +1438,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, + private_kernel_netlink_ipsec_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool old_encap, bool new_encap, mark_t mark) { @@ -1509,7 +1474,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); host2xfrm(dst, &sa_id->daddr); sa_id->spi = spi; - sa_id->proto = proto_ike2kernel(protocol); + sa_id->proto = protocol; sa_id->family = dst->get_family(dst); if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) @@ -1652,9 +1617,9 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, + policy_dir_t direction, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) + u_int16_t cpi, bool routed) { policy_entry_t *current, *policy; bool found = FALSE; @@ -1784,7 +1749,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } tmpl->reqid = reqid; - tmpl->id.proto = proto_ike2kernel(protocol); + tmpl->id.proto = protocol; tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; tmpl->mode = mode2kernel(mode); tmpl->family = src->get_family(src); diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 91e46cbf2..4cb175bfa 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 
@@ -394,15 +394,15 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX, ); /** - * convert a IKEv2 specific protocol identifier to the PF_KEY sa type + * convert a protocol identifier to the PF_KEY sa type */ -static u_int8_t proto_ike2satype(protocol_id_t proto) +static u_int8_t proto2satype(u_int8_t proto) { switch (proto) { - case PROTO_ESP: + case IPPROTO_ESP: return SADB_SATYPE_ESP; - case PROTO_AH: + case IPPROTO_AH: return SADB_SATYPE_AH; case IPPROTO_COMP: return SADB_X_SATYPE_IPCOMP; @@ -412,36 +412,20 @@ static u_int8_t proto_ike2satype(protocol_id_t proto) } /** - * convert a PF_KEY sa type to a IKEv2 specific protocol identifier + * convert a PF_KEY sa type to a protocol identifier */ -static protocol_id_t proto_satype2ike(u_int8_t proto) +static u_int8_t satype2proto(u_int8_t satype) { - switch (proto) + switch (satype) { case SADB_SATYPE_ESP: - return PROTO_ESP; + return IPPROTO_ESP; case SADB_SATYPE_AH: - return PROTO_AH; + return IPPROTO_AH; case SADB_X_SATYPE_IPCOMP: return IPPROTO_COMP; default: - return proto; - } -} - -/** - * convert a IKEv2 specific protocol identifier to the IP protocol identifier - */ -static u_int8_t proto_ike2ip(protocol_id_t proto) -{ - switch (proto) - { - case PROTO_ESP: - return IPPROTO_ESP; - case PROTO_AH: - return IPPROTO_AH; - default: - return proto; + return satype; } } @@ -942,7 +926,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) { pfkey_msg_t response; - protocol_id_t protocol; + u_int8_t protocol; u_int32_t spi, reqid; bool hard; 
@@ -954,12 +938,12 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* return; } - protocol = proto_satype2ike(msg->sadb_msg_satype); + protocol = satype2proto(msg->sadb_msg_satype); spi = response.sa->sadb_sa_spi; reqid = response.x_sa2->sadb_x_sa2_reqid; hard = response.lft_hard != NULL; - if (protocol != PROTO_ESP && protocol != PROTO_AH) + if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH) { DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} " "which is not a CHILD_SA", ntohl(spi), reqid); @@ -1053,7 +1037,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* spi = response.sa->sadb_sa_spi; reqid = response.x_sa2->sadb_x_sa2_reqid; - if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP) + if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP) { sockaddr_t *sa = (sockaddr_t*)(response.dst + 1); switch (sa->sa_family) @@ -1155,7 +1139,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1170,7 +1154,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_GETSPI; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg); 
@@ -1221,7 +1205,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, @@ -1242,7 +1226,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); #ifdef __APPLE__ @@ -1367,7 +1351,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, + private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark) { @@ -1395,7 +1379,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_GET; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); @@ -1438,7 +1422,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_UPDATE; - msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); #ifdef __APPLE__ 
@@ -1502,7 +1486,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+ u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
@@ -1517,7 +1501,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 msg = (struct sadb_msg*)request;
 msg->sadb_msg_version = PF_KEY_V2;
 msg->sadb_msg_type = SADB_GET;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1558,7 +1542,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
@@ -1572,7 +1556,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 msg = (struct sadb_msg*)request;
 msg->sadb_msg_version = PF_KEY_V2;
 msg->sadb_msg_type = SADB_DELETE;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1608,7 +1592,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
 u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool routed)
 {
@@ -1676,7 +1660,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
 req = (struct sadb_x_ipsecrequest*)(pol + 1);
- req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
+ req->sadb_x_ipsecrequest_proto = protocol;
 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 43c0ef009..efb8fb6fa 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t {
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 *spi = ++this->spi;
 return SUCCESS;
@@ -51,7 +51,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+ u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
@@ -61,7 +61,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
- private_load_tester_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+ private_load_tester_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
 bool encap, bool new_encap, mark_t mark)
 {
@@ -70,14 +70,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+ u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
 {
 return NOT_SUPPORTED;
 }
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
 return SUCCESS;
 }
@@ -85,7 +85,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
 u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool routed)
 {
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 4e609da70..2f5d948c7 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
 * Copyright (C) 2005-2008 Martin Willi
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005 Jan Hutter
@@ -178,6 +178,22 @@ struct private_child_sa_t {
 u_int64_t other_usebytes;
 };
 
+/**
+ * convert an IKEv2 specific protocol identifier to the IP protocol identifier.
+ */
+static inline u_int8_t proto_ike2ip(protocol_id_t protocol)
+{
+ switch (protocol)
+ {
+ case PROTO_ESP:
+ return IPPROTO_ESP;
+ case PROTO_AH:
+ return IPPROTO_AH;
+ default:
+ return protocol;
+ }
+}
+
 METHOD(child_sa_t, get_name, char*,
 private_child_sa_t *this)
 {
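Review bot: The `default:` branch of the new `proto_ike2ip()` returns the IKEv2 enum value unchanged, implicitly narrowed to `u_int8_t`, so any caller passing something other than PROTO_ESP or PROTO_AH gets back a number that is meaningful in neither the IKEv2 nor the IP protocol namespace and would be forwarded to the kernel as-is. Every call site added in this commit passes a CHILD_SA's `this->protocol` or the `alloc_spi` parameter, which in practice are ESP or AH, so this is latent rather than live, but nothing in the function says so and the next caller will not know. I'd state the precondition in the doc comment, e.g. `Only PROTO_ESP and PROTO_AH have a mapping; any other value is returned unchanged and must not reach the kernel interface.`, and make the narrowing explicit with `return (u_int8_t)protocol;` so the intent is visible rather than silent.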
@@ -398,9 +414,9 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 if (this->my_spi)
 {
 status = charon->kernel_interface->query_sa(charon->kernel_interface,
- this->other_addr, this->my_addr,
- this->my_spi, this->protocol,
- this->mark_in, &bytes);
+ this->other_addr, this->my_addr, this->my_spi,
+ proto_ike2ip(this->protocol), this->mark_in,
+ &bytes);
 if (status == SUCCESS)
 {
 if (bytes > this->my_usebytes)
@@ -417,9 +433,9 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 if (this->other_spi)
 {
 status = charon->kernel_interface->query_sa(charon->kernel_interface,
- this->my_addr, this->other_addr,
- this->other_spi, this->protocol,
- this->mark_out, &bytes);
+ this->my_addr, this->other_addr, this->other_spi,
+ proto_ike2ip(this->protocol), this->mark_out,
+ &bytes);
 if (status == SUCCESS)
 {
 if (bytes > this->other_usebytes)
@@ -519,8 +535,9 @@ METHOD(child_sa_t, alloc_spi, u_int32_t,
 private_child_sa_t *this, protocol_id_t protocol)
 {
 if (charon->kernel_interface->get_spi(charon->kernel_interface,
- this->other_addr, this->my_addr, protocol,
- this->reqid, &this->my_spi) == SUCCESS)
+ this->other_addr, this->my_addr,
+ proto_ike2ip(protocol), this->reqid,
+ &this->my_spi) == SUCCESS)
 {
 return this->my_spi;
 }
@@ -531,8 +548,8 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
 private_child_sa_t *this)
 {
 if (charon->kernel_interface->get_cpi(charon->kernel_interface,
- this->other_addr, this->my_addr, this->reqid,
- &this->my_cpi) == SUCCESS)
+ this->other_addr, this->my_addr,
+ this->reqid, &this->my_cpi) == SUCCESS)
 {
 return this->my_cpi;
 }
@@ -620,7 +637,7 @@ METHOD(child_sa_t, install, status_t,
 }
 
 status = charon->kernel_interface->add_sa(charon->kernel_interface,
- src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
+ src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
 inbound ? this->mark_in : this->mark_out,
 lifetime, enc_alg, encr, int_alg, integ, this->mode,
 this->ipcomp, cpi, this->encap, update, src_ts, dst_ts);
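Review bot: `proto_ike2ip(this->protocol)` is now re-evaluated at every kernel call on the same CHILD_SA — twice in update_usebytes here, and again in the install, add_policies, update and destroy hunks below — although `this->protocol` does not change between those calls, and the added argument wrapping also makes each call site longer than its pre-patch form. Converting once per function with `u_int8_t proto = proto_ike2ip(this->protocol);` near the top (or caching the IP protocol number next to `protocol` in private_child_sa_t when it is set) would keep the call sites as short as before and leave a single place to audit the mapping. update_usebytes starts before this hunk, so the declaration would go outside the visible lines.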
@@ -661,20 +678,26 @@ METHOD(child_sa_t, add_policies, status_t,
 {
 /* install 3 policies: out, in and forward */
 status |= charon->kernel_interface->add_policy(charon->kernel_interface,
- this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
- this->other_spi, this->protocol, this->reqid, this->mark_out,
- this->mode, this->ipcomp, this->other_cpi, routed);
+ this->my_addr, this->other_addr, my_ts, other_ts,
+ POLICY_OUT, this->other_spi,
+ proto_ike2ip(this->protocol), this->reqid,
+ this->mark_out, this->mode, this->ipcomp,
+ this->other_cpi, routed);
 status |= charon->kernel_interface->add_policy(charon->kernel_interface,
- this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
- this->my_spi, this->protocol, this->reqid, this->mark_in,
- this->mode, this->ipcomp, this->my_cpi, routed);
+ this->other_addr, this->my_addr, other_ts, my_ts,
+ POLICY_IN, this->my_spi,
+ proto_ike2ip(this->protocol), this->reqid,
+ this->mark_in, this->mode, this->ipcomp,
+ this->my_cpi, routed);
 if (this->mode != MODE_TRANSPORT)
 {
 status |= charon->kernel_interface->add_policy(charon->kernel_interface,
- this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD,
- this->my_spi, this->protocol, this->reqid, this->mark_in,
- this->mode, this->ipcomp, this->my_cpi, routed);
+ this->other_addr, this->my_addr, other_ts, my_ts,
+ POLICY_FWD, this->my_spi,
+ proto_ike2ip(this->protocol), this->reqid,
+ this->mark_in, this->mode, this->ipcomp,
+ this->my_cpi, routed);
 }
 
 if (status != SUCCESS)
@@ -717,7 +740,7 @@ METHOD(child_sa_t, update, status_t,
 if (this->my_spi)
 {
 if (charon->kernel_interface->update_sa(charon->kernel_interface,
- this->my_spi, this->protocol,
+ this->my_spi, proto_ike2ip(this->protocol),
 this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
 this->other_addr, this->my_addr, other, me,
 this->encap, encap, this->mark_in) == NOT_SUPPORTED)
@@ -730,7 +753,7 @@ METHOD(child_sa_t, update, status_t,
 if (this->other_spi)
 {
 if (charon->kernel_interface->update_sa(charon->kernel_interface,
- this->other_spi, this->protocol,
+ this->other_spi, proto_ike2ip(this->protocol),
 this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
 this->my_addr, this->other_addr, me, other,
 this->encap, encap, this->mark_out) == NOT_SUPPORTED)
@@ -786,19 +809,22 @@ METHOD(child_sa_t, update, status_t,
 
 /* reinstall updated policies */
 charon->kernel_interface->add_policy(charon->kernel_interface,
- me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
- this->protocol, this->reqid, this->mark_out, this->mode,
- this->ipcomp, this->other_cpi, FALSE);
+ me, other, my_ts, other_ts, POLICY_OUT,
+ this->other_spi, proto_ike2ip(this->protocol),
+ this->reqid, this->mark_out, this->mode,
+ this->ipcomp, this->other_cpi, FALSE);
 charon->kernel_interface->add_policy(charon->kernel_interface,
- other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
- this->protocol, this->reqid, this->mark_in, this->mode,
- this->ipcomp, this->my_cpi, FALSE);
+ other, me, other_ts, my_ts, POLICY_IN,
+ this->my_spi, proto_ike2ip(this->protocol),
+ this->reqid, this->mark_in, this->mode,
+ this->ipcomp, this->my_cpi, FALSE);
 if (this->mode != MODE_TRANSPORT)
 {
 charon->kernel_interface->add_policy(charon->kernel_interface,
- other, me, other_ts, my_ts, POLICY_FWD, this->my_spi,
- this->protocol, this->reqid, this->mark_in, this->mode,
- this->ipcomp, this->my_cpi, FALSE);
+ other, me, other_ts, my_ts, POLICY_FWD,
+ this->my_spi, proto_ike2ip(this->protocol),
+ this->reqid, this->mark_in, this->mode,
+ this->ipcomp, this->my_cpi, FALSE);
 }
 }
 enumerator->destroy(enumerator);
@@ -846,13 +872,15 @@ METHOD(child_sa_t, destroy, void,
 }
 charon->kernel_interface->del_sa(charon->kernel_interface,
 this->other_addr, this->my_addr, this->my_spi,
- this->protocol, this->my_cpi, this->mark_in);
+ proto_ike2ip(this->protocol), this->my_cpi,
+ this->mark_in);
 }
 if (this->other_spi)
 {
 charon->kernel_interface->del_sa(charon->kernel_interface,
 this->my_addr, this->other_addr, this->other_spi,
- this->protocol, this->other_cpi, this->mark_out);
+ proto_ike2ip(this->protocol), this->other_cpi,
+ this->mark_out);
 }
 
 if (this->config->install_policy(this->config))
@@ -862,13 +890,13 @@ METHOD(child_sa_t, destroy, void,
 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 {
 charon->kernel_interface->del_policy(charon->kernel_interface,
- my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted);
+ my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted);
 charon->kernel_interface->del_policy(charon->kernel_interface,
- other_ts, my_ts, POLICY_IN, this->mark_in, unrouted);
+ other_ts, my_ts, POLICY_IN, this->mark_in, unrouted);
 if (this->mode != MODE_TRANSPORT)
 {
 charon->kernel_interface->del_policy(charon->kernel_interface,
- other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted);
+ other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted);
 }
 }
 enumerator->destroy(enumerator);