authorTobias Brunner <tobias@strongswan.org>2010-07-19 11:25:47 +0200
committerTobias Brunner <tobias@strongswan.org>2010-09-02 19:04:19 +0200
commitb4872c1e0963010525ff24c9562e26097fdd0d1b (patch)
treead7d389669ee620870c911f12c874a8c6ccd1600 /src
parentc5fb6882f2f74ae347d7937f2fc3eb3bad4a4466 (diff)
downloadstrongswan-b4872c1e0963010525ff24c9562e26097fdd0d1b.tar.bz2
strongswan-b4872c1e0963010525ff24c9562e26097fdd0d1b.tar.xz
Replaced the protocol argument in add_policy with an optional SPI for an AH SA.
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_ipsec.c2
-rw-r--r--src/libcharon/sa/child_sa.c55
-rw-r--r--src/libhydra/kernel/kernel_interface.c4
-rw-r--r--src/libhydra/kernel/kernel_interface.h6
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h6
-rw-r--r--src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c4
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c6
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c4
8 files changed, 53 insertions, 34 deletions
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index efb8fb6fa..ce199a719 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -85,7 +85,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index b5c2feb21..acfdfaf6c 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -673,30 +673,41 @@ METHOD(child_sa_t, add_policies, status_t,
if (this->config->install_policy(this->config))
{
+ u_int32_t my_esp = 0, my_ah = 0, other_esp = 0, other_ah = 0;
+ if (this->protocol == PROTO_ESP)
+ {
+ my_esp = this->my_spi;
+ other_esp = this->other_spi;
+ }
+ else
+ {
+ my_ah = this->my_spi;
+ other_ah = this->other_spi;
+ }
/* enumerate pairs of traffic selectors */
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
/* install 3 policies: out, in and forward */
- status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+ status |= hydra->kernel_interface->add_policy(
+ hydra->kernel_interface,
this->my_addr, this->other_addr, my_ts, other_ts,
- POLICY_OUT, this->other_spi,
- proto_ike2ip(this->protocol), this->reqid,
+ POLICY_OUT, other_esp, other_ah, this->reqid,
this->mark_out, this->mode, this->ipcomp,
this->other_cpi, routed);
- status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+ status |= hydra->kernel_interface->add_policy(
+ hydra->kernel_interface,
this->other_addr, this->my_addr, other_ts, my_ts,
- POLICY_IN, this->my_spi,
- proto_ike2ip(this->protocol), this->reqid,
+ POLICY_IN, my_esp, my_ah, this->reqid,
this->mark_in, this->mode, this->ipcomp,
this->my_cpi, routed);
if (this->mode != MODE_TRANSPORT)
{
- status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+ status |= hydra->kernel_interface->add_policy(
+ hydra->kernel_interface,
this->other_addr, this->my_addr, other_ts, my_ts,
- POLICY_FWD, this->my_spi,
- proto_ike2ip(this->protocol), this->reqid,
+ POLICY_FWD, my_esp, my_ah, this->reqid,
this->mark_in, this->mode, this->ipcomp,
this->my_cpi, routed);
}
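Review bot: The new `else` branch in add_policies puts the SA's SPI into the AH slot for any protocol other than PROTO_ESP, while the three kernel plugins now choose the protocol with `spi ? IPPROTO_ESP : IPPROTO_AH` (kernel_klips_ipsec.c, kernel_netlink_ipsec.c, kernel_pfkey_ipsec.c) and never read `ah_spi` at all. That means a call in which both SPIs are zero is installed as an AH policy, whereas the old `proto_ike2ip(this->protocol)` argument carried the protocol explicitly; the `routed` flag passed through here suggests policies can be installed before an SA exists, and if so their SPIs would be zero and an ESP child would get an AH template. A cheap fix that actually uses the new parameter and defaults to ESP is to test the AH SPI instead, e.g. in kernel_netlink_ipsec.c `tmpl->id.proto = ah_spi ? IPPROTO_AH : IPPROTO_ESP;` and the same in the klips `proto2satype(...)` and pfkey `sadb_x_ipsecrequest_proto` lines; the longer-term fix is to keep the protocol (or a "use" flag per SA) explicit in the interface rather than inferring it from an SPI value. add_policies begins and ends outside this hunk, so I cannot see whether the SPIs are guaranteed non-zero at this point.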
@@ -766,6 +777,17 @@ METHOD(child_sa_t, update, status_t,
if (this->config->install_policy(this->config))
{
+ u_int32_t my_esp = 0, my_ah = 0, other_esp = 0, other_ah = 0;
+ if (this->protocol == PROTO_ESP)
+ {
+ my_esp = this->my_spi;
+ other_esp = this->other_spi;
+ }
+ else
+ {
+ my_ah = this->my_spi;
+ other_ah = this->other_spi;
+ }
/* update policies */
if (!me->ip_equals(me, this->my_addr) ||
!other->ip_equals(other, this->other_addr))
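Review bot: The eleven-line ESP/AH split added at the top of this block is a verbatim copy of the one added to add_policies in the first hunk, so the two will drift apart the next time the mapping changes (for example when AH+ESP bundles are supported). Move the block into a small static helper in child_sa.c taking `this` and four out-pointers, and replace both copies with `u_int32_t my_esp, my_ah, other_esp, other_ah;` followed by `get_esp_ah_spis(this, &my_esp, &my_ah, &other_esp, &other_ah);`. The helper should carry a one-line comment stating that the unused protocol's SPI is left at zero, since that zero is what the kernel plugins key on. update begins and ends outside this hunk.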
@@ -811,21 +833,18 @@ METHOD(child_sa_t, update, status_t,
/* reinstall updated policies */
hydra->kernel_interface->add_policy(hydra->kernel_interface,
me, other, my_ts, other_ts, POLICY_OUT,
- this->other_spi, proto_ike2ip(this->protocol),
- this->reqid, this->mark_out, this->mode,
- this->ipcomp, this->other_cpi, FALSE);
+ other_esp, other_ah, this->reqid, this->mark_out,
+ this->mode, this->ipcomp, this->other_cpi, FALSE);
hydra->kernel_interface->add_policy(hydra->kernel_interface,
other, me, other_ts, my_ts, POLICY_IN,
- this->my_spi, proto_ike2ip(this->protocol),
- this->reqid, this->mark_in, this->mode,
- this->ipcomp, this->my_cpi, FALSE);
+ my_esp, my_ah, this->reqid, this->mark_in,
+ this->mode, this->ipcomp, this->my_cpi, FALSE);
if (this->mode != MODE_TRANSPORT)
{
hydra->kernel_interface->add_policy(hydra->kernel_interface,
other, me, other_ts, my_ts, POLICY_FWD,
- this->my_spi, proto_ike2ip(this->protocol),
- this->reqid, this->mark_in, this->mode,
- this->ipcomp, this->my_cpi, FALSE);
+ my_esp, my_ah, this->reqid, this->mark_in,
+ this->mode, this->ipcomp, this->my_cpi, FALSE);
}
}
enumerator->destroy(enumerator);
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 77eaf68c4..bc9960509 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -131,7 +131,7 @@ METHOD(kernel_interface_t, del_sa, status_t,
METHOD(kernel_interface_t, add_policy, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
@@ -140,7 +140,7 @@ METHOD(kernel_interface_t, add_policy, status_t,
return NOT_SUPPORTED;
}
return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
- direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed);
+ direction, spi, ah_spi, reqid, mark, mode, ipcomp, cpi, routed);
}
METHOD(kernel_interface_t, query_policy, status_t,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index ec1f561cc..c3c3764c4 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -183,8 +183,8 @@ struct kernel_interface_t {
* @param src_ts traffic selector to match traffic source
* @param dst_ts traffic selector to match traffic dest
* @param direction direction of traffic, POLICY_(IN|OUT|FWD)
- * @param spi SPI of SA
- * @param protocol protocol to use to protect traffic (AH/ESP)
+ * @param spi SPI of optional ESP SA
+ * @param ah_spi SPI of optional AH SA
* @param reqid unique ID of an SA to use to enforce policy
* @param mark mark for this policy
* @param mode mode of SA (tunnel, transport)
@@ -198,7 +198,7 @@ struct kernel_interface_t {
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi,
- u_int8_t protocol, u_int32_t reqid,
+ u_int32_t ah_spi, u_int32_t reqid,
mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed);
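Review bot: The updated @param text describes both SPIs as belonging to an "optional" SA but does not say what a zero value means or how the two interact, which is the only contract the plugins have to implement; the same wording is repeated in kernel_ipsec.h. Suggest `@param spi SPI of ESP SA, 0 if no ESP SA is used` and `@param ah_spi SPI of AH SA, 0 if no AH SA is used`, plus one sentence in the method comment stating which protocol the policy is installed for when both are zero (or that at least one must be non-zero), since as written the implementations decide on `spi` alone.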
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index ad3f64c5d..1a7f7b44d 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -258,8 +258,8 @@ struct kernel_ipsec_t {
* @param src_ts traffic selector to match traffic source
* @param dst_ts traffic selector to match traffic dest
* @param direction direction of traffic, POLICY_(IN|OUT|FWD)
- * @param spi SPI of SA
- * @param protocol protocol to use to protect traffic (AH/ESP)
+ * @param spi SPI of optional ESP SA
+ * @param ah_spi SPI of optional AH SA
* @param reqid unique ID of an SA to use to enforce policy
* @param mark mark for this policy
* @param mode mode of SA (tunnel, transport)
@@ -273,7 +273,7 @@ struct kernel_ipsec_t {
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi,
- u_int8_t protocol, u_int32_t reqid,
+ u_int32_t ah_spi, u_int32_t reqid,
mark_t mark, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, bool routed);
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index 166df54fe..f0a9e5504 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1969,7 +1969,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
@@ -1987,7 +1987,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
/* tunnel mode policies direct the packets into the pseudo IPIP SA */
satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
- proto2satype(protocol);
+ proto2satype(spi ? IPPROTO_ESP : IPPROTO_AH);
/* create a policy */
policy = create_policy_entry(src_ts, dst_ts, direction);
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 6ecfa03e3..3fd78626b 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1617,7 +1617,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
@@ -1749,7 +1749,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
}
tmpl->reqid = reqid;
- tmpl->id.proto = protocol;
+ tmpl->id.proto = spi ? IPPROTO_ESP : IPPROTO_AH;
tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
tmpl->mode = mode2kernel(mode);
tmpl->family = src->get_family(src);
@@ -1943,7 +1943,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
METHOD(kernel_ipsec_t, del_policy, status_t,
private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+ traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
bool unrouted)
{
policy_entry_t *current, policy, *to_delete = NULL;
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index b2c0e2ccd..5cd06eb2f 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1593,7 +1593,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
@@ -1661,7 +1661,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
req = (struct sadb_x_ipsecrequest*)(pol + 1);
- req->sadb_x_ipsecrequest_proto = protocol;
+ req->sadb_x_ipsecrequest_proto = spi ? IPPROTO_ESP : IPPROTO_AH;
/* !!! the length of this struct MUST be in octets instead of 64 bit words */
req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
req->sadb_x_ipsecrequest_mode = mode2kernel(mode);