aboutsummaryrefslogtreecommitdiffstats
path: root/Source/charon/threads
diff options
context:
space:
mode:
Diffstat (limited to 'Source/charon/threads')
-rw-r--r--Source/charon/threads/kernel_interface.c93
-rw-r--r--Source/charon/threads/kernel_interface.h97
2 files changed, 149 insertions, 41 deletions
diff --git a/Source/charon/threads/kernel_interface.c b/Source/charon/threads/kernel_interface.c
index 8ff1affbd..7b0c163ce 100644
--- a/Source/charon/threads/kernel_interface.c
+++ b/Source/charon/threads/kernel_interface.c
@@ -44,28 +44,34 @@
#define SPD_PRIORITY 1024
+#define XFRM_DATA_LENGTH 512
+
typedef struct xfrm_data_t xfrm_data_t;
/**
* Lenght/Type/data struct for userdata in xfrm
+ * We dont use the "I-don't-know-where-they-come-from"-structs
+ * used in the kernel.
*/
struct xfrm_data_t {
/**
* length of the data
*/
u_int16_t length;
+
/**
* type of data
*/
u_int16_t type;
+
/**
* and the data itself, for different purposes
*/
union {
- /* algorithm */
+ /** algorithm */
struct xfrm_algo algo;
- /* policy tmpl */
+ /** policy tmpl */
struct xfrm_user_tmpl tmpl[2];
};
};
@@ -84,20 +90,20 @@ struct netlink_message_t {
struct nlmsghdr hdr;
union {
- /* error message */
+ /** error message */
struct nlmsgerr e;
- /* message for spi allocation */
+ /** message for spi allocation */
struct xfrm_userspi_info spi;
- /* message for SA manipulation */
+ /** message for SA manipulation */
struct xfrm_usersa_id sa_id;
- /* message for SA installation */
+ /** message for SA installation */
struct xfrm_usersa_info sa;
- /* message for policy manipulation */
+ /** message for policy manipulation */
struct xfrm_userpolicy_id policy_id;
- /* message for policy installation */
+ /** message for policy installation */
struct xfrm_userpolicy_info policy;
};
- u_int8_t data[512];
+ u_int8_t data[XFRM_DATA_LENGTH];
};
@@ -155,6 +161,12 @@ struct private_kernel_interface_t {
status_t (*send_message) (private_kernel_interface_t *this, netlink_message_t *request, netlink_message_t **response);
};
+/**
+ * In the kernel, algorithms are identified as strings, we use our
+ * mapping functions...
+ * Algorithms for encryption.
+ * TODO: Add missing algorithm strings
+ */
mapping_t kernel_encryption_algs_m[] = {
{ENCR_DES_IV64, ""},
{ENCR_DES, "des"},
@@ -170,7 +182,12 @@ mapping_t kernel_encryption_algs_m[] = {
{ENCR_AES_CTR, ""},
{MAPPING_END, NULL}
};
-
+/**
+ * In the kernel, algorithms are identified as strings, we use our
+ * mapping functions...
+ * Algorithms for integrity protection.
+ * TODO: Add missing algorithm strings
+ */
mapping_t kernel_integrity_algs_m[] = {
{AUTH_HMAC_MD5_96, "md5"},
{AUTH_HMAC_SHA1_96, "sha1"},
@@ -180,7 +197,9 @@ mapping_t kernel_integrity_algs_m[] = {
{MAPPING_END, NULL}
};
-
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
static status_t get_spi(private_kernel_interface_t *this,
host_t *src, host_t *dest,
protocol_id_t protocol, u_int32_t reqid,
@@ -199,8 +218,8 @@ static status_t get_spi(private_kernel_interface_t *this,
request.spi.info.reqid = reqid;
request.spi.info.id.proto = (protocol == ESP) ? KERNEL_ESP : KERNEL_AH;
request.spi.info.family = PF_INET;
- request.spi.min = 100;
- request.spi.max = 200;
+ request.spi.min = 0xc0000000;
+ request.spi.max = 0xcFFFFFFF;
if (this->send_message(this, &request, &response) != SUCCESS)
{
@@ -225,6 +244,9 @@ static status_t get_spi(private_kernel_interface_t *this,
return status;
}
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
static status_t add_sa( private_kernel_interface_t *this,
host_t *me,
host_t *other,
@@ -267,11 +289,13 @@ static status_t add_sa( private_kernel_interface_t *this,
data->type = XFRMA_ALG_CRYPT;
data->length = 4 + sizeof(data->algo) + encryption_key.len;
data->algo.alg_key_len = encryption_key.len * 8;
-
+ request.hdr.nlmsg_len += data->length;
+ if (request.hdr.nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
strcpy(data->algo.alg_name, mapping_find(kernel_encryption_algs_m, enc_alg));
memcpy(data->algo.alg_key, encryption_key.ptr, encryption_key.len);
-
- request.hdr.nlmsg_len += data->length;
}
if (int_alg != AUTH_UNDEFINED)
@@ -281,13 +305,16 @@ static status_t add_sa( private_kernel_interface_t *this,
data->type = XFRMA_ALG_AUTH;
data->length = 4 + sizeof(data->algo) + integrity_key.len;
data->algo.alg_key_len = integrity_key.len * 8;
+ request.hdr.nlmsg_len += data->length;
+ if (request.hdr.nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
strcpy(data->algo.alg_name, mapping_find(kernel_integrity_algs_m, int_alg));
memcpy(data->algo.alg_key, integrity_key.ptr, integrity_key.len);
-
- request.hdr.nlmsg_len += data->length;
}
- /* add IPComp here*/
+ /* TODO: add IPComp here*/
if (this->send_message(this, &request, &response) != SUCCESS)
{
@@ -343,6 +370,9 @@ static status_t del_sa( private_kernel_interface_t *this,
return SUCCESS;
}
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
static status_t add_policy(private_kernel_interface_t *this,
host_t *me, host_t *other,
host_t *src, host_t *dst,
@@ -432,6 +462,9 @@ static status_t add_policy(private_kernel_interface_t *this,
return status;
}
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
static status_t del_policy(private_kernel_interface_t *this,
host_t *me, host_t *other,
host_t *src, host_t *dst,
@@ -477,7 +510,9 @@ static status_t del_policy(private_kernel_interface_t *this,
return status;
}
-
+/**
+ * Implementation of private_kernel_interface_t.send_message.
+ */
static status_t send_message(private_kernel_interface_t *this, netlink_message_t *request, netlink_message_t **response)
{
size_t length;
@@ -528,7 +563,7 @@ static status_t send_message(private_kernel_interface_t *this, netlink_message_t
{
break;
}
- /* we should time out, if something goes wrong */
+ /* TODO: we should time out, if something goes wrong!??? */
pthread_cond_wait(&(this->condvar), &(this->mutex));
}
@@ -537,7 +572,9 @@ static status_t send_message(private_kernel_interface_t *this, netlink_message_t
return SUCCESS;
}
-
+/**
+ * Implementation of private_kernel_interface_t.receive_messages.
+ */
static void receive_messages(private_kernel_interface_t *this)
{
while(TRUE)
@@ -599,8 +636,6 @@ static void receive_messages(private_kernel_interface_t *this)
}
}
-
-
/**
* Implementation of kernel_interface_t.destroy.
*/
@@ -613,8 +648,6 @@ static void destroy(private_kernel_interface_t *this)
allocator_free(this);
}
-#define ASSIGN(member, function) member = (void*)function
-
/*
* Described in header.
*/
@@ -626,8 +659,8 @@ kernel_interface_t *kernel_interface_create()
this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,encryption_algorithm_t,chunk_t,integrity_algorithm_t,chunk_t,bool))add_sa;
this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*, host_t*,host_t*,host_t*,u_int8_t,u_int8_t,int,int,bool,bool,u_int32_t))add_policy;
- ASSIGN(this->public.del_sa, del_sa);
- ASSIGN(this->public.del_policy, del_policy);
+ this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
+ this->public.del_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,host_t*,host_t*,u_int8_t,u_int8_t,int,int))del_policy;
this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
@@ -653,10 +686,6 @@ kernel_interface_t *kernel_interface_create()
charon->kill(charon, "Unable to create netlink thread");
}
- //host_t *all = host_create(AF_INET, "0.0.0.0", 500);
- //add_policy(this, all, all, all, all, 0, 0, XFRM_POLICY_OUT, 17, FALSE, FALSE, 0);
-
-
charon->logger_manager->enable_logger_level(charon->logger_manager, TESTER, FULL);
return (&this->public);
}
diff --git a/Source/charon/threads/kernel_interface.h b/Source/charon/threads/kernel_interface.h
index 7c2a27147..f7621afd9 100644
--- a/Source/charon/threads/kernel_interface.h
+++ b/Source/charon/threads/kernel_interface.h
@@ -33,6 +33,10 @@ typedef struct kernel_interface_t kernel_interface_t;
/**
* @brief Interface to the kernel.
*
+ * The kernel interface handles the communication with the kernel
+ * for SA and policy management. It allows setup of these, and provides
+ * further the handling of kernel events.
+ *
* @b Constructors:
* - kernel_interface_create()
*
@@ -41,22 +45,47 @@ typedef struct kernel_interface_t kernel_interface_t;
struct kernel_interface_t {
/**
- * @brief Get a SPI from the kernel
+ * @brief Get a SPI from the kernel.
*
- * @todo Fix spi range
+ * @param this calling object
+ * @param src source address of SA
+ * @param dst destination address of SA
+ * @param protocol protocol for SA (ESP/AH)
+ * @param reqid unique ID for this SA
+ * @param[out] spi allocated spi
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
*/
status_t (*get_spi) (kernel_interface_t *this,
- host_t *src, host_t *dest,
+ host_t *src, host_t *dst,
protocol_id_t protocol,
u_int32_t reqid,
u_int32_t *spi);
/**
- * @brief Create an SA.
+ * @brief Add an SA to the SAD.
*
- * @todo Fix reqid and replay_window params
+ * add_sa() may update an already allocated
+ * SPI (via get_spi). In this case, the replace
+ * flag must be set.
+ * This function does install a single SA for a
+ * single protocol in one direction.
*
- * @todo Cleanup method params
+ * @param this calling object
+ * @param src source address for this SA
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param reqid unique ID for this SA
+ * @param enc_alg Algorithm to use for encryption (ESP only)
+ * @param enc_key Key to use for encryption
+ * @param int_alg Algorithm to use for integrity protection
+ * @param int_key Key for integrity protection
+ * @param replace Should an already installed SA be updated?
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
*/
status_t (*add_sa)(kernel_interface_t *this,
host_t *src, host_t *dst,
@@ -64,16 +93,50 @@ struct kernel_interface_t {
protocol_id_t protocol,
u_int32_t reqid,
encryption_algorithm_t enc_alg,
- chunk_t encryption_key,
+ chunk_t enc_key,
integrity_algorithm_t int_alg,
- chunk_t integrity_key,
+ chunk_t int_key,
bool replace);
-
+ /**
+ * @brief Delete a previusly installed SA from the SAD.
+ *
+ * @param this calling object
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
status_t (*del_sa) (kernel_interface_t *this,
host_t *dst,
u_int32_t spi,
protocol_id_t protocol);
+ /**
+ * @brief Add a policy to the SPD.
+ *
+ * A policy is always associated to an SA, so
+ * traffic applied to a policy. Traffic which
+ * matches a policy is handled by the SA with the same
+ * reqid.
+ *
+ * @param this calling object
+ * @param me address of local peer
+ * @param other address of remote peer
+ * @param src src address of traffic this policy applies
+ * @param dst dest address of traffic this policy applies
+ * @param src_hostbits subnetmask to use for src address
+ * @param dst_hostbits subnetmask to use for dst address
+ * @param direction direction of traffic, XFRM_POLICY_OUT, XFRM_POLICY_IN, XFRM_POLICY_FWD
+ * @param upper_proto upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...)
+ * @param ah protect traffic with AH?
+ * @param esp protect traffic with ESP?
+ * @param reqid uniqe ID of an SA to use to enforce policy
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
status_t (*add_policy) (kernel_interface_t *this,
host_t *me, host_t *other,
host_t *src, host_t *dst,
@@ -82,6 +145,22 @@ struct kernel_interface_t {
bool ah, bool esp,
u_int32_t reqid);
+ /**
+ * @brief Remove a policy from the SPD.
+ *
+ * @param this calling object
+ * @param me address of local peer
+ * @param other address of remote peer
+ * @param src src address of traffic this policy applies
+ * @param dst dest address of traffic this policy applies
+ * @param src_hostbits subnetmask to use for src address
+ * @param dst_hostbits subnetmask to use for dst address
+ * @param direction direction of traffic, XFRM_POLICY_OUT, XFRM_POLICY_IN, XFRM_POLICY_FWD
+ * @param upper_proto upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...)
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
status_t (*del_policy) (kernel_interface_t *this,
host_t *me, host_t *other,
host_t *src, host_t *dst,
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-16 21:16:44 +0000