kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods
authorMartin Willi <martin@revosec.ch>
Wed, 15 Oct 2014 15:22:55 +0000 (17:22 +0200)
committerMartin Willi <martin@revosec.ch>
Fri, 20 Feb 2015 12:34:32 +0000 (13:34 +0100)
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.

If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotiated. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends where this is necessary.

src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.c
src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
src/libcharon/plugins/load_tester/load_tester_ipsec.c
src/libcharon/sa/child_sa.c
src/libhydra/kernel/kernel_interface.c
src/libhydra/kernel/kernel_interface.h
src/libhydra/kernel/kernel_ipsec.h
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index dbeea93..d0bf8df 100644 (file)
@@ -60,7 +60,7 @@ struct private_tkm_kernel_ipsec_t {
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
        private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
-       u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+       u_int8_t protocol, u_int32_t *spi)
 {
        bool result;
 
@@ -74,7 +74,6 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
                }
        }
 
-       DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid);
        result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
                                                                  (u_int8_t *)spi);
        return result ? SUCCESS : FAILED;
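Review bot: The SPI written by `get_bytes()` here is four unconstrained random bytes, so it can come out as 0 or fall in the 1–255 range that RFC 4303 reserves, and nothing in the visible lines rejects those values. The netlink and pfkey backends in this commit instead request an explicit range (`0xc0000000`–`0xcFFFFFFF`). Unless the part of get_spi above this hunk or the caller already handles it, a re-draw would close the gap: `while (result && ntohl(*spi) <= 0xff) result = this->rng->get_bytes(this->rng, sizeof(u_int32_t), (u_int8_t *)spi);`. With the DBG1 line removed, a failed RNG call also returns FAILED with no log entry at all. The function begins outside the hunk.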
@@ -82,7 +81,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
        private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
-       u_int32_t reqid, u_int16_t *cpi)
+       u_int16_t *cpi)
 {
        return NOT_SUPPORTED;
 }
index 84b3b60..d2a45da 100644 (file)
@@ -48,14 +48,14 @@ void expire(u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard)
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
        private_kernel_android_ipsec_t *this, host_t *src, host_t *dst,
-       u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+       u_int8_t protocol, u_int32_t *spi)
 {
        return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, spi);
 }
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
        private_kernel_android_ipsec_t *this, host_t *src, host_t *dst,
-       u_int32_t reqid, u_int16_t *cpi)
+       u_int16_t *cpi)
 {
        return NOT_SUPPORTED;
 }
index 5ab0c97..e277063 100644 (file)
@@ -236,14 +236,14 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
        private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
-       u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+       u_int8_t protocol, u_int32_t *spi)
 {
        return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, spi);
 }
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
        private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
-       u_int32_t reqid, u_int16_t *cpi)
+       u_int16_t *cpi)
 {
        return NOT_SUPPORTED;
 }
index 39e37b1..61e820d 100644 (file)
@@ -1981,7 +1981,7 @@ static u_int permute(u_int x, u_int p)
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
        private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
-       u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+       u_int8_t protocol, u_int32_t *spi)
 {
        /* To avoid sequencial SPIs, we use a one-to-one permuation function on
         * an incrementing counter, that is a full period PRNG for the range we
@@ -1998,7 +1998,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
        private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
-       u_int32_t reqid, u_int16_t *cpi)
+       u_int16_t *cpi)
 {
        return NOT_SUPPORTED;
 }
index 3f256dd..578fc53 100644 (file)
@@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t {
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
        private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-       u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+       u_int8_t protocol, u_int32_t *spi)
 {
        *spi = (uint32_t)ref_get(&this->spi);
        return SUCCESS;
@@ -44,7 +44,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
        private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-       u_int32_t reqid, u_int16_t *cpi)
+       u_int16_t *cpi)
 {
        return FAILED;
 }
index 66be5fe..9026681 100644 (file)
@@ -603,7 +603,7 @@ METHOD(child_sa_t, alloc_spi, u_int32_t,
 {
        if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
                                                                                 this->other_addr, this->my_addr,
-                                                                                proto_ike2ip(protocol), this->reqid,
+                                                                                proto_ike2ip(protocol),
                                                                                 &this->my_spi) == SUCCESS)
        {
                /* if we allocate a SPI, but then are unable to establish the SA, we
@@ -619,7 +619,7 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
 {
        if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
                                                                                 this->other_addr, this->my_addr,
-                                                                                this->reqid, &this->my_cpi) == SUCCESS)
+                                                                                &this->my_cpi) == SUCCESS)
        {
                return this->my_cpi;
        }
index 3fa28e0..f479b87 100644 (file)
@@ -155,24 +155,24 @@ METHOD(kernel_interface_t, get_features, kernel_feature_t,
 
 METHOD(kernel_interface_t, get_spi, status_t,
        private_kernel_interface_t *this, host_t *src, host_t *dst,
-       u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+       u_int8_t protocol, u_int32_t *spi)
 {
        if (!this->ipsec)
        {
                return NOT_SUPPORTED;
        }
-       return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
+       return this->ipsec->get_spi(this->ipsec, src, dst, protocol, spi);
 }
 
 METHOD(kernel_interface_t, get_cpi, status_t,
        private_kernel_interface_t *this, host_t *src, host_t *dst,
-       u_int32_t reqid, u_int16_t *cpi)
+       u_int16_t *cpi)
 {
        if (!this->ipsec)
        {
                return NOT_SUPPORTED;
        }
-       return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
+       return this->ipsec->get_cpi(this->ipsec, src, dst, cpi);
 }
 
 METHOD(kernel_interface_t, add_sa, status_t,
index cd55038..f290167 100644 (file)
@@ -104,24 +104,22 @@ struct kernel_interface_t {
         * @param src           source address of SA
         * @param dst           destination address of SA
         * @param protocol      protocol for SA (ESP/AH)
-        * @param reqid         unique ID for this SA
         * @param spi           allocated spi
-        * @return                              SUCCESS if operation completed
+        * @return                      SUCCESS if operation completed
         */
        status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
-                                               u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+                                               u_int8_t protocol, u_int32_t *spi);
 
        /**
         * Get a Compression Parameter Index (CPI) from the kernel.
         *
         * @param src           source address of SA
         * @param dst           destination address of SA
-        * @param reqid         unique ID for the corresponding SA
         * @param cpi           allocated cpi
-        * @return                              SUCCESS if operation completed
+        * @return                      SUCCESS if operation completed
         */
        status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
-                                               u_int32_t reqid, u_int16_t *cpi);
+                                               u_int16_t *cpi);
 
        /**
         * Add an SA to the SAD.
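Review bot: The `@param spi` and `@param cpi` lines in these doc comments do not state the byte order of the returned value, and with `@param reqid` removed the comments no longer say where the reqid gets bound. The netlink and pfkey backends in this commit log the result through `ntohl(*spi)` and store `htons(...)` into `*cpi`, which suggests network byte order. I would write `@param spi allocated spi, in network byte order` (likewise for cpi) and add one sentence saying that the reqid is assigned later, when the negotiated SA is installed. The identical comments in the kernel_ipsec_t hunk need the same text. The struct continues outside the hunk.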
index eec7401..286f53f 100644 (file)
@@ -58,24 +58,22 @@ struct kernel_ipsec_t {
         * @param src           source address of SA
         * @param dst           destination address of SA
         * @param protocol      protocol for SA (ESP/AH)
-        * @param reqid         unique ID for this SA
         * @param spi           allocated spi
-        * @return                              SUCCESS if operation completed
+        * @return                      SUCCESS if operation completed
         */
        status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
-                                               u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+                                               u_int8_t protocol, u_int32_t *spi);
 
        /**
         * Get a Compression Parameter Index (CPI) from the kernel.
         *
         * @param src           source address of SA
         * @param dst           destination address of SA
-        * @param reqid         unique ID for the corresponding SA
         * @param cpi           allocated cpi
-        * @return                              SUCCESS if operation completed
+        * @return                      SUCCESS if operation completed
         */
        status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
-                                               u_int32_t reqid, u_int16_t *cpi);
+                                               u_int16_t *cpi);
 
        /**
         * Add an SA to the SAD.
index cfe58bc..a9f9c9f 100644 (file)
@@ -1066,7 +1066,7 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
  */
 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
        host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
-       u_int32_t reqid, u_int32_t *spi)
+       u_int32_t *spi)
 {
        netlink_buf_t request;
        struct nlmsghdr *hdr, *out;
@@ -1086,7 +1086,6 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
        host2xfrm(dst, &userspi->info.id.daddr);
        userspi->info.id.proto = proto;
        userspi->info.mode = XFRM_MODE_TUNNEL;
-       userspi->info.reqid = reqid;
        userspi->info.family = src->get_family(src);
        userspi->min = min;
        userspi->max = max;
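Review bot: With `userspi->info.reqid = reqid;` removed, the reqid field sent to the kernel is whatever the `request` buffer already held, so this is only correct if the buffer is zeroed before `userspi` is filled in. That initialisation is not visible in this hunk and should be confirmed. A short comment at the old assignment site would record the intent: `/* info.reqid stays 0 here; the reqid is set by the update call when the SA is installed */`. The same applies to the removed `sa2->sadb_x_sa2_reqid = reqid;` in the pfkey get_spi_internal hunk, where `request` is a stack array. The function starts and ends outside the hunk.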
@@ -1133,39 +1132,35 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
        private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-       u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+       u_int8_t protocol, u_int32_t *spi)
 {
-       DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-
        if (get_spi_internal(this, src, dst, protocol,
-                                                0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
+                                                0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
        {
-               DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
+               DBG1(DBG_KNL, "unable to get SPI");
                return FAILED;
        }
 
-       DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+       DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
        return SUCCESS;
 }
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
        private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-       u_int32_t reqid, u_int16_t *cpi)
+       u_int16_t *cpi)
 {
        u_int32_t received_spi = 0;
 
-       DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
-
        if (get_spi_internal(this, src, dst, IPPROTO_COMP,
-                                                0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
+                                                0x100, 0xEFFF, &received_spi) != SUCCESS)
        {
-               DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
+               DBG1(DBG_KNL, "unable to get CPI");
                return FAILED;
        }
 
        *cpi = htons((u_int16_t)ntohl(received_spi));
 
-       DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
+       DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
        return SUCCESS;
 }
 
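Review bot: The failure message `unable to get SPI` (and `unable to get CPI` below it) no longer carries anything that ties it to a particular SA, where it used to carry the reqid. On a gateway with many tunnels that makes a failed allocation hard to attribute. Both `src` and `dst` are in scope, so something like `DBG1(DBG_KNL, "unable to get SPI for %H - %H", src, dst);` would keep the line useful; the same applies to the pfkey get_spi/get_cpi hunk. Separately, the range literals `0xc0000000, 0xcFFFFFFF` and `0x100, 0xEFFF` are repeated in both backends and would read better as named constants.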
index 6b56782..1d24b7b 100644 (file)
@@ -1518,7 +1518,7 @@ static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd,
 
 static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
        host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
-       u_int32_t reqid, u_int32_t *spi)
+       u_int32_t *spi)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1539,7 +1539,6 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
        sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
        sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
        sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
-       sa2->sadb_x_sa2_reqid = reqid;
        PFKEY_EXT_ADD(msg, sa2);
 
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
@@ -1577,39 +1576,37 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
        private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-       u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+       u_int8_t protocol, u_int32_t *spi)
 {
-       DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-
        if (get_spi_internal(this, src, dst, protocol,
-                                                0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
+                                                0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
        {
-               DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
+               DBG1(DBG_KNL, "unable to get SPI");
                return FAILED;
        }
 
-       DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+       DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
        return SUCCESS;
 }
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
        private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-       u_int32_t reqid, u_int16_t *cpi)
+       u_int16_t *cpi)
 {
        u_int32_t received_spi = 0;
 
-       DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
+       DBG2(DBG_KNL, "getting CPI");
 
        if (get_spi_internal(this, src, dst, IPPROTO_COMP,
-                                                0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
+                                                0x100, 0xEFFF, &received_spi) != SUCCESS)
        {
-               DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
+               DBG1(DBG_KNL, "unable to get CPI");
                return FAILED;
        }
 
        *cpi = htons((u_int16_t)ntohl(received_spi));
 
-       DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
+       DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
        return SUCCESS;
 }
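Review bot: `DBG2(DBG_KNL, "getting CPI");` is kept in get_cpi here, while the matching `getting SPI` line in get_spi above it and both `getting ...` lines in the netlink backend are dropped. Without the reqid the line adds nothing beyond the `got CPI` / `unable to get CPI` messages that follow. I would delete it so the two backends log the same way, or keep all four.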