kernel-interface: Add a replay_window parameter to add_sa()
authorMartin Willi <martin@revosec.ch>
Mon, 16 Jun 2014 15:31:43 +0000 (17:31 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 17 Jun 2014 14:41:30 +0000 (16:41 +0200)
12 files changed:
src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.c
src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
src/libcharon/plugins/load_tester/load_tester_ipsec.c
src/libcharon/sa/child_sa.c
src/libhydra/kernel/kernel_interface.c
src/libhydra/kernel/kernel_interface.h
src/libhydra/kernel/kernel_ipsec.h
src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index 72c247d..dbeea93 100644 (file)
@@ -91,8 +91,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
        u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
        u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool _initiator, bool encap, bool esn, bool inbound,
+       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+       u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+       bool _initiator, bool encap, bool esn, bool inbound,
        traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
        esa_info_t esa;
index 48f1487..b1daaf0 100644 (file)
@@ -64,8 +64,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        private_kernel_android_ipsec_t *this, host_t *src, host_t *dst,
        u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
        u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+       u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+       bool initiator, bool encap, bool esn, bool inbound,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
        return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
index b335807..6f137b5 100644 (file)
@@ -252,8 +252,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
        u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
        u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+       u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+       bool initiator, bool encap, bool esn, bool inbound,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
        return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
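Review bot: The forwarding call `return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,` continues past the end of this hunk, so the diff does not show whether the new replay_window is passed on to the userland SA manager or silently dropped. If libipsec's SA manager takes no window parameter, a one-line comment at the signature, e.g. `/* replay_window is not configurable for libipsec; it applies its own default */`, would record that the caller's setting is ignored instead of leaving the next reader to discover it. The android_ipsec.c hunk forwards through the same `ipsec->sas->add_sa` call and would want the same comment.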
index 62b3ea8..cc1cae6 100644 (file)
@@ -1947,8 +1947,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
        u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
        u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+       u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+       bool initiator, bool encap, bool esn, bool inbound,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
        host_t *local, *remote;
index 5edd3b8..3f256dd 100644 (file)
@@ -53,8 +53,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
        u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
        u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+       u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+       bool initiator, bool encap, bool esn, bool inbound,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
        return SUCCESS;
index a7d7b73..bcb0ca2 100644 (file)
@@ -639,6 +639,7 @@ METHOD(child_sa_t, install, status_t,
        host_t *src, *dst;
        status_t status;
        bool update = FALSE;
+       u_int32_t replay_window = 0;
 
        /* now we have to decide which spi to use. Use self allocated, if "in",
         * or the one in the proposal, if not "in" (others). Additionally,
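Review bot: `u_int32_t replay_window = 0;` gives no hint why the default is zero; the explanation only appears two hunks later, in the `/* required on inbound SA only */` comment beside `this->config->get_replay_window(this->config)`. Since the add_sa call further down passes this 0 for every outbound SA, a reader of the declaration would be helped by `u_int32_t replay_window = 0; /* only set for inbound SAs */`. What the backends do with a zero window is not visible here and is presumably "no explicit window", which the kernel_ipsec_t documentation should pin down. install() starts and ends outside these hunks.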
@@ -653,6 +654,9 @@ METHOD(child_sa_t, install, status_t,
                }
                this->my_spi = spi;
                this->my_cpi = cpi;
+
+               /* required on inbound SA only */
+               replay_window = this->config->get_replay_window(this->config);
        }
        else
        {
@@ -722,8 +726,8 @@ METHOD(child_sa_t, install, status_t,
                                src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
                                inbound ? this->mark_in : this->mark_out, tfc,
                                lifetime, enc_alg, encr, int_alg, integ, this->mode,
-                               this->ipcomp, cpi, initiator, this->encap, esn, update,
-                               src_ts, dst_ts);
+                               this->ipcomp, cpi, replay_window, initiator, this->encap,
+                               esn, update, src_ts, dst_ts);
 
        free(lifetime);
 
index 3e34d20..c9379dc 100644 (file)
@@ -179,8 +179,9 @@ METHOD(kernel_interface_t, add_sa, status_t,
        private_kernel_interface_t *this, host_t *src, host_t *dst,
        u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
        u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-       u_int16_t int_alg, chunk_t int_key,     ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+       u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+       bool initiator, bool encap, bool esn, bool inbound,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
        if (!this->ipsec)
@@ -188,8 +189,9 @@ METHOD(kernel_interface_t, add_sa, status_t,
                return NOT_SUPPORTED;
        }
        return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
-                       mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
-                       ipcomp, cpi, initiator, encap, esn, inbound, src_ts, dst_ts);
+                               mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
+                               ipcomp, cpi, replay_window, initiator, encap, esn, inbound,
+                               src_ts, dst_ts);
 }
 
 METHOD(kernel_interface_t, update_sa, status_t,
index 3b1010d..bba6a58 100644 (file)
@@ -147,6 +147,7 @@ struct kernel_interface_t {
         * @param mode                  mode of the SA (tunnel, transport)
         * @param ipcomp                IPComp transform to use
         * @param cpi                   CPI for IPComp
+        * @param replay_window anti-replay window size
         * @param initiator             TRUE if initiator of the exchange creating this SA
         * @param encap                 enable UDP encapsulation for NAT traversal
         * @param esn                   TRUE to use Extended Sequence Numbers
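Review bot: The new entry `@param replay_window anti-replay window size` states neither the unit of the size nor the meaning of 0, yet the child_sa.c hunk passes 0 for every outbound SA and the netlink and pfkey IPComp calls pass 0 as well. If 0 is meant to select the backend's default (or no explicit window), that contract belongs in this header, since every kernel_ipsec_t implementation has to honour it: e.g. `@param replay_window	anti-replay window size, 0 to use the backend default`, with the unit named once it is settled. The entry is also aligned with a single space where the neighbouring `@param` lines use tab alignment. The identical entry in the kernel_ipsec.h hunk has the same gaps.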
@@ -162,6 +163,7 @@ struct kernel_interface_t {
                                                u_int16_t enc_alg, chunk_t enc_key,
                                                u_int16_t int_alg, chunk_t int_key,
                                                ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+                                               u_int32_t replay_window,
                                                bool initiator, bool encap, bool esn, bool inbound,
                                                traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 
index 25f5b38..eec7401 100644 (file)
@@ -101,6 +101,7 @@ struct kernel_ipsec_t {
         * @param mode                  mode of the SA (tunnel, transport)
         * @param ipcomp                IPComp transform to use
         * @param cpi                   CPI for IPComp
+        * @param replay_window anti-replay window size
         * @param initiator             TRUE if initiator of the exchange creating this SA
         * @param encap                 enable UDP encapsulation for NAT traversal
         * @param esn                   TRUE to use Extended Sequence Numbers
@@ -116,6 +117,7 @@ struct kernel_ipsec_t {
                                                u_int16_t enc_alg, chunk_t enc_key,
                                                u_int16_t int_alg, chunk_t int_key,
                                                ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+                                               u_int32_t replay_window,
                                                bool initiator, bool encap, bool esn, bool inbound,
                                                traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 
index 0b66b4d..baf87ae 100644 (file)
@@ -1682,8 +1682,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
        lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
        u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
-       u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
-       bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+       u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+       bool initiator, bool encap, bool esn, bool inbound,
+       traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
index c864a92..a1ccadd 100644 (file)
@@ -1194,8 +1194,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
        u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
        u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+       u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+       u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+       bool initiator, bool encap, bool esn, bool inbound,
        traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
        netlink_buf_t request;
@@ -1213,8 +1214,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
                add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
                           tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
-                          chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound,
-                          src_ts, dst_ts);
+                          chunk_empty, mode, ipcomp, 0, 0, initiator, FALSE, FALSE,
+                          inbound, src_ts, dst_ts);
                ipcomp = IPCOMP_NONE;
                /* use transport mode ESP SA, IPComp uses tunnel mode */
                mode = MODE_TRANSPORT;
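Review bot: The recursive IPComp call now reads `chunk_empty, mode, ipcomp, 0, 0, initiator, FALSE, FALSE,`, and the two adjacent literal zeros (cpi, then the new replay_window) are easy to misread or to misorder in a later edit; annotating them, `ipcomp, 0 /* cpi */, 0 /* replay_window */, initiator`, keeps the argument list self-describing. Nothing else in this hunk consumes replay_window, and the part of add_sa that fills `request` lies outside it, so I cannot tell from the diff whether the parameter is already applied to the SA or is left for a follow-up; a short comment at the signature saying which would help. The pfkey hunk has the same `0, 0` pair in its IPComp call.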
index c865917..40e1823 100644 (file)
@@ -1615,8 +1615,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
        lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
        u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
-       u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
-       bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+       u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+       bool initiator, bool encap, bool esn, bool inbound,
+       traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1633,7 +1634,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
                add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
                           tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
-                          chunk_empty, mode, ipcomp, 0, FALSE, FALSE, FALSE, inbound,
+                          chunk_empty, mode, ipcomp, 0, 0, FALSE, FALSE, FALSE, inbound,
                           NULL, NULL);
                ipcomp = IPCOMP_NONE;
                /* use transport mode ESP SA, IPComp uses tunnel mode */