* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
- * Copyright (C) 2003 Herbert Xu.
- *
- * Based on xfrm code from pluto.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
/** direction of this policy: in, out, forward */
u_int8_t direction;
+ /** protocol ID: ESP/AH */
+ protocol_id_t proto;
+
/** reqid of the policy */
u_int32_t reqid;
memset(policy, 0, sizeof(policy_entry_t));
policy->sel = ts2selector(src_ts, dst_ts);
policy->direction = direction;
+ policy->proto = protocol;
/* find the policy, which matches EXACTLY */
pthread_mutex_lock(&this->mutex);
iterator = this->policies->create_iterator(this->policies, TRUE);
while (iterator->iterate(iterator, (void**)¤t))
{
- if (memcmp(¤t->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
- policy->direction == current->direction)
+ if (memeq(¤t->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
+ policy->direction == current->direction &&
+ policy->proto == current->proto)
{
/* use existing policy */
current->refcount++;
}
static status_t add_policies(private_child_sa_t *this,
- linked_list_t *my_ts_list,
- linked_list_t *other_ts_list, mode_t mode)
+ linked_list_t *my_ts_list, linked_list_t *other_ts_list,
+ mode_t mode, protocol_id_t proto)
{
iterator_t *my_iter, *other_iter;
traffic_selector_t *my_ts, *other_ts;
/* use low prio for ROUTED policies */
bool high_prio = (this->state != CHILD_CREATED);
+ if (this->protocol == PROTO_NONE)
+ { /* update if not set yet */
+ this->protocol = proto;
+ }
+
/* iterate over both lists */
my_iter = my_ts_list->create_iterator(my_ts_list, TRUE);
other_iter = other_ts_list->create_iterator(other_ts_list, TRUE);
this->public.add = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))add;
this->public.update = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))update;
this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,bool))update_hosts;
- this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,mode_t))add_policies;
+ this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,mode_t,protocol_id_t))add_policies;
this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
* @param my_ts traffic selectors for local site
* @param other_ts traffic selectors for remote site
* @param mode mode for the SA: tunnel/transport
+ * @param proto protocol for policy, ESP/AH
* @return SUCCESS or FAILED
*/
status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
- linked_list_t *other_ts_list, mode_t mode);
+ linked_list_t *other_ts_list, mode_t mode,
+ protocol_id_t proto);
/**
* Get the traffic selectors of added policies of local host.
my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
status = child_sa->add_policies(child_sa, my_ts, other_ts,
- child_cfg->get_mode(child_cfg));
+ child_cfg->get_mode(child_cfg), PROTO_NONE);
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
if (status == SUCCESS)
{
seed = chunk_cata("cc", nonce_i, nonce_r);
}
- prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
if (this->ipcomp != IPCOMP_NONE)
{
this->other_cpi);
}
+ status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
+ this->mode, this->proposal->get_protocol(this->proposal));
+ if (status != SUCCESS)
+ {
+ SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel");
+ return NOT_FOUND;
+ }
+
+ prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
if (this->initiator)
{
status = this->child_sa->update(this->child_sa, this->proposal,
SIG(CHILD_UP_FAILED, "unable to install IPsec SA (SAD) in kernel");
return FAILED;
}
-
- status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
- this->mode);
-
- if (status != SUCCESS)
- {
- SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel");
- return NOT_FOUND;
- }
/* add to IKE_SA, and remove from task */
this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);