Adapted the kernel interfaces to the new lifetime configuration.
authorTobias Brunner <tobias@strongswan.org>
Thu, 27 Aug 2009 09:41:52 +0000 (11:41 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 1 Sep 2009 10:53:13 +0000 (12:53 +0200)
src/charon/kernel/kernel_interface.c
src/charon/kernel/kernel_interface.h
src/charon/kernel/kernel_ipsec.h
src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
src/charon/plugins/load_tester/load_tester_ipsec.c

index 53ae1d2..f334513 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -73,7 +73,7 @@ static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *d
  */
 static status_t add_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
                                u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
-                               u_int64_t expire_soft, u_int64_t expire_hard,
+                               lifetime_cfg_t *lifetime,
                                u_int16_t enc_alg, chunk_t enc_key,
                                u_int16_t int_alg, chunk_t int_key,
                                ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
@@ -84,8 +84,8 @@ static status_t add_sa(private_kernel_interface_t *this, host_t *src, host_t *ds
                return NOT_SUPPORTED;
        }
        return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
-                       expire_soft, expire_hard, enc_alg, enc_key, int_alg, int_key,
-                       mode, ipcomp, cpi, encap, inbound);
+                       lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi,
+                       encap, inbound);
 }
 
 /**
@@ -398,7 +398,7 @@ kernel_interface_t *kernel_interface_create()
        
        this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-       this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+       this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
        this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
        this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
index c4a273a..f4247a2 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -78,22 +78,19 @@ struct kernel_interface_t {
        
        /**
         * Add an SA to the SAD.
-        * 
+        *
         * add_sa() may update an already allocated
         * SPI (via get_spi). In this case, the replace
         * flag must be set.
         * This function does install a single SA for a
-        * single protocol in one direction. The kernel-interface
-        * gets the keys itself from the PRF, as we don't know
-        * his algorithms and key sizes.
-        * 
+        * single protocol in one direction.
+        *
         * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
         * @param protocol              protocol for this SA (ESP/AH)
         * @param reqid                 unique ID for this SA
-        * @param expire_soft   lifetime in seconds before rekeying
-        * @param expire_hard   lifetime in seconds before delete
+        * @param lifetime              lifetime_cfg_t for this SA
         * @param enc_alg               Algorithm to use for encryption (ESP only)
         * @param enc_key               key to use for encryption
         * @param int_alg               Algorithm to use for integrity protection
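Review bot: `@param lifetime lifetime_cfg_t for this SA` only restates the parameter's type; the two entries it replaces said the values were seconds before rekeying and before deletion, and that contract is lost from the header. Suggest `@param lifetime lifetime configuration; rekey_time/life_time are taken as seconds since the SA was added, and the pointer is not retained past the call` — the last clause is inferred from the netlink backend, which hands the address of a stack local to add_sa for the IPComp SA, so confirm it holds for every backend. It would also help to state whether NULL is accepted, since each backend changed in this commit dereferences the pointer unconditionally. The identical text in the kernel_ipsec.h hunk at `@@ -108,22 +109,19 @@` should be updated in the same way.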
@@ -108,9 +105,9 @@ struct kernel_interface_t {
        status_t (*add_sa) (kernel_interface_t *this,
                                                host_t *src, host_t *dst, u_int32_t spi,
                                                protocol_id_t protocol, u_int32_t reqid,
-                                               u_int64_t expire_soft, u_int64_t expire_hard,
-                                           u_int16_t enc_alg, chunk_t enc_key,
-                                           u_int16_t int_alg, chunk_t int_key,
+                                               lifetime_cfg_t *lifetime,
+                                               u_int16_t enc_alg, chunk_t enc_key,
+                                               u_int16_t int_alg, chunk_t int_key,
                                                ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
                                                bool encap, bool inbound);
        
index 4abe3bf..b21be84 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -30,7 +30,8 @@ typedef struct kernel_ipsec_t kernel_ipsec_t;
 
 #include <utils/host.h>
 #include <crypto/prf_plus.h>
-#include <encoding/payloads/proposal_substructure.h>
+#include <config/proposal.h>
+#include <config/child_cfg.h>
 
 /**
  * Mode of a CHILD_SA.
@@ -108,22 +109,19 @@ struct kernel_ipsec_t {
        
        /**
         * Add an SA to the SAD.
-        * 
+        *
         * add_sa() may update an already allocated
         * SPI (via get_spi). In this case, the replace
         * flag must be set.
         * This function does install a single SA for a
-        * single protocol in one direction. The kernel-interface
-        * gets the keys itself from the PRF, as we don't know
-        * his algorithms and key sizes.
-        * 
+        * single protocol in one direction.
+        *
         * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
         * @param protocol              protocol for this SA (ESP/AH)
         * @param reqid                 unique ID for this SA
-        * @param expire_soft   lifetime in seconds before rekeying
-        * @param expire_hard   lifetime in seconds before delete
+        * @param lifetime              lifetime_cfg_t for this SA
         * @param enc_alg               Algorithm to use for encryption (ESP only)
         * @param enc_key               key to use for encryption
         * @param int_alg               Algorithm to use for integrity protection
@@ -138,9 +136,9 @@ struct kernel_ipsec_t {
        status_t (*add_sa) (kernel_ipsec_t *this,
                                                host_t *src, host_t *dst, u_int32_t spi,
                                                protocol_id_t protocol, u_int32_t reqid,
-                                               u_int64_t expire_soft, u_int64_t expire_hard,
-                                           u_int16_t enc_alg, chunk_t enc_key,
-                                           u_int16_t int_alg, chunk_t int_key,
+                                               lifetime_cfg_t *lifetime,
+                                               u_int16_t enc_alg, chunk_t enc_key,
+                                               u_int16_t int_alg, chunk_t int_key,
                                                ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
                                                bool encap, bool inbound);
        
index 0a35546..5dc08b2 100644 (file)
@@ -1700,7 +1700,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
 static status_t add_sa(private_kernel_klips_ipsec_t *this,
                                           host_t *src, host_t *dst, u_int32_t spi,
                                           protocol_id_t protocol, u_int32_t reqid,
-                                          u_int64_t expire_soft, u_int64_t expire_hard,
+                                          lifetime_cfg_t *lifetime,
                                           u_int16_t enc_alg, chunk_t enc_key,
                                           u_int16_t int_alg, chunk_t int_key,
                                           ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
@@ -1844,14 +1844,14 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
        /* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
         * of SAs manually in the plugin. Refer to the comments in receive_events()
         * for details. */
-       if (expire_soft)
+       if (lifetime->rekey_time)
        {
-               schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, expire_soft);
+               schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->rekey_time);
        }
        
-       if (expire_hard)
+       if (lifetime->life_time)
        {
-               schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, expire_hard);
+               schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->life_time);
        }
                
        return SUCCESS;
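Review bot: Only `lifetime->rekey_time` and `lifetime->life_time` are consumed here, so whatever else lifetime_cfg_t carries is silently ignored; the nine-element zero initializer in the netlink hunk suggests the struct has more members than these two, presumably byte/packet limits and jitter. If an administrator configures a byte- or packet-based rekey, the SA would stay in use past that bound with no indication in the log. The same holds for the netlink hunk at `@@ -970,8 +971,8 @@`, which pins `soft_packet_limit`/`hard_packet_limit` to XFRM_INF, and for the pfkey hunk at `@@ -1287,13 +1287,13 @@`, which fills only `sadb_lifetime_addtime`. Until those limits are wired up, logging a warning when a non-zero unsupported limit is present, or at least a comment such as `/* only time-based lifetimes are honoured; byte/packet limits are not enforced here */`, would make the gap visible. add_sa begins outside this hunk.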
@@ -2617,7 +2617,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
        /* public functions */
        this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-       this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+       this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
        this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
        this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
index edad7f7..afdf7ed 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
@@ -919,7 +919,7 @@ static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
                                           host_t *src, host_t *dst, u_int32_t spi,
                                           protocol_id_t protocol, u_int32_t reqid,
-                                          u_int64_t expire_soft, u_int64_t expire_hard,
+                                          lifetime_cfg_t *lifetime,
                                           u_int16_t enc_alg, chunk_t enc_key,
                                           u_int16_t int_alg, chunk_t int_key,
                                           ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
@@ -935,7 +935,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
         * we are in the recursive call below */
        if (ipcomp != IPCOMP_NONE && cpi != 0)
        {
-               add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, 0, 0,
+               lifetime_cfg_t lft = { 0,0,0,0,0,0,0,0,0 };
+               add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft,
                           ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
                           mode, ipcomp, 0, FALSE, inbound);
                ipcomp = IPCOMP_NONE;
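Review bot: `lifetime_cfg_t lft = { 0,0,0,0,0,0,0,0,0 };` ties this line to the exact member count of lifetime_cfg_t, so any later change to the struct turns it into a positional initializer that is easy to get wrong. `lifetime_cfg_t lft = { 0 };` zero-initializes every member regardless of layout and reads as intent rather than as a count. Since the previous code passed `0, 0` for the IPComp SA, a short comment would also help the next reader, e.g. `/* the IPComp SA is installed without lifetime limits of its own */`. add_sa continues outside this hunk.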
@@ -970,8 +971,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
        sa->lft.soft_packet_limit = XFRM_INF;
        sa->lft.hard_packet_limit = XFRM_INF;
        /* we use lifetimes since added, not since used */
-       sa->lft.soft_add_expires_seconds = expire_soft;
-       sa->lft.hard_add_expires_seconds = expire_hard;
+       sa->lft.soft_add_expires_seconds = lifetime->rekey_time;
+       sa->lft.hard_add_expires_seconds = lifetime->life_time;
        sa->lft.soft_use_expires_seconds = 0;
        sa->lft.hard_use_expires_seconds = 0;
        
@@ -1970,7 +1971,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
        /* public functions */
        this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-       this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+       this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
        this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
        this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
index 7674654..a37a1b0 100644 (file)
@@ -1226,7 +1226,7 @@ static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
                                           host_t *src, host_t *dst, u_int32_t spi,
                                           protocol_id_t protocol, u_int32_t reqid,
-                                          u_int64_t expire_soft, u_int64_t expire_hard,
+                                          lifetime_cfg_t *lifetime,
                                           u_int16_t enc_alg, chunk_t enc_key,
                                           u_int16_t int_alg, chunk_t int_key,
                                           ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
@@ -1287,13 +1287,13 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-       lft->sadb_lifetime_addtime = expire_soft;
+       lft->sadb_lifetime_addtime = lifetime->rekey_time;
        PFKEY_EXT_ADD(msg, lft);
        
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-       lft->sadb_lifetime_addtime = expire_hard;
+       lft->sadb_lifetime_addtime = lifetime->life_time;
        PFKEY_EXT_ADD(msg, lft);
        
        if (enc_alg != ENCR_UNDEFINED)
@@ -2153,7 +2153,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
        /* public functions */
        this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-       this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+       this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
        this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
        this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
index 76652d3..76460c3 100644 (file)
@@ -62,7 +62,7 @@ static status_t get_cpi(private_load_tester_ipsec_t *this,
 static status_t add_sa(private_load_tester_ipsec_t *this,
                                           host_t *src, host_t *dst, u_int32_t spi,
                                           protocol_id_t protocol, u_int32_t reqid,
-                                          u_int64_t expire_soft, u_int64_t expire_hard,
+                                          lifetime_cfg_t *lifetime,
                                           u_int16_t enc_alg, chunk_t enc_key,
                                           u_int16_t int_alg, chunk_t int_key,
                                           ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
@@ -159,7 +159,7 @@ load_tester_ipsec_t *load_tester_ipsec_create()
        /* public functions */
        this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-       this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+       this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
        this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
        this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;