Replaced the protocol argument in add_policy with an optional SPI for an AH SA.
authorTobias Brunner <tobias@strongswan.org>
Mon, 19 Jul 2010 09:25:47 +0000 (11:25 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 2 Sep 2010 17:04:19 +0000 (19:04 +0200)
src/libcharon/plugins/load_tester/load_tester_ipsec.c
src/libcharon/sa/child_sa.c
src/libhydra/kernel/kernel_interface.c
src/libhydra/kernel/kernel_interface.h
src/libhydra/kernel/kernel_ipsec.h
src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index efb8fb6..ce199a7 100644 (file)
@@ -85,7 +85,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
           private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
           traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-          policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+          policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
           u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
           u_int16_t cpi, bool routed)
 {
index b5c2feb..acfdfaf 100644 (file)
@@ -673,30 +673,41 @@ METHOD(child_sa_t, add_policies, status_t,
 
        if (this->config->install_policy(this->config))
        {
+               u_int32_t my_esp = 0, my_ah = 0, other_esp = 0, other_ah = 0;
+               if (this->protocol == PROTO_ESP)
+               {
+                       my_esp = this->my_spi;
+                       other_esp = this->other_spi;
+               }
+               else
+               {
+                       my_ah = this->my_spi;
+                       other_ah = this->other_spi;
+               }
                /* enumerate pairs of traffic selectors */
                enumerator = create_policy_enumerator(this);
                while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
                {
                        /* install 3 policies: out, in and forward */
-                       status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+                       status |= hydra->kernel_interface->add_policy(
+                                                       hydra->kernel_interface,
                                                        this->my_addr, this->other_addr, my_ts, other_ts,
-                                                       POLICY_OUT, this->other_spi,
-                                                       proto_ike2ip(this->protocol), this->reqid,
+                                                       POLICY_OUT, other_esp, other_ah, this->reqid,
                                                        this->mark_out, this->mode, this->ipcomp,
                                                        this->other_cpi, routed);
 
-                       status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+                       status |= hydra->kernel_interface->add_policy(
+                                                       hydra->kernel_interface,
                                                        this->other_addr, this->my_addr, other_ts, my_ts,
-                                                       POLICY_IN, this->my_spi,
-                                                       proto_ike2ip(this->protocol), this->reqid,
+                                                       POLICY_IN, my_esp, my_ah, this->reqid,
                                                        this->mark_in, this->mode, this->ipcomp,
                                                        this->my_cpi, routed);
                        if (this->mode != MODE_TRANSPORT)
                        {
-                               status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+                               status |= hydra->kernel_interface->add_policy(
+                                                       hydra->kernel_interface,
                                                        this->other_addr, this->my_addr, other_ts, my_ts,
-                                                       POLICY_FWD, this->my_spi,
-                                                       proto_ike2ip(this->protocol), this->reqid,
+                                                       POLICY_FWD, my_esp, my_ah, this->reqid,
                                                        this->mark_in, this->mode, this->ipcomp,
                                                        this->my_cpi, routed);
                        }
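Review bot: The `else` branch at L36–L40 treats every protocol other than PROTO_ESP as AH, so if `this->protocol` can hold any other value when add_policies() runs (I cannot confirm that from the hunk), its SPI ends up in the AH slots and the backends install an AH policy; an explicit `else if (this->protocol == PROTO_AH)` keeps the mapping exact. The same eleven-line selection block is repeated verbatim in update() at L81–L91, so a small static helper would keep the two in step and give the assumption one place to live. add_policies' body starts and ends outside the hunk.
```c
/* Pick the ESP/AH SPI slots the kernel policy refers to. A protocol other
 * than ESP or AH leaves all four at 0 instead of being treated as AH. */
static void get_policy_spis(private_child_sa_t *this, u_int32_t *my_esp,
							u_int32_t *my_ah, u_int32_t *other_esp,
							u_int32_t *other_ah)
{
	*my_esp = *my_ah = *other_esp = *other_ah = 0;
	if (this->protocol == PROTO_ESP)
	{
		*my_esp = this->my_spi;
		*other_esp = this->other_spi;
	}
	else if (this->protocol == PROTO_AH)
	{
		*my_ah = this->my_spi;
		*other_ah = this->other_spi;
	}
}

/* … unchanged: add_policies() up to install_policy check … */
		u_int32_t my_esp, my_ah, other_esp, other_ah;
		get_policy_spis(this, &my_esp, &my_ah, &other_esp, &other_ah);
		/* … unchanged: policy enumerator loop and the three add_policy calls … */
```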
@@ -766,6 +777,17 @@ METHOD(child_sa_t, update, status_t,
 
        if (this->config->install_policy(this->config))
        {
+               u_int32_t my_esp = 0, my_ah = 0, other_esp = 0, other_ah = 0;
+               if (this->protocol == PROTO_ESP)
+               {
+                       my_esp = this->my_spi;
+                       other_esp = this->other_spi;
+               }
+               else
+               {
+                       my_ah = this->my_spi;
+                       other_ah = this->other_spi;
+               }
                /* update policies */
                if (!me->ip_equals(me, this->my_addr) ||
                        !other->ip_equals(other, this->other_addr))
@@ -811,21 +833,18 @@ METHOD(child_sa_t, update, status_t,
                                /* reinstall updated policies */
                                hydra->kernel_interface->add_policy(hydra->kernel_interface,
                                                        me, other, my_ts, other_ts, POLICY_OUT,
-                                                       this->other_spi, proto_ike2ip(this->protocol),
-                                                       this->reqid, this->mark_out, this->mode,
-                                                       this->ipcomp, this->other_cpi, FALSE);
+                                                       other_esp, other_ah, this->reqid, this->mark_out,
+                                                       this->mode, this->ipcomp, this->other_cpi, FALSE);
                                hydra->kernel_interface->add_policy(hydra->kernel_interface,
                                                        other, me, other_ts, my_ts, POLICY_IN,
-                                                       this->my_spi, proto_ike2ip(this->protocol),
-                                                       this->reqid, this->mark_in, this->mode,
-                                                       this->ipcomp, this->my_cpi, FALSE);
+                                                       my_esp, my_ah, this->reqid, this->mark_in,
+                                                       this->mode, this->ipcomp, this->my_cpi, FALSE);
                                if (this->mode != MODE_TRANSPORT)
                                {
                                        hydra->kernel_interface->add_policy(hydra->kernel_interface,
                                                        other, me, other_ts, my_ts, POLICY_FWD,
-                                                       this->my_spi, proto_ike2ip(this->protocol),
-                                                       this->reqid, this->mark_in, this->mode,
-                                                       this->ipcomp, this->my_cpi, FALSE);
+                                                       my_esp, my_ah, this->reqid, this->mark_in,
+                                                       this->mode, this->ipcomp, this->my_cpi, FALSE);
                                }
                        }
                        enumerator->destroy(enumerator);
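Review bot: The three add_policy() calls at L97, L104 and L113 discard their status_t, so a failed reinstall of an updated policy goes unnoticed, whereas add_policies() at L47–L75 ORs every result into `status`. This predates the commit, but the commit rewrites every one of those call sites, so it is the natural moment to make them `status |= hydra->kernel_interface->add_policy(...)` — assuming update() has a status to return, which I cannot tell since its body starts and ends outside the hunk. If update() deliberately continues on failure, a one-line comment saying so at L96 would stop the next reader from asking the same question.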
index 77eaf68..bc99605 100644 (file)
@@ -131,7 +131,7 @@ METHOD(kernel_interface_t, del_sa, status_t,
 METHOD(kernel_interface_t, add_policy, status_t,
        private_kernel_interface_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+       policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
        u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
        u_int16_t cpi,  bool routed)
 {
@@ -140,7 +140,7 @@ METHOD(kernel_interface_t, add_policy, status_t,
                return NOT_SUPPORTED;
        }
        return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
-                       direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed);
+                       direction, spi, ah_spi, reqid, mark, mode, ipcomp, cpi, routed);
 }
 
 METHOD(kernel_interface_t, query_policy, status_t,
index ec1f561..c3c3764 100644 (file)
@@ -183,8 +183,8 @@ struct kernel_interface_t {
         * @param src_ts                traffic selector to match traffic source
         * @param dst_ts                traffic selector to match traffic dest
         * @param direction             direction of traffic, POLICY_(IN|OUT|FWD)
-        * @param spi                   SPI of SA
-        * @param protocol              protocol to use to protect traffic (AH/ESP)
+        * @param spi                   SPI of optional ESP SA
+        * @param ah_spi                SPI of optional AH SA
         * @param reqid                 unique ID of an SA to use to enforce policy
         * @param mark                  mark for this policy
         * @param mode                  mode of SA (tunnel, transport)
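Review bot: The new @param text at L149–L150 calls both SAs optional but does not say how absence is encoded, and the backends decide the policy's protocol purely from whether `spi` is non-zero (L199, L218, L246), so 0 is a meaningful value that callers must know about. Suggest `@param spi SPI of ESP SA, 0 if no ESP SA is used` and `@param ah_spi SPI of AH SA, 0 if no AH SA is used`, and a sentence in the method description stating whether passing both non-zero is supported. The same wording applies to kernel_ipsec.h at L170–L171.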
@@ -198,7 +198,7 @@ struct kernel_interface_t {
                                                        traffic_selector_t *src_ts,
                                                        traffic_selector_t *dst_ts,
                                                        policy_dir_t direction, u_int32_t spi,
-                                                       u_int8_t protocol, u_int32_t reqid,
+                                                       u_int32_t ah_spi, u_int32_t reqid,
                                                        mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
                                                        u_int16_t cpi, bool routed);
 
index ad3f64c..1a7f7b4 100644 (file)
@@ -258,8 +258,8 @@ struct kernel_ipsec_t {
         * @param src_ts                traffic selector to match traffic source
         * @param dst_ts                traffic selector to match traffic dest
         * @param direction             direction of traffic, POLICY_(IN|OUT|FWD)
-        * @param spi                   SPI of SA
-        * @param protocol              protocol to use to protect traffic (AH/ESP)
+        * @param spi                   SPI of optional ESP SA
+        * @param ah_spi                SPI of optional AH SA
         * @param reqid                 unique ID of an SA to use to enforce policy
         * @param mark                  mark for this policy
         * @param mode                  mode of SA (tunnel, transport)
@@ -273,7 +273,7 @@ struct kernel_ipsec_t {
                                                        traffic_selector_t *src_ts,
                                                        traffic_selector_t *dst_ts,
                                                        policy_dir_t direction, u_int32_t spi,
-                                                       u_int8_t protocol, u_int32_t reqid,
+                                                       u_int32_t ah_spi, u_int32_t reqid,
                                                        mark_t mark, ipsec_mode_t mode,
                                                        u_int16_t ipcomp, u_int16_t cpi, bool routed);
 
index 166df54..f0a9e55 100644 (file)
@@ -1969,7 +1969,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+       policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
        u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
        u_int16_t cpi, bool routed)
 {
@@ -1987,7 +1987,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
        /* tunnel mode policies direct the packets into the pseudo IPIP SA */
        satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
-                                                                        proto2satype(protocol);
+                                                                        proto2satype(spi ? IPPROTO_ESP : IPPROTO_AH);
 
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction);
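Review bot: The protocol derivation at L199 never reads `ah_spi`: a call with both SPIs zero is installed as an AH policy, and a call with both non-zero — which the new signature can now express, given the "optional" wording in the headers — silently installs ESP only. The netlink backend at L218 and the pfkey backend at L246 use the identical expression, so all three share the assumption. A comment at each site, `/* exactly one SPI is expected to be non-zero; AH+ESP bundles are not supported and both zero falls back to AH */`, would record it, and a single guard in kernel_interface_t.add_policy before the forwarding call at L136, e.g. `if (!spi && !ah_spi) { return INVALID_ARG; }`, would enforce it once for every backend rather than leaving it to each. add_policy's body continues outside the hunk.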
index 6ecfa03..3fd7862 100644 (file)
@@ -1617,7 +1617,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+       policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
        u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
        u_int16_t cpi, bool routed)
 {
@@ -1749,7 +1749,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
        }
 
        tmpl->reqid = reqid;
-       tmpl->id.proto = protocol;
+       tmpl->id.proto = spi ? IPPROTO_ESP : IPPROTO_AH;
        tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
        tmpl->mode = mode2kernel(mode);
        tmpl->family = src->get_family(src);
@@ -1943,7 +1943,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
        private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
-       traffic_selector_t *dst_ts, policy_dir_t direction,     mark_t mark,
+       traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
        bool unrouted)
 {
        policy_entry_t *current, policy, *to_delete = NULL;
index b2c0e2c..5cd06eb 100644 (file)
@@ -1593,7 +1593,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
+       policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
        u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
        u_int16_t cpi, bool routed)
 {
@@ -1661,7 +1661,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
        /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
        req = (struct sadb_x_ipsecrequest*)(pol + 1);
-       req->sadb_x_ipsecrequest_proto = protocol;
+       req->sadb_x_ipsecrequest_proto = spi ? IPPROTO_ESP : IPPROTO_AH;
        /* !!! the length of this struct MUST be in octets instead of 64 bit words */
        req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
        req->sadb_x_ipsecrequest_mode = mode2kernel(mode);