kernel-interface: Pass full list of traffic selectors to add_sa()

author Martin Willi <martin@revosec.ch>

Wed, 15 Oct 2014 16:03:31 +0000 (18:03 +0200)

committer Martin Willi <martin@revosec.ch>

Fri, 20 Feb 2015 12:34:47 +0000 (13:34 +0100)
author Martin Willi <martin@revosec.ch>
Wed, 15 Oct 2014 16:03:31 +0000 (18:03 +0200)
committer Martin Willi <martin@revosec.ch>
Fri, 20 Feb 2015 12:34:47 +0000 (13:34 +0100)
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c

index d0bf8df..da8e0ee 100644 (file)
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -93,7 +93,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
         u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
         u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
         bool _initiator, bool encap, bool esn, bool inbound,
-       traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
+       linked_list_t* src_ts, linked_list_t* dst_ts)
  {
         esa_info_t esa;
         bool initiator;
diff --git a/src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.c b/src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.c

index 4ed5a42..6516607 100644 (file)
--- a/src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.c
+++ b/src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.c
@@ -67,7 +67,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
         u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
         u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
         bool initiator, bool encap, bool esn, bool inbound,
-       traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+       linked_list_t *src_ts, linked_list_t *dst_ts)
  {
         return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
                                                           tfc, lifetime, enc_alg, enc_key, int_alg, int_key,
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c

index cb4aa90..362b327 100644 (file)
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -255,7 +255,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
         u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
         u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
         bool initiator, bool encap, bool esn, bool inbound,
-       traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+       linked_list_t *src_ts, linked_list_t *dst_ts)
  {
         return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
                                                           tfc, lifetime, enc_alg, enc_key, int_alg, int_key,
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c

index 61e820d..9fd6541 100644 (file)
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -2107,7 +2107,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
         u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
         u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
         bool initiator, bool encap, bool esn, bool inbound,
-       traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+       linked_list_t *src_ts, linked_list_t *dst_ts)
  {
         host_t *local, *remote;
         entry_t *entry;
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c

index 578fc53..68af479 100644 (file)
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -56,7 +56,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
         u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
         u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
         bool initiator, bool encap, bool esn, bool inbound,
-       traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+       linked_list_t *src_ts, linked_list_t *dst_ts)
  {
         return SUCCESS;
  }
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c

index 9026681..ed9e9b0 100644 (file)
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -633,7 +633,7 @@ METHOD(child_sa_t, install, status_t,
  {
         u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
         u_int16_t esn = NO_EXT_SEQ_NUMBERS;
-       traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
+       linked_list_t *src_ts = NULL, *dst_ts = NULL;
         time_t now;
         lifetime_cfg_t *lifetime;
         u_int32_t tfc = 0;
@@ -705,18 +705,16 @@ METHOD(child_sa_t, install, status_t,
                 lifetime->time.rekey = 0;
         }
  
-       /* BEET requires the bound address from the traffic selectors.
-        * TODO: We add just the first traffic selector for now, as the
-        * kernel accepts a single TS per SA only */
+       /* BEET requires the bound address from the traffic selectors */
         if (inbound)
         {
-               my_ts->get_first(my_ts, (void**)&dst_ts);
-               other_ts->get_first(other_ts, (void**)&src_ts);
+               dst_ts = my_ts;
+               src_ts = other_ts;
         }
         else
         {
-               my_ts->get_first(my_ts, (void**)&src_ts);
-               other_ts->get_first(other_ts, (void**)&dst_ts);
+               src_ts = my_ts;
+               dst_ts = other_ts;
         }
  
         status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c

index f479b87..1cb0015 100644 (file)
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -182,7 +182,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
         u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
         u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
         bool initiator, bool encap, bool esn, bool inbound,
-       traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+       linked_list_t *src_ts, linked_list_t *dst_ts)
  {
         if (!this->ipsec)
         {
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h

index f290167..a94c58a 100644 (file)
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -124,11 +124,8 @@ struct kernel_interface_t {
         /**
          * Add an SA to the SAD.
          *
-        * add_sa() may update an already allocated
-        * SPI (via get_spi). In this case, the replace
-        * flag must be set.
-        * This function does install a single SA for a
-        * single protocol in one direction.
+        * This function does install a single SA for a single protocol in one
+        * direction.
          *
          * @param src                   source address for this SA
          * @param dst                   destination address for this SA
@@ -150,8 +147,8 @@ struct kernel_interface_t {
          * @param encap                 enable UDP encapsulation for NAT traversal
          * @param esn                   TRUE to use Extended Sequence Numbers
          * @param inbound               TRUE if this is an inbound SA
-        * @param src_ts                traffic selector with BEET source address
-        * @param dst_ts                traffic selector with BEET destination address
+        * @param src_ts                list of source traffic selectors
+        * @param dst_ts                list of destination traffic selectors
          * @return                              SUCCESS if operation completed
          */
         status_t (*add_sa) (kernel_interface_t *this,
@@ -163,7 +160,7 @@ struct kernel_interface_t {
                                                 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
                                                 u_int32_t replay_window,
                                                 bool initiator, bool encap, bool esn, bool inbound,
-                                               traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+                                               linked_list_t *src_ts, linked_list_t *dst_ts);
  
         /**
          * Update the hosts on an installed SA.
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h

index 286f53f..f6705ff 100644 (file)
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -78,11 +78,8 @@ struct kernel_ipsec_t {
         /**
          * Add an SA to the SAD.
          *
-        * add_sa() may update an already allocated
-        * SPI (via get_spi). In this case, the replace
-        * flag must be set.
-        * This function does install a single SA for a
-        * single protocol in one direction.
+        * This function does install a single SA for a single protocol in one
+        * direction.
          *
          * @param src                   source address for this SA
          * @param dst                   destination address for this SA
@@ -104,8 +101,8 @@ struct kernel_ipsec_t {
          * @param encap                 enable UDP encapsulation for NAT traversal
          * @param esn                   TRUE to use Extended Sequence Numbers
          * @param inbound               TRUE if this is an inbound SA
-        * @param src_ts                traffic selector with BEET source address
-        * @param dst_ts                traffic selector with BEET destination address
+        * @param src_ts                list of source traffic selectors
+        * @param dst_ts                list of destination traffic selectors
          * @return                              SUCCESS if operation completed
          */
         status_t (*add_sa) (kernel_ipsec_t *this,
@@ -117,7 +114,7 @@ struct kernel_ipsec_t {
                                                 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
                                                 u_int32_t replay_window,
                                                 bool initiator, bool encap, bool esn, bool inbound,
-                                               traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+                                               linked_list_t *src_ts, linked_list_t *dst_ts);
  
         /**
          * Update the hosts on an installed SA.
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c

index a9f9c9f..31bb4f6 100644 (file)
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1191,7 +1191,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
         u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
         u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
         bool initiator, bool encap, bool esn, bool inbound,
-       traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
+       linked_list_t* src_ts, linked_list_t* dst_ts)
  {
         netlink_buf_t request;
         char *alg_name;
@@ -1199,6 +1199,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
         struct xfrm_usersa_info *sa;
         u_int16_t icv_size = 64;
         ipsec_mode_t original_mode = mode;
+       traffic_selector_t *first_src_ts, *first_dst_ts;
         status_t status = FAILED;
  
         /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
@@ -1244,9 +1245,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                                  * selector can be installed other traffic would get dropped */
                                 break;
                         }
-                       if (src_ts && dst_ts)
+                       if (src_ts->get_first(src_ts, (void**)&first_src_ts) == SUCCESS &&
+                               dst_ts->get_first(dst_ts, (void**)&first_dst_ts) == SUCCESS)
                         {
-                               sa->sel = ts2selector(src_ts, dst_ts);
+                               sa->sel = ts2selector(first_src_ts, first_dst_ts);
                                 if (!this->proto_port_transport)
                                 {
                                         /* don't install proto/port on SA. This would break
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index b46f190..348549b 100644 (file)
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1611,7 +1611,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
         u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
         u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
         bool initiator, bool encap, bool esn, bool inbound,
-       traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+       linked_list_t *src_ts, linked_list_t *dst_ts)
  {
         unsigned char request[PFKEY_BUFFER_SIZE];
         struct sadb_msg *msg, *out;
author	Martin Willi <martin@revosec.ch>
	Wed, 15 Oct 2014 16:03:31 +0000 (18:03 +0200)
committer	Martin Willi <martin@revosec.ch>
	Fri, 20 Feb 2015 12:34:47 +0000 (13:34 +0100)
src/charon-tkm/src/tkm/tkm_kernel_ipsec.c		patch \| blob \| history
src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.c		patch \| blob \| history
src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c		patch \| blob \| history
src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c		patch \| blob \| history
src/libcharon/plugins/load_tester/load_tester_ipsec.c		patch \| blob \| history
src/libcharon/sa/child_sa.c		patch \| blob \| history
src/libhydra/kernel/kernel_interface.c		patch \| blob \| history
src/libhydra/kernel/kernel_interface.h		patch \| blob \| history
src/libhydra/kernel/kernel_ipsec.h		patch \| blob \| history
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c		patch \| blob \| history
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c		patch \| blob \| history