kernel-interface: Add a replay_window parameter to add_sa()
parent
bdcaa5e680
commit
30c009c2fe
|
@ -91,8 +91,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
|
||||
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
|
||||
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
|
||||
u_int16_t cpi, bool _initiator, bool encap, bool esn, bool inbound,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
|
||||
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
|
||||
bool _initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
|
||||
{
|
||||
esa_info_t esa;
|
||||
|
|
|
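Review bot: The new `replay_window` parameter is accepted by the TKM backend's add_sa, but nothing in the hunk uses it, and the body continues outside the hunk past `esa_info_t esa;`, so whether the window is ever handed to the TKM cannot be confirmed here. If the TKM interface has no way to carry a window size, the value configured for inbound SAs is silently dropped and the caller cannot tell that anti-replay runs with whatever default the TKM applies. A one-line note at the top of the body, such as `/* NOTE(review): confirm whether replay_window can be passed to the TKM; if not, document that its own anti-replay default applies */`, or a debug-level log when a non-zero window is requested, would make that visible.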
@ -64,8 +64,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
private_kernel_android_ipsec_t *this, host_t *src, host_t *dst,
|
||||
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
|
||||
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
|
||||
u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
|
||||
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
|
||||
{
|
||||
return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
|
||||
|
|
|
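Review bot: The call `ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,` on the last visible line is unchanged and its remaining arguments lie outside the hunk, so it is not visible whether `replay_window` is forwarded to the libipsec SA manager. If that manager's add_sa takes no window argument, the configured value is dropped in this wrapper while child_sa believes it was installed, which weakens anti-replay without any error. Either pass it through, or state the limitation next to the call with `/* NOTE(review): replay_window is not forwarded here; confirm how libipsec sizes its anti-replay window */`.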
@ -252,8 +252,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
|
||||
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
|
||||
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
|
||||
u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
|
||||
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
|
||||
{
|
||||
return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
|
||||
|
|
|
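Review bot: This add_sa only forwards to `ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,` and the argument list is cut off by the hunk, so the fate of `replay_window` cannot be checked from what is shown. A window size that is accepted at the kernel_ipsec_t interface but not applied by the backend is exactly the kind of silent gap a debug-level log should expose, since the configuration appears to have taken effect. If the SA manager cannot take the value, log once when `replay_window` is non-zero and say so in a comment at the call, e.g. `/* libipsec uses its own anti-replay window; replay_window is not applied */`, hedged until that is confirmed.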
@ -1947,8 +1947,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
|
||||
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
|
||||
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
|
||||
u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
|
||||
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
|
||||
{
|
||||
host_t *local, *remote;
|
||||
|
|
|
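Review bot: add_sa in the WFP backend now receives `replay_window`, but the hunk ends at `host_t *local, *remote;` and the rest of the body is outside the hunk, so there is no visible place where the window is applied. The parameter may well be accepted and ignored if the platform's SA structures expose no configurable window; whichever is the case, the behaviour should be stated rather than left implicit. A comment such as `/* NOTE(review): confirm whether replay_window can be applied to the WFP SA; if not, document that the platform default is used */` at the top of the body is enough until that is verified.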
@ -53,8 +53,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
|
||||
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
|
||||
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
|
||||
u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
|
||||
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
|
||||
{
|
||||
return SUCCESS;
|
||||
|
|
|
@ -639,6 +639,7 @@ METHOD(child_sa_t, install, status_t,
|
|||
host_t *src, *dst;
|
||||
status_t status;
|
||||
bool update = FALSE;
|
||||
u_int32_t replay_window = 0;
|
||||
|
||||
/* now we have to decide which spi to use. Use self allocated, if "in",
|
||||
* or the one in the proposal, if not "in" (others). Additionally,
|
||||
|
@ -653,6 +654,9 @@ METHOD(child_sa_t, install, status_t,
|
|||
}
|
||||
this->my_spi = spi;
|
||||
this->my_cpi = cpi;
|
||||
|
||||
/* required on inbound SA only */
|
||||
replay_window = this->config->get_replay_window(this->config);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -722,8 +726,8 @@ METHOD(child_sa_t, install, status_t,
|
|||
src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
|
||||
inbound ? this->mark_in : this->mark_out, tfc,
|
||||
lifetime, enc_alg, encr, int_alg, integ, this->mode,
|
||||
this->ipcomp, cpi, initiator, this->encap, esn, update,
|
||||
src_ts, dst_ts);
|
||||
this->ipcomp, cpi, replay_window, initiator, this->encap,
|
||||
esn, update, src_ts, dst_ts);
|
||||
|
||||
free(lifetime);
|
||||
|
||||
|
|
|
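Review bot: `replay_window` is read from the config only in the inbound branch (`/* required on inbound SA only */`) and stays 0 for outbound SAs, yet nothing says what a backend should make of 0, so the comment should spell out the intent: `/* only inbound SAs verify sequence numbers; outbound SAs pass 0 (no window) */`. The value returned by `get_replay_window` is also passed through unchecked; if a backend treats 0 as "anti-replay disabled", a config value of 0 switches protection off on inbound SAs with no trace, which deserves at least a debug-level log where the value is read. install() starts before the first hunk and ends after the last, so the surrounding inbound/outbound branches are only partly visible.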
@ -179,8 +179,9 @@ METHOD(kernel_interface_t, add_sa, status_t,
|
|||
private_kernel_interface_t *this, host_t *src, host_t *dst,
|
||||
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
|
||||
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
|
||||
u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
|
||||
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
|
||||
{
|
||||
if (!this->ipsec)
|
||||
|
@ -188,8 +189,9 @@ METHOD(kernel_interface_t, add_sa, status_t,
|
|||
return NOT_SUPPORTED;
|
||||
}
|
||||
return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
|
||||
mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
|
||||
ipcomp, cpi, initiator, encap, esn, inbound, src_ts, dst_ts);
|
||||
mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
|
||||
ipcomp, cpi, replay_window, initiator, encap, esn, inbound,
|
||||
src_ts, dst_ts);
|
||||
}
|
||||
|
||||
METHOD(kernel_interface_t, update_sa, status_t,
|
||||
|
|
|
@ -147,6 +147,7 @@ struct kernel_interface_t {
|
|||
* @param mode mode of the SA (tunnel, transport)
|
||||
* @param ipcomp IPComp transform to use
|
||||
* @param cpi CPI for IPComp
|
||||
* @param replay_window anti-replay window size
|
||||
* @param initiator TRUE if initiator of the exchange creating this SA
|
||||
* @param encap enable UDP encapsulation for NAT traversal
|
||||
* @param esn TRUE to use Extended Sequence Numbers
|
||||
|
@ -162,6 +163,7 @@ struct kernel_interface_t {
|
|||
u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key,
|
||||
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
|
||||
u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
|
||||
|
||||
|
|
|
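Review bot: The new doc line `@param replay_window anti-replay window size` leaves the unit and the meaning of 0 undefined, and child_sa passes 0 for every outbound SA, so a backend author cannot tell whether 0 means "disabled", "backend default" or "not applicable". Suggest `@param replay_window anti-replay window size in packets, inbound SAs only (0 for outbound SAs)`, completed with whatever zero semantics the backends actually implement. The prototype itself is fine; only the documentation needs the precision.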
@ -101,6 +101,7 @@ struct kernel_ipsec_t {
|
|||
* @param mode mode of the SA (tunnel, transport)
|
||||
* @param ipcomp IPComp transform to use
|
||||
* @param cpi CPI for IPComp
|
||||
* @param replay_window anti-replay window size
|
||||
* @param initiator TRUE if initiator of the exchange creating this SA
|
||||
* @param encap enable UDP encapsulation for NAT traversal
|
||||
* @param esn TRUE to use Extended Sequence Numbers
|
||||
|
@ -116,6 +117,7 @@ struct kernel_ipsec_t {
|
|||
u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key,
|
||||
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
|
||||
u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
|
||||
|
||||
|
|
|
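Review bot: kernel_ipsec_t is the contract every backend implements, so `@param replay_window anti-replay window size` should also say whether a backend that cannot honour the window may ignore it silently or must report it, since several backends touched by this commit are thin wrappers whose handling of the value is not visible. Suggest `@param replay_window anti-replay window size in packets; inbound SAs only, 0 if not applicable; a backend unable to apply it should log that its default is used`. The unit and zero semantics should match those documented on kernel_interface_t's add_sa.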
@ -1682,8 +1682,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
|
||||
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
|
||||
u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
|
||||
bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
|
||||
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
|
||||
{
|
||||
unsigned char request[PFKEY_BUFFER_SIZE];
|
||||
struct sadb_msg *msg, *out;
|
||||
|
|
|
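Review bot: `replay_window` arrives here as a u_int32_t, but the PF_KEY SA extension a backend like this fills (`struct sadb_sa`, whose `sadb_sa_replay` is an 8-bit field in RFC 2367) cannot hold values above 255; the body past `struct sadb_msg *msg, *out;` is outside the hunk, so the assignment itself is not visible. If the value is stored directly, a configured window of 256 or more is silently truncated (256 becomes 0), which could turn anti-replay off instead of widening it. A range check before the message is built, `if (replay_window > UINT8_MAX) { /* log and clamp, or fail */ }`, is the minimum, and whichever policy is chosen should be stated at the assignment.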
@ -1194,8 +1194,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
|
||||
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
|
||||
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
|
||||
u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
|
||||
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
|
||||
{
|
||||
netlink_buf_t request;
|
||||
|
@ -1213,8 +1214,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
|
||||
add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
|
||||
tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
|
||||
chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound,
|
||||
src_ts, dst_ts);
|
||||
chunk_empty, mode, ipcomp, 0, 0, initiator, FALSE, FALSE,
|
||||
inbound, src_ts, dst_ts);
|
||||
ipcomp = IPCOMP_NONE;
|
||||
/* use transport mode ESP SA, IPComp uses tunnel mode */
|
||||
mode = MODE_TRANSPORT;
|
||||
|
|
|
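Review bot: In the hunk at line 1194 the window becomes a u_int32_t parameter, but the legacy XFRM SA structure this backend builds (`struct xfrm_usersa_info`) carries `replay_window` as an 8-bit field; the body after `netlink_buf_t request;` is outside the hunk, so the assignment cannot be seen here. Windows above 255, and as far as I recall any window on an SA with `esn` set, have to go through the XFRMA_REPLAY_ESN_VAL attribute with a bitmap sized to the window, otherwise the value would be truncated or the SA rejected by the kernel; a check on `replay_window` against the chosen path belongs next to the assignment. The IPComp sub-SA in the second hunk correctly passes a literal `0`, which deserves a word, e.g. `/* IPComp carries no sequence numbers, so no replay window */`, so nobody later "fixes" it to `replay_window`.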
@ -1615,8 +1615,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
|
||||
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
|
||||
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
|
||||
u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
|
||||
bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
|
||||
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
|
||||
bool initiator, bool encap, bool esn, bool inbound,
|
||||
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
|
||||
{
|
||||
unsigned char request[PFKEY_BUFFER_SIZE];
|
||||
struct sadb_msg *msg, *out;
|
||||
|
@ -1633,7 +1634,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
|
|||
lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
|
||||
add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
|
||||
tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
|
||||
chunk_empty, mode, ipcomp, 0, FALSE, FALSE, FALSE, inbound,
|
||||
chunk_empty, mode, ipcomp, 0, 0, FALSE, FALSE, FALSE, inbound,
|
||||
NULL, NULL);
|
||||
ipcomp = IPCOMP_NONE;
|
||||
/* use transport mode ESP SA, IPComp uses tunnel mode */
|
||||
|
|
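Review bot: The IPComp sub-SA call in the second hunk passes a literal `0` for the new parameter without saying why; a short comment, `/* IPComp carries no sequence numbers, so no replay window */`, keeps the 0 from being mistaken for an omission. For the ESP/AH SA itself the window presumably ends up in `struct sadb_sa`, whose `sadb_sa_replay` field is 8 bits wide, so a u_int32_t value above 255 cannot be represented; that assignment is outside the hunk, so whether it is range-checked is not visible. If it is copied directly, add `if (replay_window > UINT8_MAX) { /* clamp and log, or fail */ }` before the message is built, and document the chosen behaviour there.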