Replaced the protocol argument in add_policy with an optional SPI for an AH SA.

Tobias Brunner 2010-07-19 11:25:47 +02:00
parent c5fb6882f2
commit b4872c1e09
8 changed files with 53 additions and 34 deletions


@ -85,7 +85,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{


@ -673,30 +673,41 @@ METHOD(child_sa_t, add_policies, status_t,
if (this->config->install_policy(this->config))
{
u_int32_t my_esp = 0, my_ah = 0, other_esp = 0, other_ah = 0;
if (this->protocol == PROTO_ESP)
{
my_esp = this->my_spi;
other_esp = this->other_spi;
}
else
{
my_ah = this->my_spi;
other_ah = this->other_spi;
}
/* enumerate pairs of traffic selectors */
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
/* install 3 policies: out, in and forward */
status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface,
this->my_addr, this->other_addr, my_ts, other_ts,
POLICY_OUT, this->other_spi,
proto_ike2ip(this->protocol), this->reqid,
POLICY_OUT, other_esp, other_ah, this->reqid,
this->mark_out, this->mode, this->ipcomp,
this->other_cpi, routed);
status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface,
this->other_addr, this->my_addr, other_ts, my_ts,
POLICY_IN, this->my_spi,
proto_ike2ip(this->protocol), this->reqid,
POLICY_IN, my_esp, my_ah, this->reqid,
this->mark_in, this->mode, this->ipcomp,
this->my_cpi, routed);
if (this->mode != MODE_TRANSPORT)
{
status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface,
this->other_addr, this->my_addr, other_ts, my_ts,
POLICY_FWD, this->my_spi,
proto_ike2ip(this->protocol), this->reqid,
POLICY_FWD, my_esp, my_ah, this->reqid,
this->mark_in, this->mode, this->ipcomp,
this->my_cpi, routed);
}
@ -766,6 +777,17 @@ METHOD(child_sa_t, update, status_t,
if (this->config->install_policy(this->config))
{
u_int32_t my_esp = 0, my_ah = 0, other_esp = 0, other_ah = 0;
if (this->protocol == PROTO_ESP)
{
my_esp = this->my_spi;
other_esp = this->other_spi;
}
else
{
my_ah = this->my_spi;
other_ah = this->other_spi;
}
/* update policies */
if (!me->ip_equals(me, this->my_addr) ||
!other->ip_equals(other, this->other_addr))
@ -811,21 +833,18 @@ METHOD(child_sa_t, update, status_t,
/* reinstall updated policies */
hydra->kernel_interface->add_policy(hydra->kernel_interface,
me, other, my_ts, other_ts, POLICY_OUT,
this->other_spi, proto_ike2ip(this->protocol),
this->reqid, this->mark_out, this->mode,
this->ipcomp, this->other_cpi, FALSE);
other_esp, other_ah, this->reqid, this->mark_out,
this->mode, this->ipcomp, this->other_cpi, FALSE);
hydra->kernel_interface->add_policy(hydra->kernel_interface,
other, me, other_ts, my_ts, POLICY_IN,
this->my_spi, proto_ike2ip(this->protocol),
this->reqid, this->mark_in, this->mode,
this->ipcomp, this->my_cpi, FALSE);
my_esp, my_ah, this->reqid, this->mark_in,
this->mode, this->ipcomp, this->my_cpi, FALSE);
if (this->mode != MODE_TRANSPORT)
{
hydra->kernel_interface->add_policy(hydra->kernel_interface,
other, me, other_ts, my_ts, POLICY_FWD,
this->my_spi, proto_ike2ip(this->protocol),
this->reqid, this->mark_in, this->mode,
this->ipcomp, this->my_cpi, FALSE);
my_esp, my_ah, this->reqid, this->mark_in,
this->mode, this->ipcomp, this->my_cpi, FALSE);
}
}
enumerator->destroy(enumerator);
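Review bot: The `else` branch of the two new SPI-selection blocks (one in add_policies, one in update) assigns this->my_spi/other_spi to the AH slots for every protocol that is not PROTO_ESP, not only for PROTO_AH; because the backends in this commit derive the template protocol from `spi ? IPPROTO_ESP : IPPROTO_AH`, a CHILD_SA whose protocol is still unset or whose ESP SPI is zero (possibly the routed/trap case, where policies may be installed before an SA exists — worth confirming against child_sa's initialisation) now yields an AH template where it previously passed proto_ike2ip(this->protocol). Making the second branch explicit, `else if (this->protocol == PROTO_AH)`, leaves both SPIs at zero in the unknown case and makes the fallback visible at the call site. The two identical selection blocks are also a candidate for one static helper so the mapping lives in a single place. Both add_policies and update start and end outside their hunks.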


@ -131,7 +131,7 @@ METHOD(kernel_interface_t, del_sa, status_t,
METHOD(kernel_interface_t, add_policy, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
@ -140,7 +140,7 @@ METHOD(kernel_interface_t, add_policy, status_t,
return NOT_SUPPORTED;
}
return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed);
direction, spi, ah_spi, reqid, mark, mode, ipcomp, cpi, routed);
}
METHOD(kernel_interface_t, query_policy, status_t,


@ -183,8 +183,8 @@ struct kernel_interface_t {
* @param src_ts traffic selector to match traffic source
* @param dst_ts traffic selector to match traffic dest
* @param direction direction of traffic, POLICY_(IN|OUT|FWD)
* @param spi SPI of SA
* @param protocol protocol to use to protect traffic (AH/ESP)
* @param spi SPI of optional ESP SA
* @param ah_spi SPI of optional AH SA
* @param reqid unique ID of an SA to use to enforce policy
* @param mark mark for this policy
* @param mode mode of SA (tunnel, transport)
@ -198,7 +198,7 @@ struct kernel_interface_t {
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi,
u_int8_t protocol, u_int32_t reqid,
u_int32_t ah_spi, u_int32_t reqid,
mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed);
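Review bot: The new `@param spi` and `@param ah_spi` lines call each SA "optional" but do not say how absence is encoded or what happens when both are supplied; the backends in this commit treat a non-zero `spi` as ESP and otherwise assume AH, which a caller cannot learn from the header. I would write `@param spi SPI of ESP SA, 0 if the policy does not use ESP` and `@param ah_spi SPI of AH SA, 0 if the policy does not use AH`, followed by one sentence stating which SPI the kernel backend honours when both are non-zero. The same two lines appear on kernel_ipsec_t in kernel_ipsec.h further down in this commit and should get the same wording.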


@ -258,8 +258,8 @@ struct kernel_ipsec_t {
* @param src_ts traffic selector to match traffic source
* @param dst_ts traffic selector to match traffic dest
* @param direction direction of traffic, POLICY_(IN|OUT|FWD)
* @param spi SPI of SA
* @param protocol protocol to use to protect traffic (AH/ESP)
* @param spi SPI of optional ESP SA
* @param ah_spi SPI of optional AH SA
* @param reqid unique ID of an SA to use to enforce policy
* @param mark mark for this policy
* @param mode mode of SA (tunnel, transport)
@ -273,7 +273,7 @@ struct kernel_ipsec_t {
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi,
u_int8_t protocol, u_int32_t reqid,
u_int32_t ah_spi, u_int32_t reqid,
mark_t mark, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, bool routed);


@ -1969,7 +1969,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
@ -1987,7 +1987,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
/* tunnel mode policies direct the packets into the pseudo IPIP SA */
satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
proto2satype(protocol);
proto2satype(spi ? IPPROTO_ESP : IPPROTO_AH);
/* create a policy */
policy = create_policy_entry(src_ts, dst_ts, direction);
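Review bot: The new `proto2satype(spi ? IPPROTO_ESP : IPPROTO_AH)` picks the SA type from the ESP SPI alone, so `ah_spi` is never read in this function: a caller that passes both SPIs (which the new header documentation, calling each "optional", does not forbid) gets only the ESP template, and one that passes neither gets an AH template, in both cases without a diagnostic. The netlink backend (`tmpl->id.proto = spi ? IPPROTO_ESP : IPPROTO_AH`) and the pfkey backend (`req->sadb_x_ipsecrequest_proto = spi ? IPPROTO_ESP : IPPROTO_AH`) in this commit have the same shape and the same unused parameter. A comment next to the selection such as `/* AH+ESP bundles are not supported: an ESP SPI takes precedence, no SPI means AH */` would record the decision, and a `DBG1` when `spi && ah_spi` would make the dropped AH SA visible in the log. add_policy continues outside the hunk in all three backends.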


@ -1617,7 +1617,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
@ -1749,7 +1749,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
}
tmpl->reqid = reqid;
tmpl->id.proto = protocol;
tmpl->id.proto = spi ? IPPROTO_ESP : IPPROTO_AH;
tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
tmpl->mode = mode2kernel(mode);
tmpl->family = src->get_family(src);
@ -1943,7 +1943,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
METHOD(kernel_ipsec_t, del_policy, status_t,
private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
bool unrouted)
{
policy_entry_t *current, policy, *to_delete = NULL;


@ -1593,7 +1593,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
@ -1661,7 +1661,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
req = (struct sadb_x_ipsecrequest*)(pol + 1);
req->sadb_x_ipsecrequest_proto = protocol;
req->sadb_x_ipsecrequest_proto = spi ? IPPROTO_ESP : IPPROTO_AH;
/* !!! the length of this struct MUST be in octets instead of 64 bit words */
req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
req->sadb_x_ipsecrequest_mode = mode2kernel(mode);