summaryrefslogtreecommitdiff
path: root/src/charon-tkm
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@corsac.net>2017-09-01 17:21:25 +0200
committerYves-Alexis Perez <corsac@corsac.net>2017-09-01 17:21:25 +0200
commit11d6b62db969bdd808d0f56706cb18f113927a31 (patch)
tree8aa7d8fb611c3da6a3523cb78a082f62ffd0dac8 /src/charon-tkm
parentbba25e2ff6c4a193acb54560ea4417537bd2954e (diff)
downloadvyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.tar.gz
vyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.zip
New upstream version 5.6.0
Diffstat (limited to 'src/charon-tkm')
-rw-r--r--src/charon-tkm/Makefile.in8
-rw-r--r--src/charon-tkm/src/ees/ees_callbacks.c1
-rw-r--r--src/charon-tkm/src/tkm/tkm_kernel_ipsec.c71
-rw-r--r--src/charon-tkm/src/tkm/tkm_kernel_sad.c86
-rw-r--r--src/charon-tkm/src/tkm/tkm_kernel_sad.h18
-rw-r--r--src/charon-tkm/tests/kernel_sad_tests.c38
6 files changed, 88 insertions, 134 deletions
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 9987b44b6..258f33b0f 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -227,8 +227,6 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -329,6 +327,8 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
+ruby_CFLAGS = @ruby_CFLAGS@
+ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -357,6 +357,10 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
+tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
+tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c
index f4107d90a..a36629b13 100644
--- a/src/charon-tkm/src/ees/ees_callbacks.c
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@@ -47,4 +47,5 @@ void charon_esa_expire(result_type *res, const sp_id_type sp_id,
DBG1(DBG_KNL, "ees: expire received for reqid %u, spi %x, dst %H", sp_id,
ntohl(spi_rem), dst);
charon->kernel->expire(charon->kernel, protocol, spi_rem, dst, hard != 0);
+ dst->destroy(dst);
}
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index c9be8989a..5decde92b 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -1,7 +1,8 @@
/*
+ * Copyright (C) 2017 Tobias Brunner
* Copyright (C) 2012-2014 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -52,6 +53,12 @@ struct private_tkm_kernel_ipsec_t {
};
+METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
+ private_tkm_kernel_ipsec_t *this)
+{
+ return KERNEL_POLICY_SPI;
+}
+
METHOD(kernel_ipsec_t, get_spi, status_t,
private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
uint8_t protocol, uint32_t *spi)
@@ -176,15 +183,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
}
- if (ike_esa_select(esa_id) != TKM_OK)
- {
- DBG1(DBG_KNL, "error selecting new child SA (%llu)", esa_id);
- if (ike_esa_reset(esa_id) != TKM_OK)
- {
- DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
- }
- goto failure;
- }
DBG1(DBG_KNL, "added child SA (esa: %llu, isa: %llu, esp_spi_loc: %x, "
"esp_spi_rem: %x, role: %s)", esa_id, esa.isa_id, ntohl(spi_loc),
@@ -215,23 +213,12 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
private_tkm_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
kernel_ipsec_del_sa_t *data)
{
- esa_id_type esa_id, other_esa_id;
+ esa_id_type esa_id;
esa_id = tkm->sad->get_esa_id(tkm->sad, id->src, id->dst,
- id->spi, id->proto);
+ id->spi, id->proto, TRUE);
if (esa_id)
{
- other_esa_id = tkm->sad->get_other_esa_id(tkm->sad, esa_id);
- if (other_esa_id)
- {
- DBG1(DBG_KNL, "selecting child SA (esa: %llu)", other_esa_id);
- if (ike_esa_select(other_esa_id) != TKM_OK)
- {
- DBG1(DBG_KNL, "error selecting other child SA (esa: %llu)",
- other_esa_id);
- }
- }
-
DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
ntohl(id->spi));
if (ike_esa_reset(esa_id) != TKM_OK)
@@ -263,6 +250,43 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
private_tkm_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
kernel_ipsec_manage_policy_t *data)
{
+ esa_id_type esa_id;
+ uint32_t spi;
+ uint8_t proto;
+
+ if (id->dir == POLICY_OUT && data->type == POLICY_IPSEC &&
+ data->prio == POLICY_PRIORITY_DEFAULT)
+ {
+ if (data->sa->esp.use)
+ {
+ spi = data->sa->esp.spi;
+ proto = IPPROTO_ESP;
+ }
+ else if (data->sa->ah.use)
+ {
+ spi = data->sa->ah.spi;
+ proto = IPPROTO_AH;
+ }
+ else
+ {
+ return FAILED;
+ }
+ esa_id = tkm->sad->get_esa_id(tkm->sad, data->src, data->dst,
+ spi, proto, FALSE);
+ if (!esa_id)
+ {
+ DBG1(DBG_KNL, "unable to find esa ID for policy (spi: %x)",
+ ntohl(spi));
+ return FAILED;
+ }
+ DBG1(DBG_KNL, "selecting child SA (esa: %llu, spi: %x)", esa_id,
+ ntohl(spi));
+ if (ike_esa_select(esa_id) != TKM_OK)
+ {
+ DBG1(DBG_KNL, "error selecting new child SA (%llu)", esa_id);
+ return FAILED;
+ }
+ }
return SUCCESS;
}
@@ -358,6 +382,7 @@ tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
INIT(this,
.public = {
.interface = {
+ .get_features = _get_features,
.get_spi = _get_spi,
.get_cpi = _get_cpi,
.add_sa = _add_sa,
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
index 97226f1ac..acc3ff10a 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
@@ -107,16 +107,23 @@ CALLBACK(sad_entry_match, bool,
const host_t *src, *dst;
const uint32_t *spi;
const uint8_t *proto;
+ const bool *local;
- VA_ARGS_VGET(args, src, dst, spi, proto);
+ VA_ARGS_VGET(args, src, dst, spi, proto, local);
- if (entry->src == NULL || entry->dst == NULL)
+ if (entry->src == NULL || entry->dst == NULL || entry->proto != *proto)
{
return FALSE;
}
- return src->ip_equals(entry->src, (host_t *)src) &&
- dst->ip_equals(entry->dst, (host_t *)dst) &&
- entry->spi_rem == *spi && entry->proto == *proto;
+ if (*local)
+ {
+ return entry->src->ip_equals(entry->src, (host_t *)dst) &&
+ entry->dst->ip_equals(entry->dst, (host_t *)src) &&
+ entry->spi_loc == *spi;
+ }
+ return entry->src->ip_equals(entry->src, (host_t *)src) &&
+ entry->dst->ip_equals(entry->dst, (host_t *)dst) &&
+ entry->spi_rem == *spi;
}
CALLBACK(sad_entry_match_dst, bool,
@@ -131,26 +138,6 @@ CALLBACK(sad_entry_match_dst, bool,
entry->proto == *proto;
}
-CALLBACK(sad_entry_match_esa_id, bool,
- sad_entry_t * const entry, va_list args)
-{
- const esa_id_type *esa_id;
-
- VA_ARGS_VGET(args, esa_id);
- return entry->esa_id == *esa_id;
-}
-
-CALLBACK(sad_entry_match_other_esa, bool,
- sad_entry_t * const entry, va_list args)
-{
- const esa_id_type *esa_id;
- const uint32_t *reqid;
-
- VA_ARGS_VGET(args, esa_id, reqid);
- return entry->reqid == *reqid &&
- entry->esa_id != *esa_id;
-}
-
CALLBACK(sad_entry_equal, bool,
sad_entry_t * const left, va_list args)
{
@@ -213,7 +200,8 @@ METHOD(tkm_kernel_sad_t, insert, bool,
METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
private_tkm_kernel_sad_t * const this, const host_t * const src,
- const host_t * const dst, const uint32_t spi, const uint8_t proto)
+ const host_t * const dst, const uint32_t spi, const uint8_t proto,
+ const bool local)
{
esa_id_type id = 0;
sad_entry_t *entry = NULL;
@@ -221,51 +209,18 @@ METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
this->mutex->lock(this->mutex);
const bool res = this->data->find_first(this->data, sad_entry_match,
(void**)&entry, src, dst, &spi,
- &proto);
+ &proto, &local);
if (res && entry)
{
id = entry->esa_id;
DBG3(DBG_KNL, "returning ESA id %llu of SAD entry (src: %H, dst: %H, "
- "spi: %x, proto: %u)", id, src, dst, ntohl(spi), proto);
- }
- else
- {
- DBG3(DBG_KNL, "no SAD entry found for src %H, dst %H, spi %x, proto %u",
- src, dst, ntohl(spi), proto);
- }
- this->mutex->unlock(this->mutex);
- return id;
-}
-
-METHOD(tkm_kernel_sad_t, get_other_esa_id, esa_id_type,
- private_tkm_kernel_sad_t * const this, const esa_id_type esa_id)
-{
- esa_id_type id = 0;
- sad_entry_t *entry = NULL;
- uint32_t reqid;
- bool res;
-
- this->mutex->lock(this->mutex);
- res = this->data->find_first(this->data, sad_entry_match_esa_id,
- (void**)&entry, &esa_id);
- if (res && entry)
- {
- reqid = entry->reqid;
+ "%sbound spi: %x, proto: %u)", id, src, dst, local ? "in" : "out",
+ ntohl(spi), proto);
}
else
{
- DBG3(DBG_KNL, "no SAD entry found for ESA id %llu", esa_id);
- this->mutex->unlock(this->mutex);
- return id;
- }
-
- res = this->data->find_first(this->data, sad_entry_match_other_esa,
- (void**)&entry, &esa_id, &reqid);
- if (res && entry)
- {
- id = entry->esa_id;
- DBG3(DBG_KNL, "returning ESA id %llu of other SAD entry with reqid %u",
- id, reqid);
+ DBG3(DBG_KNL, "no SAD entry found for src %H, dst %H, %sbound spi %x, "
+ "proto %u", src, dst, local ? "in" : "out", ntohl(spi), proto);
}
this->mutex->unlock(this->mutex);
return id;
@@ -283,7 +238,7 @@ METHOD(tkm_kernel_sad_t, get_dst_host, host_t *,
(void**)&entry, &reqid, &spi, &proto);
if (res && entry)
{
- dst = entry->dst;
+ dst = entry->dst->clone(entry->dst);
DBG3(DBG_KNL, "returning destination host %H of SAD entry (reqid: %u,"
" spi: %x, proto: %u)", dst, reqid, ntohl(spi), proto);
}
@@ -350,7 +305,6 @@ tkm_kernel_sad_t *tkm_kernel_sad_create()
.public = {
.insert = _insert,
.get_esa_id = _get_esa_id,
- .get_other_esa_id = _get_other_esa_id,
.get_dst_host = _get_dst_host,
.remove = __remove,
.destroy = _destroy,
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
index ba6462192..3d9f5f3f8 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.h
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
@@ -55,23 +55,14 @@ struct tkm_kernel_sad_t {
*
* @param src source address of CHILD SA
* @param dst destination address of CHILD SA
- * @param spi Remote SPI of CHILD SA
+ * @param spi SPI of CHILD SA
* @param proto protocol of CHILD SA (ESP/AH)
+ * @param local whether the SPI is local or remote
* @return ESA id of entry if found, 0 otherwise
*/
esa_id_type (*get_esa_id)(tkm_kernel_sad_t * const this,
const host_t * const src, const host_t * const dst,
- const uint32_t spi, const uint8_t proto);
-
- /**
- * Get ESA id for entry associated with same security policy as the
- * specified ESA.
- *
- * @param esa_id id of ESA identifying the security policy
- * @return ESA id of entry if found, 0 otherwise
- */
- esa_id_type (*get_other_esa_id)(tkm_kernel_sad_t * const this,
- const esa_id_type esa_id);
+ const uint32_t spi, const uint8_t proto, const bool local);
/**
* Get destination host for entry with given parameters.
@@ -79,7 +70,8 @@ struct tkm_kernel_sad_t {
* @param reqid reqid of CHILD SA
* @param spi Remote SPI of CHILD SA
* @param proto protocol of CHILD SA (ESP/AH)
- * @return destination host of entry if found, NULL otherwise
+ * @return destination host of entry if found (cloned),
+ * NULL otherwise
*/
host_t * (*get_dst_host)(tkm_kernel_sad_t * const this,
const uint32_t reqid, const uint32_t spi, const uint8_t proto);
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
index 2a033d237..39d8a790a 100644
--- a/src/charon-tkm/tests/kernel_sad_tests.c
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -63,50 +63,32 @@ START_TEST(test_get_esa_id)
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
"Error inserting SAD entry");
- fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
+ fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50, FALSE) == 23,
"Error getting esa id");
sad->destroy(sad);
addr->destroy(addr);
}
END_TEST
-START_TEST(test_get_esa_id_nonexistent)
-{
- host_t *addr = host_create_from_string("127.0.0.1", 1024);
- tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 0,
- "Got esa id for nonexistent SAD entry");
- sad->destroy(sad);
- addr->destroy(addr);
-}
-END_TEST
-
-START_TEST(test_get_other_esa_id)
+START_TEST(test_get_esa_id_local)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
"Error inserting SAD entry");
- fail_unless(sad->insert(sad, 24, 54, addr, addr, 27, 42, 50),
- "Error inserting SAD entry");
- fail_unless(sad->get_other_esa_id(sad, 23) == 24,
- "Error getting other esa id");
+ fail_unless(sad->get_esa_id(sad, addr, addr, 27, 50, TRUE) == 23,
+ "Error getting esa id");
sad->destroy(sad);
addr->destroy(addr);
}
END_TEST
-START_TEST(test_get_other_esa_id_nonexistent)
+START_TEST(test_get_esa_id_nonexistent)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->get_other_esa_id(sad, 1) == 0,
- "Got other esa id for nonexistent SAD entry");
- fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
- "Error inserting SAD entry");
- fail_unless(sad->get_other_esa_id(sad, 23) == 0,
- "Got own esa id");
-
+ fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50, FALSE) == 0,
+ "Got esa id for nonexistent SAD entry");
sad->destroy(sad);
addr->destroy(addr);
}
@@ -179,14 +161,10 @@ Suite *make_kernel_sad_tests()
tc = tcase_create("get_esa_id");
tcase_add_test(tc, test_get_esa_id);
+ tcase_add_test(tc, test_get_esa_id_local);
tcase_add_test(tc, test_get_esa_id_nonexistent);
suite_add_tcase(s, tc);
- tc = tcase_create("get_other_esa_id");
- tcase_add_test(tc, test_get_other_esa_id);
- tcase_add_test(tc, test_get_other_esa_id_nonexistent);
- suite_add_tcase(s, tc);
-
tc = tcase_create("get_dst_host");
tcase_add_test(tc, test_get_dst_host);
tcase_add_test(tc, test_get_dst_host_nonexistent);