author | Yves-Alexis Perez <corsac@corsac.net> | 2017-09-01 17:21:25 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-09-01 17:21:25 +0200 |
commit | 11d6b62db969bdd808d0f56706cb18f113927a31 (patch) | |
tree | 8aa7d8fb611c3da6a3523cb78a082f62ffd0dac8 /src/charon-tkm | |
parent | bba25e2ff6c4a193acb54560ea4417537bd2954e (diff) | |
download | vyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.tar.gz vyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.zip |
New upstream version 5.6.0
Diffstat (limited to 'src/charon-tkm')
-rw-r--r-- | src/charon-tkm/Makefile.in | 8 | ||||
-rw-r--r-- | src/charon-tkm/src/ees/ees_callbacks.c | 1 | ||||
-rw-r--r-- | src/charon-tkm/src/tkm/tkm_kernel_ipsec.c | 71 | ||||
-rw-r--r-- | src/charon-tkm/src/tkm/tkm_kernel_sad.c | 86 | ||||
-rw-r--r-- | src/charon-tkm/src/tkm/tkm_kernel_sad.h | 18 | ||||
-rw-r--r-- | src/charon-tkm/tests/kernel_sad_tests.c | 38 |
6 files changed, 88 insertions, 134 deletions
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 9987b44b6..258f33b0f 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -227,8 +227,6 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -329,6 +327,8 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+ruby_CFLAGS = @ruby_CFLAGS@
+ruby_LIBS = @ruby_LIBS@
 runstatedir = @runstatedir@
 s_plugins = @s_plugins@
 sbindir = @sbindir@
@@ -357,6 +357,10 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 tss2_CFLAGS = @tss2_CFLAGS@
 tss2_LIBS = @tss2_LIBS@
+tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
+tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
+tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c
index f4107d90a..a36629b13 100644
--- a/src/charon-tkm/src/ees/ees_callbacks.c
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@@ -47,4 +47,5 @@ void charon_esa_expire(result_type *res, const sp_id_type sp_id,
 DBG1(DBG_KNL, "ees: expire received for reqid %u, spi %x, dst %H",
 sp_id, ntohl(spi_rem), dst);
 charon->kernel->expire(charon->kernel, protocol, spi_rem, dst, hard != 0);
+ dst->destroy(dst);
 }
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index c9be8989a..5decde92b 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
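Review bot: The added `dst->destroy(dst);` in charon_esa_expire is only correct because get_dst_host() now hands out a clone (the tkm_kernel_sad.h hunk in this commit documents that), and nothing at this call site says so; a comment such as `/* dst is a clone returned by get_dst_host(), release it */` would stop a later reader from treating dst as borrowed and dropping the destroy. The hunk does not show where dst is obtained or whether a NULL result from get_dst_host() has already been rejected before this line; charon_esa_expire's body begins outside the hunk, so confirm the NULL path returns early.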
@@ -1,7 +1,8 @@
 /*
+ * Copyright (C) 2017 Tobias Brunner
 * Copyright (C) 2012-2014 Reto Buerki
 * Copyright (C) 2012 Adrian-Ken Rueegsegger
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
@@ -52,6 +53,12 @@ struct private_tkm_kernel_ipsec_t {
 
 };
 
+METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
+ private_tkm_kernel_ipsec_t *this)
+{
+ return KERNEL_POLICY_SPI;
+}
+
 METHOD(kernel_ipsec_t, get_spi, status_t,
 private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
 uint8_t protocol, uint32_t *spi)
@@ -176,15 +183,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
 }
- if (ike_esa_select(esa_id) != TKM_OK)
- {
- DBG1(DBG_KNL, "error selecting new child SA (%llu)", esa_id);
- if (ike_esa_reset(esa_id) != TKM_OK)
- {
- DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
- }
- goto failure;
- }
 DBG1(DBG_KNL, "added child SA (esa: %llu, isa: %llu, esp_spi_loc: %x, "
 "esp_spi_rem: %x, role: %s)", esa_id, esa.isa_id, ntohl(spi_loc),
@@ -215,23 +213,12 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 private_tkm_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
 kernel_ipsec_del_sa_t *data)
 {
- esa_id_type esa_id, other_esa_id;
+ esa_id_type esa_id;
 
 esa_id = tkm->sad->get_esa_id(tkm->sad, id->src, id->dst,
- id->spi, id->proto);
+ id->spi, id->proto, TRUE);
 if (esa_id)
 {
- other_esa_id = tkm->sad->get_other_esa_id(tkm->sad, esa_id);
- if (other_esa_id)
- {
- DBG1(DBG_KNL, "selecting child SA (esa: %llu)", other_esa_id);
- if (ike_esa_select(other_esa_id) != TKM_OK)
- {
- DBG1(DBG_KNL, "error selecting other child SA (esa: %llu)",
- other_esa_id);
- }
- }
-
 DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
 ntohl(id->spi));
 if (ike_esa_reset(esa_id) != TKM_OK)
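Review bot: The new get_features method returns `KERNEL_POLICY_SPI` with no comment, and the reason is not local to it: this commit removes the `ike_esa_select` from add_sa and from del_sa and instead selects the child SA in add_policy, which only works if every policy carries the SPI of the SA it refers to. A one-line comment above the method, `/* policies must carry the SPI of their SA: add_policy selects the ESA by it */`, would tie the three hunks together for the next reader. In the del_sa hunk the lookup now passes `TRUE`, i.e. id->spi is matched as the local (inbound) SPI, which is consistent with the sad_entry_match change in tkm_kernel_sad.c; the else branch and the remainder of del_sa continue outside the hunk.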
@@ -263,6 +250,43 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 private_tkm_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
 kernel_ipsec_manage_policy_t *data)
 {
+ esa_id_type esa_id;
+ uint32_t spi;
+ uint8_t proto;
+
+ if (id->dir == POLICY_OUT && data->type == POLICY_IPSEC &&
+ data->prio == POLICY_PRIORITY_DEFAULT)
+ {
+ if (data->sa->esp.use)
+ {
+ spi = data->sa->esp.spi;
+ proto = IPPROTO_ESP;
+ }
+ else if (data->sa->ah.use)
+ {
+ spi = data->sa->ah.spi;
+ proto = IPPROTO_AH;
+ }
+ else
+ {
+ return FAILED;
+ }
+ esa_id = tkm->sad->get_esa_id(tkm->sad, data->src, data->dst,
+ spi, proto, FALSE);
+ if (!esa_id)
+ {
+ DBG1(DBG_KNL, "unable to find esa ID for policy (spi: %x)",
+ ntohl(spi));
+ return FAILED;
+ }
+ DBG1(DBG_KNL, "selecting child SA (esa: %llu, spi: %x)", esa_id,
+ ntohl(spi));
+ if (ike_esa_select(esa_id) != TKM_OK)
+ {
+ DBG1(DBG_KNL, "error selecting new child SA (%llu)", esa_id);
+ return FAILED;
+ }
+ }
 return SUCCESS;
 }
 
@@ -358,6 +382,7 @@ tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
 INIT(this,
 .public = {
 .interface = {
+ .get_features = _get_features,
 .get_spi = _get_spi,
 .get_cpi = _get_cpi,
 .add_sa = _add_sa,
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
index 97226f1ac..acc3ff10a 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
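Review bot: When `ike_esa_select(esa_id)` fails, add_policy logs and returns FAILED but leaves the ESA installed, whereas the add_sa code this commit removes called `ike_esa_reset(esa_id)` on the same failure before bailing out; unless charon always follows a failed add_policy with del_sa (which does reset the ESA), the TKM keeps an ESA that charon no longer tracks, so either confirm that path or restore the reset here. The `else { return FAILED; }` for a policy with neither ESP nor AH in use also fails silently, unlike the two other failure branches, so a `DBG1(DBG_KNL, "policy without ESP/AH SA, unable to select child SA")` would make that case diagnosable. Finally the block deserves a comment stating why selection happens here at all, e.g. `/* with KERNEL_POLICY_SPI the outbound default policy names the SA that becomes active, so select the matching ESA now */`.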
@@ -107,16 +107,23 @@ CALLBACK(sad_entry_match, bool,
 const host_t *src, *dst;
 const uint32_t *spi;
 const uint8_t *proto;
+ const bool *local;
 
- VA_ARGS_VGET(args, src, dst, spi, proto);
+ VA_ARGS_VGET(args, src, dst, spi, proto, local);
 
- if (entry->src == NULL || entry->dst == NULL)
+ if (entry->src == NULL || entry->dst == NULL || entry->proto != *proto)
 {
 return FALSE;
 }
- return src->ip_equals(entry->src, (host_t *)src) &&
- dst->ip_equals(entry->dst, (host_t *)dst) &&
- entry->spi_rem == *spi && entry->proto == *proto;
+ if (*local)
+ {
+ return entry->src->ip_equals(entry->src, (host_t *)dst) &&
+ entry->dst->ip_equals(entry->dst, (host_t *)src) &&
+ entry->spi_loc == *spi;
+ }
+ return entry->src->ip_equals(entry->src, (host_t *)src) &&
+ entry->dst->ip_equals(entry->dst, (host_t *)dst) &&
+ entry->spi_rem == *spi;
 }
 
 CALLBACK(sad_entry_match_dst, bool,
@@ -131,26 +138,6 @@ CALLBACK(sad_entry_match_dst, bool,
 entry->proto == *proto;
 }
 
-CALLBACK(sad_entry_match_esa_id, bool,
- sad_entry_t * const entry, va_list args)
-{
- const esa_id_type *esa_id;
-
- VA_ARGS_VGET(args, esa_id);
- return entry->esa_id == *esa_id;
-}
-
-CALLBACK(sad_entry_match_other_esa, bool,
- sad_entry_t * const entry, va_list args)
-{
- const esa_id_type *esa_id;
- const uint32_t *reqid;
-
- VA_ARGS_VGET(args, esa_id, reqid);
- return entry->reqid == *reqid &&
- entry->esa_id != *esa_id;
-}
-
 CALLBACK(sad_entry_equal, bool,
 sad_entry_t * const left, va_list args)
 {
@@ -213,7 +200,8 @@ METHOD(tkm_kernel_sad_t, insert, bool,
 
 METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
 private_tkm_kernel_sad_t * const this, const host_t * const src,
- const host_t * const dst, const uint32_t spi, const uint8_t proto)
+ const host_t * const dst, const uint32_t spi, const uint8_t proto,
+ const bool local)
 {
 esa_id_type id = 0;
 sad_entry_t *entry = NULL;
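Review bot: The `if (*local)` branch of sad_entry_match compares the entry's src with the caller's dst and the entry's dst with the caller's src, and nothing says why; a reader who does not know that the SAD stores one direction will take the swap for a typo. A comment on the branch would settle it, e.g. `/* local SPI: the caller describes the inbound SA (remote -> local), which is the stored entry's dst -> src */` — presumably that is the intent given that del_sa passes id->src/id->dst with TRUE, but confirm which direction insert() records. Hoisting `entry->proto != *proto` into the early return is fine and removes the duplicated check from both returns.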
@@ -221,51 +209,18 @@ METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
 this->mutex->lock(this->mutex);
 const bool res = this->data->find_first(this->data, sad_entry_match,
 (void**)&entry, src, dst, &spi,
- &proto);
+ &proto, &local);
 if (res && entry)
 {
 id = entry->esa_id;
 DBG3(DBG_KNL, "returning ESA id %llu of SAD entry (src: %H, dst: %H, "
- "spi: %x, proto: %u)", id, src, dst, ntohl(spi), proto);
- }
- else
- {
- DBG3(DBG_KNL, "no SAD entry found for src %H, dst %H, spi %x, proto %u",
- src, dst, ntohl(spi), proto);
- }
- this->mutex->unlock(this->mutex);
- return id;
-}
-
-METHOD(tkm_kernel_sad_t, get_other_esa_id, esa_id_type,
- private_tkm_kernel_sad_t * const this, const esa_id_type esa_id)
-{
- esa_id_type id = 0;
- sad_entry_t *entry = NULL;
- uint32_t reqid;
- bool res;
-
- this->mutex->lock(this->mutex);
- res = this->data->find_first(this->data, sad_entry_match_esa_id,
- (void**)&entry, &esa_id);
- if (res && entry)
- {
- reqid = entry->reqid;
+ "%sbound spi: %x, proto: %u)", id, src, dst, local ? "in" : "out",
+ ntohl(spi), proto);
 }
 else
 {
- DBG3(DBG_KNL, "no SAD entry found for ESA id %llu", esa_id);
- this->mutex->unlock(this->mutex);
- return id;
- }
-
- res = this->data->find_first(this->data, sad_entry_match_other_esa,
- (void**)&entry, &esa_id, &reqid);
- if (res && entry)
- {
- id = entry->esa_id;
- DBG3(DBG_KNL, "returning ESA id %llu of other SAD entry with reqid %u",
- id, reqid);
+ DBG3(DBG_KNL, "no SAD entry found for src %H, dst %H, %sbound spi %x, "
+ "proto %u", src, dst, local ? "in" : "out", ntohl(spi), proto);
 }
 this->mutex->unlock(this->mutex);
 return id;
@@ -283,7 +238,7 @@ METHOD(tkm_kernel_sad_t, get_dst_host, host_t *,
 (void**)&entry, &reqid, &spi, &proto);
 if (res && entry)
 {
- dst = entry->dst;
+ dst = entry->dst->clone(entry->dst);
 DBG3(DBG_KNL, "returning destination host %H of SAD entry (reqid: %u,"
 " spi: %x, proto: %u)", dst, reqid, ntohl(spi), proto);
 }
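Review bot: `dst = entry->dst->clone(entry->dst);` turns get_dst_host into an ownership-transferring call, which fixes the use-after-free risk of handing out a pointer into an entry that remove() may free once the mutex is released, but it also means every caller now has to destroy the result; this commit updates charon_esa_expire, and any other caller of get_dst_host outside this diff would leak a host_t per call, so grep for them before merging. Cloning while the mutex is still held is the right order, since the entry may disappear as soon as it is unlocked. A comment next to the clone, `/* clone under the lock: entry may be removed once the mutex is released, caller owns the copy */`, would document both points at the source.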
@@ -350,7 +305,6 @@ tkm_kernel_sad_t *tkm_kernel_sad_create()
 .public = {
 .insert = _insert,
 .get_esa_id = _get_esa_id,
- .get_other_esa_id = _get_other_esa_id,
 .get_dst_host = _get_dst_host,
 .remove = __remove,
 .destroy = _destroy,
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
index ba6462192..3d9f5f3f8 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.h
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
@@ -55,23 +55,14 @@ struct tkm_kernel_sad_t {
 *
 * @param src source address of CHILD SA
 * @param dst destination address of CHILD SA
- * @param spi Remote SPI of CHILD SA
+ * @param spi SPI of CHILD SA
 * @param proto protocol of CHILD SA (ESP/AH)
+ * @param local whether the SPI is local or remote
 * @return ESA id of entry if found, 0 otherwise
 */
 esa_id_type (*get_esa_id)(tkm_kernel_sad_t * const this,
 const host_t * const src, const host_t * const dst,
- const uint32_t spi, const uint8_t proto);
-
- /**
- * Get ESA id for entry associated with same security policy as the
- * specified ESA.
- *
- * @param esa_id id of ESA identifying the security policy
- * @return ESA id of entry if found, 0 otherwise
- */
- esa_id_type (*get_other_esa_id)(tkm_kernel_sad_t * const this,
- const esa_id_type esa_id);
+ const uint32_t spi, const uint8_t proto, const bool local);
 
 /**
 * Get destination host for entry with given parameters.
@@ -79,7 +70,8 @@ struct tkm_kernel_sad_t {
 * @param reqid reqid of CHILD SA
 * @param spi Remote SPI of CHILD SA
 * @param proto protocol of CHILD SA (ESP/AH)
- * @return destination host of entry if found, NULL otherwise
+ * @return destination host of entry if found (cloned),
+ * NULL otherwise
 */
 host_t * (*get_dst_host)(tkm_kernel_sad_t * const this,
 const uint32_t reqid, const uint32_t spi, const uint8_t proto);
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
index 2a033d237..39d8a790a 100644
--- a/src/charon-tkm/tests/kernel_sad_tests.c
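Review bot: The new `@param local whether the SPI is local or remote` line in tkm_kernel_sad.h undersells what the flag changes: sad_entry_match in this commit also swaps the address comparison for local lookups (the entry's src is matched against the caller's dst and vice versa), so `@param src` and `@param dst` no longer mean the same thing in both modes while their descriptions are unchanged. Suggest `@param local TRUE if spi is the local (inbound) SPI; src/dst then describe the inbound SA and are matched against the entry's dst/src`. The get_dst_host doc now says `(cloned)`, which is good; stating explicitly that the caller must destroy the returned host would make the ownership rule unambiguous.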
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -63,50 +63,32 @@ START_TEST(test_get_esa_id)
 tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
 fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
 "Error inserting SAD entry");
- fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
+ fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50, FALSE) == 23,
 "Error getting esa id");
 sad->destroy(sad);
 addr->destroy(addr);
 }
 END_TEST
 
-START_TEST(test_get_esa_id_nonexistent)
-{
- host_t *addr = host_create_from_string("127.0.0.1", 1024);
- tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 0,
- "Got esa id for nonexistent SAD entry");
- sad->destroy(sad);
- addr->destroy(addr);
-}
-END_TEST
-
-START_TEST(test_get_other_esa_id)
+START_TEST(test_get_esa_id_local)
 {
 host_t *addr = host_create_from_string("127.0.0.1", 1024);
 tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
 fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
 "Error inserting SAD entry");
- fail_unless(sad->insert(sad, 24, 54, addr, addr, 27, 42, 50),
- "Error inserting SAD entry");
- fail_unless(sad->get_other_esa_id(sad, 23) == 24,
- "Error getting other esa id");
+ fail_unless(sad->get_esa_id(sad, addr, addr, 27, 50, TRUE) == 23,
+ "Error getting esa id");
 sad->destroy(sad);
 addr->destroy(addr);
 }
 END_TEST
 
-START_TEST(test_get_other_esa_id_nonexistent)
+START_TEST(test_get_esa_id_nonexistent)
 {
 host_t *addr = host_create_from_string("127.0.0.1", 1024);
 tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->get_other_esa_id(sad, 1) == 0,
- "Got other esa id for nonexistent SAD entry");
- fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
- "Error inserting SAD entry");
- fail_unless(sad->get_other_esa_id(sad, 23) == 0,
- "Got own esa id");
-
+ fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50, FALSE) == 0,
+ "Got esa id for nonexistent SAD entry");
 sad->destroy(sad);
 addr->destroy(addr);
 }
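Review bot: test_get_esa_id_local inserts the entry with the same `addr` as both source and destination, so the src/dst swap that sad_entry_match now applies for `local == TRUE` is never exercised: a regression that compared the addresses in the wrong order, or dropped the swap entirely, would still pass. A second test with two distinct hosts pins the direction; the one below assumes insert()'s address arguments are (src, dst) in that order and that the stored entry describes the outbound SA, which is how the existing tests read but is not shown in this diff, so adjust the expectations if the order differs. The second loopback address is a constructed sample.
```c
START_TEST(test_get_esa_id_local_direction)
{
	host_t *loc = host_create_from_string("127.0.0.1", 1024);
	host_t *rem = host_create_from_string("127.0.0.2", 1024);
	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
	fail_unless(sad->insert(sad, 23, 54, loc, rem, 27, 42, 50),
				"Error inserting SAD entry");
	/* inbound SA runs rem -> loc and is identified by the local SPI */
	fail_unless(sad->get_esa_id(sad, rem, loc, 27, 50, TRUE) == 23,
				"Error getting esa id for inbound direction");
	fail_unless(sad->get_esa_id(sad, loc, rem, 27, 50, TRUE) == 0,
				"Got esa id with swapped addresses");
	sad->destroy(sad);
	loc->destroy(loc);
	rem->destroy(rem);
}
END_TEST
```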
@@ -179,14 +161,10 @@ Suite *make_kernel_sad_tests()
 
 tc = tcase_create("get_esa_id");
 tcase_add_test(tc, test_get_esa_id);
+ tcase_add_test(tc, test_get_esa_id_local);
 tcase_add_test(tc, test_get_esa_id_nonexistent);
 suite_add_tcase(s, tc);
 
- tc = tcase_create("get_other_esa_id");
- tcase_add_test(tc, test_get_other_esa_id);
- tcase_add_test(tc, test_get_other_esa_id_nonexistent);
- suite_add_tcase(s, tc);
-
 tc = tcase_create("get_dst_host");
 tcase_add_test(tc, test_get_dst_host);
 tcase_add_test(tc, test_get_dst_host_nonexistent);