author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:18:20 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:18:20 +0000 |
commit | a9b7f8d4a4a4202facd9690580b38542e7933f00 (patch) | |
tree | d82a9d506c62cff257e5292845b68df3ca5c60dc /src/charon/plugins/kernel_netlink | |
parent | 12263dccbbb6747d53b97333c3d6f0f17e1bffea (diff) | |
- New upstream release.
- Don't disable internal crypto plugins, pluto expects to find them in
some cases.
- Enable integrity checking.
Diffstat (limited to 'src/charon/plugins/kernel_netlink')
5 files changed, 91 insertions, 11 deletions
diff --git a/src/charon/plugins/kernel_netlink/Makefile.am b/src/charon/plugins/kernel_netlink/Makefile.am
index e0efe5779..6351280d6 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.am
+++ b/src/charon/plugins/kernel_netlink/Makefile.am
@@ -8,4 +8,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
 libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
 kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
 kernel_netlink_shared.h kernel_netlink_shared.c
-libstrongswan_kernel_netlink_la_LDFLAGS = -module
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in
index b97738bff..46d2a1c65 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.in
+++ b/src/charon/plugins/kernel_netlink/Makefile.in
@@ -77,12 +77,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -187,7 +190,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -228,7 +233,7 @@ libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink
 kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
 kernel_netlink_shared.h kernel_netlink_shared.c
-libstrongswan_kernel_netlink_la_LDFLAGS = -module
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
 
 all: all-am
 
 .SUFFIXES:
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 9322d8dfe..2051316f6 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -984,16 +984,20 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 break;
 case ENCR_AES_CCM_ICV16:
 case ENCR_AES_GCM_ICV16:
+ case ENCR_CAMELLIA_CCM_ICV16:
 icv_size += 32;
 /* FALL */
 case ENCR_AES_CCM_ICV12:
 case ENCR_AES_GCM_ICV12:
+ case ENCR_CAMELLIA_CCM_ICV12:
 icv_size += 32;
 /* FALL */
 case ENCR_AES_CCM_ICV8:
 case ENCR_AES_GCM_ICV8:
+ case ENCR_CAMELLIA_CCM_ICV8:
 {
- rthdr->rta_type = XFRMA_ALG_AEAD;
+ struct xfrm_algo_aead *algo;
+
 alg_name = lookup_algorithm(encryption_algs, enc_alg);
 if (alg_name == NULL)
 {
@@ -1004,6 +1008,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 
+ rthdr->rta_type = XFRMA_ALG_AEAD;
 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
 hdr->nlmsg_len += rthdr->rta_len;
 if (hdr->nlmsg_len > sizeof(request))
@@ -1011,7 +1016,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 return FAILED;
 }
 
- struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
+ algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
 algo->alg_key_len = enc_key.len * 8;
 algo->alg_icv_len = icv_size;
 strcpy(algo->alg_name, alg_name);
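Review bot: The three new `case ENCR_CAMELLIA_CCM_ICV*` labels in the -984 hunk send Camellia-CCM down the same `lookup_algorithm(encryption_algs, enc_alg)` path as AES, but the `encryption_algs` table is outside this hunk; if it gained no Camellia-CCM rows in the same commit, the existing NULL check returns FAILED with the "not supported" message, which is safe but makes the new labels dead, so that table is worth confirming. The `strcpy(algo->alg_name, alg_name);` at the end of the -1011 hunk writes into the fixed-size `alg_name` member of `struct xfrm_algo_aead`; the source is a table string, so it is bounded in practice, but `snprintf(algo->alg_name, sizeof(algo->alg_name), "%s", alg_name);` would make the kernel's name-length limit visible at the write site. Moving `rthdr->rta_type = XFRMA_ALG_AEAD;` after the lookup is fine as far as these lines show, since the only early exit in between is `return FAILED`. add_sa starts and ends outside these hunks.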
@@ -1022,7 +1027,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 }
 default:
 {
- rthdr->rta_type = XFRMA_ALG_CRYPT;
+ struct xfrm_algo *algo;
+
 alg_name = lookup_algorithm(encryption_algs, enc_alg);
 if (alg_name == NULL)
 {
@@ -1033,6 +1039,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 
+ rthdr->rta_type = XFRMA_ALG_CRYPT;
 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
 hdr->nlmsg_len += rthdr->rta_len;
 if (hdr->nlmsg_len > sizeof(request))
@@ -1040,13 +1047,12 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 return FAILED;
 }
 
- struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+ algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 algo->alg_key_len = enc_key.len * 8;
 strcpy(algo->alg_name, alg_name);
 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
 
 rthdr = XFRM_RTA_NEXT(rthdr);
- break;
 }
 }
 
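Review bot: Dropping the trailing `break;` from the `default:` block in the -1040 hunk makes that block depend on being the last label of the switch; it compiles and behaves the same today, but the AEAD case above it still ends in `break;`, so the two blocks are now inconsistent and any label added below `default:` later would fall through silently. I would keep `break;` after `rthdr = XFRM_RTA_NEXT(rthdr);` for symmetry with the AEAD case. Hoisting `struct xfrm_algo *algo;` to the top of the block and moving `rthdr->rta_type = XFRMA_ALG_CRYPT;` after the name lookup look correct as far as the visible lines show, since the only exit in between is `return FAILED`. add_sa's body continues outside these hunks.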
@@ -1230,6 +1236,74 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 }
 
 /**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int64_t *bytes)
+{
+ netlink_buf_t request;
+ struct nlmsghdr *out = NULL, *hdr;
+ struct xfrm_usersa_id *sa_id;
+ struct xfrm_usersa_info *sa = NULL;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST;
+ hdr->nlmsg_type = XFRM_MSG_GETSA;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+ sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+ host2xfrm(dst, &sa_id->daddr);
+ sa_id->spi = spi;
+ sa_id->proto = proto_ike2kernel(protocol);
+ sa_id->family = dst->get_family(dst);
+
+ if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+ {
+ hdr = out;
+ while (NLMSG_OK(hdr, len))
+ {
+ switch (hdr->nlmsg_type)
+ {
+ case XFRM_MSG_NEWSA:
+ {
+ sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+ break;
+ }
+ case NLMSG_ERROR:
+ {
+ struct nlmsgerr *err = NLMSG_DATA(hdr);
+ DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)",
+ ntohl(spi), strerror(-err->error), -err->error);
+ break;
+ }
+ default:
+ hdr = NLMSG_NEXT(hdr, len);
+ continue;
+ case NLMSG_DONE:
+ break;
+ }
+ break;
+ }
+ }
+
+ if (sa == NULL)
+ {
+ DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+ free(out);
+ return FAILED;
+ }
+ *bytes = sa->curlft.bytes;
+
+ free(out);
+ return SUCCESS;
+}
+/**
 * Implementation of kernel_interface_t.del_sa.
 */
 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
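Review bot: `sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);` in the `XFRM_MSG_NEWSA` arm of query_sa trusts the reply length — `NLMSG_OK(hdr, len)` only validates the netlink header, not the payload — so `*bytes = sa->curlft.bytes;` later reads past a short message; guard the assignment with `if (hdr->nlmsg_len >= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))` and leave `sa` NULL otherwise, which the existing `sa == NULL` path already handles as FAILED. `len` is assigned only by `send()` and is first used in `NLMSG_OK(hdr, len)` inside the `== SUCCESS` branch, which is correct but deserves a one-line comment so the uninitialised declaration does not read as a bug. The `src` parameter is never used in the body; a line in the doc comment such as `* src is unused, the SA is looked up by dst/spi/proto only.` would save readers from hunting for it. Finally, the added `+/**` directly follows `+}`, so query_sa and del_sa's doc comment end up without the blank separator line the surrounding code uses (see the `}` / blank / `/**` context at the top of this hunk).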
@@ -1888,6 +1962,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
@@ -1897,7 +1972,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 /* private members */
 this->policies = hashtable_create((hashtable_hash_t)policy_hash,
 (hashtable_equals_t)policy_equals, 32);
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 this->install_routes = lib->settings->get_bool(lib->settings,
 "charon.install_routes", TRUE);
 
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index 32154a7ea..e5c0b5da7 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1370,8 +1370,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 
 /* private members */
 this->ifaces = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
- this->condvar = condvar_create(CONDVAR_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 timerclear(&this->last_roam);
 this->routing_table = lib->settings->get_int(lib->settings,
 "charon.routing_table", IPSEC_ROUTING_TABLE);
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index 7ef7cc56e..ec1187083 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -255,7 +255,7 @@ netlink_socket_t *netlink_socket_create(int protocol)
 {
 /* private members */
 this->seq = 200;
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 
 memset(&addr, 0, sizeof(addr));
 addr.nl_family = AF_NETLINK;