};
+/**
+ * convert an IP protocol identifier to the IKEv2 specific protocol identifier.
+ */
+static inline protocol_id_t proto_ip2ike(u_int8_t protocol)
+{
+ switch (protocol)
+ {
+ case IPPROTO_ESP:
+ return PROTO_ESP;
+ case IPPROTO_AH:
+ return PROTO_AH;
+ default:
+ return protocol;
+ }
+}
+
METHOD(kernel_listener_t, acquire, bool,
private_kernel_handler_t *this, u_int32_t reqid,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
}
METHOD(kernel_listener_t, expire, bool,
- private_kernel_handler_t *this, u_int32_t reqid, protocol_id_t protocol,
+ private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol,
u_int32_t spi, bool hard)
{
job_t *job;
+ protocol_id_t proto = proto_ip2ike(protocol);
DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x "
"and reqid {%u}", hard ? "delete" : "rekey",
- protocol_id_names, protocol, ntohl(spi), reqid);
+ protocol_id_names, proto, ntohl(spi), reqid);
if (hard)
{
- job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+ job = (job_t*)delete_child_sa_job_create(reqid, proto, spi);
}
else
{
- job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+ job = (job_t*)rekey_child_sa_job_create(reqid, proto, spi);
}
hydra->processor->queue_job(hydra->processor, job);
return TRUE;
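Review bot: The converted `proto` on L28 is trusted as an IKEv2 identifier even though `proto_ip2ike` maps every value other than IPPROTO_ESP/IPPROTO_AH to itself, so an unexpected IP protocol number would reach the `%N` lookup on L29-L32 and the job constructors on L36/L41 unfiltered; IKEv2 protocol identifiers are small integers (RFC 4306 assigns AH=2, ESP=3) that also exist as IP protocol numbers, so such a value could even be logged and queued as the wrong CHILD_SA protocol. The netlink and pfkey backends in this commit filter non-ESP/AH expires before raising the event, but `kernel_listener_t.expire` is a public hook and other callers are not bound to that. A guard before the conversion keeps the listener self-contained: `if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH) { return TRUE; }` (TRUE keeps the listener registered, matching the hook's documented return contract). The proto_ip2ike definition itself sits in the preceding hunk.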
METHOD(kernel_interface_t, get_spi, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
- protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
{
if (!this->ipsec)
{
METHOD(kernel_interface_t, add_sa, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
+ u_int32_t spi, u_int8_t protocol, u_int32_t reqid,
mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
}
METHOD(kernel_interface_t, update_sa, status_t,
- private_kernel_interface_t *this, u_int32_t spi, protocol_id_t protocol,
+ private_kernel_interface_t *this, u_int32_t spi, u_int8_t protocol,
u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
bool encap, bool new_encap, mark_t mark)
{
METHOD(kernel_interface_t, query_sa, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+ u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
{
if (!this->ipsec)
{
METHOD(kernel_interface_t, del_sa, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+ u_int8_t protocol, u_int16_t cpi, mark_t mark)
{
if (!this->ipsec)
{
METHOD(kernel_interface_t, add_policy, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
}
METHOD(kernel_interface_t, expire, void,
- private_kernel_interface_t *this, u_int32_t reqid, protocol_id_t protocol,
+ private_kernel_interface_t *this, u_int32_t reqid, u_int8_t protocol,
u_int32_t spi, bool hard)
{
kernel_listener_t *listener;
* @return SUCCESS if operation completed
*/
status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
- protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+ u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
/**
* Get a Compression Parameter Index (CPI) from the kernel.
*/
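Review bot: The `protocol` parameter changes meaning here, from an IKEv2 `protocol_id_t` to an IP protocol number, but only its type is touched; the `@param protocol` lines that precede each of these declarations are outside the hunk and, as far as this diff shows, are not updated. The same applies to the add_sa, update_sa, query_sa, del_sa, add_policy and expire declarations in this header, and to the parallel hunks in kernel_ipsec.h and kernel_listener.h. Suggested wording for each: `@param protocol IP protocol of the SA (IPPROTO_ESP or IPPROTO_AH)`, so implementers of the interface do not keep passing PROTO_* enum values, which would compile silently since both are plain integers now.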
status_t (*add_sa) (kernel_interface_t *this,
host_t *src, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+ u_int8_t protocol, u_int32_t reqid, mark_t mark,
lifetime_cfg_t *lifetime,
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
* the kernel interface can't update the SA
*/
status_t (*update_sa)(kernel_interface_t *this,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
host_t *src, host_t *dst,
host_t *new_src, host_t *new_dst,
bool encap, bool new_encap, mark_t mark);
* @return SUCCESS if operation completed
*/
status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, mark_t mark,
+ u_int32_t spi, u_int8_t protocol, mark_t mark,
u_int64_t *bytes);
/**
* @return SUCCESS if operation completed
*/
status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
mark_t mark);
/**
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid,
+ u_int8_t protocol, u_int32_t reqid,
mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed);
* @param hard TRUE if it is a hard expire, FALSE otherwise
*/
void (*expire)(kernel_interface_t *this, u_int32_t reqid,
- protocol_id_t protocol, u_int32_t spi, bool hard);
+ u_int8_t protocol, u_int32_t spi, bool hard);
/**
* Raise a mapping event.
/*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* @return SUCCESS if operation completed
*/
status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
- protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+ u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
/**
* Get a Compression Parameter Index (CPI) from the kernel.
*/
status_t (*add_sa) (kernel_ipsec_t *this,
host_t *src, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid,
+ u_int8_t protocol, u_int32_t reqid,
mark_t mark, lifetime_cfg_t *lifetime,
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
* the kernel interface can't update the SA
*/
status_t (*update_sa)(kernel_ipsec_t *this,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
host_t *src, host_t *dst,
host_t *new_src, host_t *new_dst,
bool encap, bool new_encap, mark_t mark);
* @return SUCCESS if operation completed
*/
status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, mark_t mark,
+ u_int32_t spi, u_int8_t protocol, mark_t mark,
u_int64_t *bytes);
/**
* @return SUCCESS if operation completed
*/
status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
mark_t mark);
/**
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid,
+ u_int8_t protocol, u_int32_t reqid,
mark_t mark, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, bool routed);
* @return TRUE to remain registered, FALSE to unregister
*/
bool (*expire)(kernel_listener_t *this, u_int32_t reqid,
- protocol_id_t protocol, u_int32_t spi, bool hard);
+ u_int8_t protocol, u_int32_t spi, bool hard);
/**
* Hook called if the NAT mappings of an IPsec SA changed.
struct sa_entry_t {
/** protocol of this SA */
- protocol_id_t protocol;
+ u_int8_t protocol;
/** reqid of this SA */
u_int32_t reqid;
/**
* create an sa_entry_t object
*/
-static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi,
+static sa_entry_t *create_sa_entry(u_int8_t protocol, u_int32_t spi,
u_int32_t reqid, host_t *src, host_t *dst,
bool encap, bool inbound)
{
/**
* match an sa_entry_t by protocol, spi and dst address (as the kernel does it)
*/
-static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol,
+static inline bool sa_entry_match_bydst(sa_entry_t *current, u_int8_t *protocol,
u_int32_t *spi, host_t *dst)
{
return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst);
/**
* match an sa_entry_t by protocol, reqid and spi
*/
-static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol,
+static inline bool sa_entry_match_byid(sa_entry_t *current, u_int8_t *protocol,
u_int32_t *spi, u_int32_t *reqid)
{
return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid;
};
/**
- * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ * convert a protocol identifier to the PF_KEY sa type
*/
-static u_int8_t proto_ike2satype(protocol_id_t proto)
+static u_int8_t proto2satype(u_int8_t proto)
{
switch (proto)
{
- case PROTO_ESP:
+ case IPPROTO_ESP:
return SADB_SATYPE_ESP;
- case PROTO_AH:
+ case IPPROTO_AH:
return SADB_SATYPE_AH;
case IPPROTO_COMP:
return SADB_X_SATYPE_COMP;
}
/**
- * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ * convert a PF_KEY sa type to a protocol identifier
*/
-static protocol_id_t proto_satype2ike(u_int8_t proto)
+static u_int8_t satype2proto(u_int8_t satype)
{
- switch (proto)
+ switch (satype)
{
case SADB_SATYPE_ESP:
- return PROTO_ESP;
+ return IPPROTO_ESP;
case SADB_SATYPE_AH:
- return PROTO_AH;
+ return IPPROTO_AH;
case SADB_X_SATYPE_COMP:
return IPPROTO_COMP;
default:
- return proto;
+ return satype;
}
}
spi = response.sa->sadb_sa_spi;
- if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+ if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP)
{
sa_entry_t *sa;
sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
/** the SPI of the expiring SA */
u_int32_t spi;
/** the protocol of the expiring SA */
- protocol_id_t protocol;
+ u_int8_t protocol;
/** the reqid of the expiring SA*/
u_int32_t reqid;
/** what type of expire this is */
static job_requeue_t sa_expires(sa_expire_t *expire)
{
private_kernel_klips_ipsec_t *this = expire->this;
- protocol_id_t protocol = expire->protocol;
+ u_int8_t protocol = expire->protocol;
u_int32_t spi = expire->spi, reqid = expire->reqid;
bool hard = expire->type != EXPIRE_TYPE_SOFT;
sa_entry_t *cached_sa;
* Schedule an expire job for an SA. Time is in seconds.
*/
static void schedule_expire(private_kernel_klips_ipsec_t *this,
- protocol_id_t protocol, u_int32_t spi,
+ u_int8_t protocol, u_int32_t spi,
u_int32_t reqid, expire_type_t type, u_int32_t time)
{
callback_job_t *job;
METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
- protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
{
/* we cannot use SADB_GETSPI because KLIPS does not allow us to set the
* NAT-T type in an SADB_UPDATE which we would have to use to update the
*/
static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
host_t *src, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid)
+ u_int8_t protocol, u_int32_t reqid)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
- satype->sadb_x_satype_satype = proto_ike2satype(protocol);
+ satype->sadb_x_satype_satype = proto2satype(protocol);
PFKEY_EXT_ADD(msg, satype);
sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
METHOD(kernel_ipsec_t, add_sa, status_t,
private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+ u_int8_t protocol, u_int32_t reqid, mark_t mark,
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = SADB_ADD;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
}
METHOD(kernel_ipsec_t, update_sa, status_t,
- private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+ private_kernel_klips_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
bool encap, bool new_encap, mark_t mark)
{
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = SADB_UPDATE;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
METHOD(kernel_ipsec_t, query_sa, status_t,
private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+ u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
{
return NOT_SUPPORTED; /* TODO */
}
METHOD(kernel_ipsec_t, del_sa, status_t,
private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = SADB_DELETE;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
/* tunnel mode policies direct the packets into the pseudo IPIP SA */
satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
- proto_ike2satype(protocol);
+ proto2satype(protocol);
/* create a policy */
policy = create_policy_entry(src_ts, dst_ts, direction);
/*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2008 Andreas Steffen
* Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
bool install_routes;
};
-/**
- * convert a IKEv2 specific protocol identifier to the kernel one
- */
-static u_int8_t proto_ike2kernel(protocol_id_t proto)
-{
- switch (proto)
- {
- case PROTO_ESP:
- return IPPROTO_ESP;
- case PROTO_AH:
- return IPPROTO_AH;
- default:
- return proto;
- }
-}
-
-/**
- * reverse of ike2kernel
- */
-static protocol_id_t proto_kernel2ike(u_int8_t proto)
-{
- switch (proto)
- {
- case IPPROTO_ESP:
- return PROTO_ESP;
- case IPPROTO_AH:
- return PROTO_AH;
- default:
- return proto;
- }
-}
-
/**
* convert the general ipsec mode to the one defined in xfrm.h
*/
*/
static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
{
- protocol_id_t protocol;
+ u_int8_t protocol;
u_int32_t spi, reqid;
struct xfrm_user_expire *expire;
expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
- protocol = proto_kernel2ike(expire->state.id.proto);
+ protocol = expire->state.id.proto;
spi = expire->state.id.spi;
reqid = expire->state.reqid;
DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
- if (protocol != PROTO_ESP && protocol != PROTO_AH)
+ if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
{
DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
"reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
else if (rta->rta_type == XFRMA_MIGRATE)
{
struct xfrm_user_migrate *migrate;
- protocol_id_t proto;
migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
- proto = proto_kernel2ike(migrate->proto);
reqid = migrate->reqid;
- DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
- protocol_id_names, proto, old_src, old_dst,
- new_src, new_dst, reqid);
+ DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}",
+ old_src, old_dst, new_src, new_dst, reqid);
DESTROY_IF(old_src);
DESTROY_IF(old_dst);
DESTROY_IF(new_src);
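Review bot: The rewritten DBG2 on L465-L466 drops the protocol from the migrate log entirely, whereas the old line printed it by name; since `migrate->proto` is still available, keeping it as a number preserves the diagnostic value of the event without needing the enum name table, e.g. `DBG2(DBG_KNL, "  migrate %u %H...%H to %H...%H, reqid {%u}",` / `migrate->proto, old_src, old_dst, new_src, new_dst, reqid);`. Without it an operator cannot tell an ESP migration from an AH one from the log alone. The enclosing function starts and ends outside this hunk.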
DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
- if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
+ if (mapping->id.proto == IPPROTO_ESP)
{
host = xfrm2host(mapping->id.family, &mapping->new_saddr,
mapping->new_sport);
METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
- protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
{
DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
- if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
+ if (get_spi_internal(this, src, dst, protocol,
0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
{
DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
METHOD(kernel_ipsec_t, add_sa, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+ u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool encap, bool inbound,
host2xfrm(src, &sa->saddr);
host2xfrm(dst, &sa->id.daddr);
sa->id.spi = spi;
- sa->id.proto = proto_ike2kernel(protocol);
+ sa->id.proto = protocol;
sa->family = src->get_family(src);
sa->mode = mode2kernel(mode);
switch (mode)
* Get the replay state (i.e. sequence numbers) of an SA.
*/
static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
- u_int32_t spi, protocol_id_t protocol, host_t *dst,
+ u_int32_t spi, u_int8_t protocol, host_t *dst,
struct xfrm_replay_state *replay)
{
netlink_buf_t request;
host2xfrm(dst, &aevent_id->sa_id.daddr);
aevent_id->sa_id.spi = spi;
- aevent_id->sa_id.proto = proto_ike2kernel(protocol);
+ aevent_id->sa_id.proto = protocol;
aevent_id->sa_id.family = dst->get_family(dst);
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
METHOD(kernel_ipsec_t, query_sa, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+ u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
{
netlink_buf_t request;
struct nlmsghdr *out = NULL, *hdr;
sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
host2xfrm(dst, &sa_id->daddr);
sa_id->spi = spi;
- sa_id->proto = proto_ike2kernel(protocol);
+ sa_id->proto = protocol;
sa_id->family = dst->get_family(dst);
if (mark.value)
METHOD(kernel_ipsec_t, del_sa, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
{
netlink_buf_t request;
struct nlmsghdr *hdr;
sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
host2xfrm(dst, &sa_id->daddr);
sa_id->spi = spi;
- sa_id->proto = proto_ike2kernel(protocol);
+ sa_id->proto = protocol;
sa_id->family = dst->get_family(dst);
if (mark.value)
}
METHOD(kernel_ipsec_t, update_sa, status_t,
- private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+ private_kernel_netlink_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
bool old_encap, bool new_encap, mark_t mark)
{
sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
host2xfrm(dst, &sa_id->daddr);
sa_id->spi = spi;
- sa_id->proto = proto_ike2kernel(protocol);
+ sa_id->proto = protocol;
sa_id->family = dst->get_family(dst);
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
- u_int16_t cpi, bool routed)
+ u_int16_t cpi, bool routed)
{
policy_entry_t *current, *policy;
bool found = FALSE;
}
tmpl->reqid = reqid;
- tmpl->id.proto = proto_ike2kernel(protocol);
+ tmpl->id.proto = protocol;
tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
tmpl->mode = mode2kernel(mode);
tmpl->family = src->get_family(src);
);
/**
- * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ * convert a protocol identifier to the PF_KEY sa type
*/
-static u_int8_t proto_ike2satype(protocol_id_t proto)
+static u_int8_t proto2satype(u_int8_t proto)
{
switch (proto)
{
- case PROTO_ESP:
+ case IPPROTO_ESP:
return SADB_SATYPE_ESP;
- case PROTO_AH:
+ case IPPROTO_AH:
return SADB_SATYPE_AH;
case IPPROTO_COMP:
return SADB_X_SATYPE_IPCOMP;
}
/**
- * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ * convert a PF_KEY sa type to a protocol identifier
*/
-static protocol_id_t proto_satype2ike(u_int8_t proto)
+static u_int8_t satype2proto(u_int8_t satype)
{
- switch (proto)
+ switch (satype)
{
case SADB_SATYPE_ESP:
- return PROTO_ESP;
+ return IPPROTO_ESP;
case SADB_SATYPE_AH:
- return PROTO_AH;
+ return IPPROTO_AH;
case SADB_X_SATYPE_IPCOMP:
return IPPROTO_COMP;
default:
- return proto;
- }
-}
-
-/**
- * convert a IKEv2 specific protocol identifier to the IP protocol identifier
- */
-static u_int8_t proto_ike2ip(protocol_id_t proto)
-{
- switch (proto)
- {
- case PROTO_ESP:
- return IPPROTO_ESP;
- case PROTO_AH:
- return IPPROTO_AH;
- default:
- return proto;
+ return satype;
}
}
static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
{
pfkey_msg_t response;
- protocol_id_t protocol;
+ u_int8_t protocol;
u_int32_t spi, reqid;
bool hard;
return;
}
- protocol = proto_satype2ike(msg->sadb_msg_satype);
+ protocol = satype2proto(msg->sadb_msg_satype);
spi = response.sa->sadb_sa_spi;
reqid = response.x_sa2->sadb_x_sa2_reqid;
hard = response.lft_hard != NULL;
- if (protocol != PROTO_ESP && protocol != PROTO_AH)
+ if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
{
DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
"which is not a CHILD_SA", ntohl(spi), reqid);
spi = response.sa->sadb_sa_spi;
reqid = response.x_sa2->sadb_x_sa2_reqid;
- if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+ if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP)
{
sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
switch (sa->sa_family)
METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
- protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = SADB_GETSPI;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
METHOD(kernel_ipsec_t, add_sa, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+ u_int8_t protocol, u_int32_t reqid, mark_t mark,
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
#ifdef __APPLE__
}
METHOD(kernel_ipsec_t, update_sa, status_t,
- private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+ private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
bool encap, bool new_encap, mark_t mark)
{
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = SADB_GET;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = SADB_UPDATE;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
#ifdef __APPLE__
METHOD(kernel_ipsec_t, query_sa, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+ u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = SADB_GET;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
METHOD(kernel_ipsec_t, del_sa, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = SADB_DELETE;
- msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
req = (struct sadb_x_ipsecrequest*)(pol + 1);
- req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
+ req->sadb_x_ipsecrequest_proto = protocol;
/* !!! the length of this struct MUST be in octets instead of 64 bit words */
req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
METHOD(kernel_ipsec_t, get_spi, status_t,
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
{
*spi = ++this->spi;
return SUCCESS;
METHOD(kernel_ipsec_t, add_sa, status_t,
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+ u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
}
METHOD(kernel_ipsec_t, update_sa, status_t,
- private_load_tester_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+ private_load_tester_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src,
host_t *new_dst, bool encap, bool new_encap, mark_t mark)
{
METHOD(kernel_ipsec_t, query_sa, status_t,
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+ u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
{
return NOT_SUPPORTED;
}
METHOD(kernel_ipsec_t, del_sa, status_t,
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
{
return SUCCESS;
}
METHOD(kernel_ipsec_t, add_policy, status_t,
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+ policy_dir_t direction, u_int32_t spi, u_int8_t protocol,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
/*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005 Jan Hutter
u_int64_t other_usebytes;
};
+/**
+ * convert an IKEv2 specific protocol identifier to the IP protocol identifier.
+ */
+static inline u_int8_t proto_ike2ip(protocol_id_t protocol)
+{
+ switch (protocol)
+ {
+ case PROTO_ESP:
+ return IPPROTO_ESP;
+ case PROTO_AH:
+ return IPPROTO_AH;
+ default:
+ return protocol;
+ }
+}
+
METHOD(child_sa_t, get_name, char*,
private_child_sa_t *this)
{
if (this->my_spi)
{
status = charon->kernel_interface->query_sa(charon->kernel_interface,
- this->other_addr, this->my_addr,
- this->my_spi, this->protocol,
- this->mark_in, &bytes);
+ this->other_addr, this->my_addr, this->my_spi,
+ proto_ike2ip(this->protocol), this->mark_in,
+ &bytes);
if (status == SUCCESS)
{
if (bytes > this->my_usebytes)
if (this->other_spi)
{
status = charon->kernel_interface->query_sa(charon->kernel_interface,
- this->my_addr, this->other_addr,
- this->other_spi, this->protocol,
- this->mark_out, &bytes);
+ this->my_addr, this->other_addr, this->other_spi,
+ proto_ike2ip(this->protocol), this->mark_out,
+ &bytes);
if (status == SUCCESS)
{
if (bytes > this->other_usebytes)
private_child_sa_t *this, protocol_id_t protocol)
{
if (charon->kernel_interface->get_spi(charon->kernel_interface,
- this->other_addr, this->my_addr, protocol,
- this->reqid, &this->my_spi) == SUCCESS)
+ this->other_addr, this->my_addr,
+ proto_ike2ip(protocol), this->reqid,
+ &this->my_spi) == SUCCESS)
{
return this->my_spi;
}
private_child_sa_t *this)
{
if (charon->kernel_interface->get_cpi(charon->kernel_interface,
- this->other_addr, this->my_addr, this->reqid,
- &this->my_cpi) == SUCCESS)
+ this->other_addr, this->my_addr,
+ this->reqid, &this->my_cpi) == SUCCESS)
{
return this->my_cpi;
}
}
status = charon->kernel_interface->add_sa(charon->kernel_interface,
- src, dst, spi, this->protocol, this->reqid,
+ src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
inbound ? this->mark_in : this->mark_out,
lifetime, enc_alg, encr, int_alg, integ, this->mode,
this->ipcomp, cpi, this->encap, update, src_ts, dst_ts);
{
/* install 3 policies: out, in and forward */
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
- this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
- this->other_spi, this->protocol, this->reqid, this->mark_out,
- this->mode, this->ipcomp, this->other_cpi, routed);
+ this->my_addr, this->other_addr, my_ts, other_ts,
+ POLICY_OUT, this->other_spi,
+ proto_ike2ip(this->protocol), this->reqid,
+ this->mark_out, this->mode, this->ipcomp,
+ this->other_cpi, routed);
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
- this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
- this->my_spi, this->protocol, this->reqid, this->mark_in,
- this->mode, this->ipcomp, this->my_cpi, routed);
+ this->other_addr, this->my_addr, other_ts, my_ts,
+ POLICY_IN, this->my_spi,
+ proto_ike2ip(this->protocol), this->reqid,
+ this->mark_in, this->mode, this->ipcomp,
+ this->my_cpi, routed);
if (this->mode != MODE_TRANSPORT)
{
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
- this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD,
- this->my_spi, this->protocol, this->reqid, this->mark_in,
- this->mode, this->ipcomp, this->my_cpi, routed);
+ this->other_addr, this->my_addr, other_ts, my_ts,
+ POLICY_FWD, this->my_spi,
+ proto_ike2ip(this->protocol), this->reqid,
+ this->mark_in, this->mode, this->ipcomp,
+ this->my_cpi, routed);
}
if (status != SUCCESS)
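Review bot: `proto_ike2ip(this->protocol)` is now spelled out in every kernel_interface call argument list (L882, L891, L902 here, and again in the update_sa, add_policy and del_sa hunks further down); computing it once per method into a local, `u_int8_t proto = proto_ike2ip(this->protocol);`, would shorten these argument lists back to roughly their previous shape and make it harder for a future edit to pass the raw `this->protocol` enum to one call site while converting the others. The enclosing function starts outside this hunk.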
if (this->my_spi)
{
if (charon->kernel_interface->update_sa(charon->kernel_interface,
- this->my_spi, this->protocol,
+ this->my_spi, proto_ike2ip(this->protocol),
this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
this->other_addr, this->my_addr, other, me,
this->encap, encap, this->mark_in) == NOT_SUPPORTED)
if (this->other_spi)
{
if (charon->kernel_interface->update_sa(charon->kernel_interface,
- this->other_spi, this->protocol,
+ this->other_spi, proto_ike2ip(this->protocol),
this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
this->my_addr, this->other_addr, me, other,
this->encap, encap, this->mark_out) == NOT_SUPPORTED)
/* reinstall updated policies */
charon->kernel_interface->add_policy(charon->kernel_interface,
- me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
- this->protocol, this->reqid, this->mark_out, this->mode,
- this->ipcomp, this->other_cpi, FALSE);
+ me, other, my_ts, other_ts, POLICY_OUT,
+ this->other_spi, proto_ike2ip(this->protocol),
+ this->reqid, this->mark_out, this->mode,
+ this->ipcomp, this->other_cpi, FALSE);
charon->kernel_interface->add_policy(charon->kernel_interface,
- other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
- this->protocol, this->reqid, this->mark_in, this->mode,
- this->ipcomp, this->my_cpi, FALSE);
+ other, me, other_ts, my_ts, POLICY_IN,
+ this->my_spi, proto_ike2ip(this->protocol),
+ this->reqid, this->mark_in, this->mode,
+ this->ipcomp, this->my_cpi, FALSE);
if (this->mode != MODE_TRANSPORT)
{
charon->kernel_interface->add_policy(charon->kernel_interface,
- other, me, other_ts, my_ts, POLICY_FWD, this->my_spi,
- this->protocol, this->reqid, this->mark_in, this->mode,
- this->ipcomp, this->my_cpi, FALSE);
+ other, me, other_ts, my_ts, POLICY_FWD,
+ this->my_spi, proto_ike2ip(this->protocol),
+ this->reqid, this->mark_in, this->mode,
+ this->ipcomp, this->my_cpi, FALSE);
}
}
enumerator->destroy(enumerator);
}
charon->kernel_interface->del_sa(charon->kernel_interface,
this->other_addr, this->my_addr, this->my_spi,
- this->protocol, this->my_cpi, this->mark_in);
+ proto_ike2ip(this->protocol), this->my_cpi,
+ this->mark_in);
}
if (this->other_spi)
{
charon->kernel_interface->del_sa(charon->kernel_interface,
this->my_addr, this->other_addr, this->other_spi,
- this->protocol, this->other_cpi, this->mark_out);
+ proto_ike2ip(this->protocol), this->other_cpi,
+ this->mark_out);
}
if (this->config->install_policy(this->config))
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
charon->kernel_interface->del_policy(charon->kernel_interface,
- my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted);
+ my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted);
charon->kernel_interface->del_policy(charon->kernel_interface,
- other_ts, my_ts, POLICY_IN, this->mark_in, unrouted);
+ other_ts, my_ts, POLICY_IN, this->mark_in, unrouted);
if (this->mode != MODE_TRANSPORT)
{
charon->kernel_interface->del_policy(charon->kernel_interface,
- other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted);
+ other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted);
}
}
enumerator->destroy(enumerator);