From: Tobias Brunner
Date: Thu, 23 Jun 2022 13:59:56 +0000 (+0200)
Subject: kernel-interface: Add feature to indicate if query_sa() returns last use time
X-Git-Tag: 5.9.10rc1~8^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9131c34d3d99000800a7b7115d4162029602dfd;p=thirdparty%2Fstrongswan.git

kernel-interface: Add feature to indicate if query_sa() returns last use time

Currently supported by libipsec and PF_KEY on macOS (FreeBSD, like Linux, reports the time the SA was first used in sadb_lifetime_usetime - it also triggers rekeyings based on that, which Linux doesn't, it also triggers them if an SA is never used).
---
diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
index 4b00527d65..1a47f6d8d7 100644
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
@@ -46,6 +46,12 @@ static void expire(uint8_t protocol, uint32_t spi, host_t *dst, bool hard)
 charon->kernel->expire(charon->kernel, protocol, spi, dst, hard);
 }

+METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
+ private_kernel_android_ipsec_t *this)
+{
+ return KERNEL_SA_USE_TIME;
+}
+
 METHOD(kernel_ipsec_t, get_spi, status_t,
 private_kernel_android_ipsec_t *this, host_t *src, host_t *dst,
 uint8_t protocol, uint32_t *spi)
@@ -166,6 +172,7 @@ kernel_android_ipsec_t *kernel_android_ipsec_create()
 INIT(this,
 .public = {
 .interface = {
+ .get_features = _get_features,
 .get_spi = _get_spi,
 .get_cpi = _get_cpi,
 .add_sa = _add_sa,
diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h
index c11738b409..2bc9d86572 100644
--- a/src/libcharon/kernel/kernel_interface.h
+++ b/src/libcharon/kernel/kernel_interface.h
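Review bot: get_features() in the first hunk advertises KERNEL_SA_USE_TIME for the Android backend, but nothing in the hunk shows which query_sa() implementation actually supplies a last-use time, so a reader has to take the commit message on trust. A short comment on the return would tie the two together, e.g. `/* the SAD behind query_sa() is libipsec's, which tracks the last use time */` — presumably this backend delegates to libipsec the way the kernel_libipsec plugin does, but confirm against query_sa() further down in this file before keeping the flag. The get_spi() signature at the end of the hunk continues outside it.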
@@ -79,6 +79,8 @@ enum kernel_feature_t {
 KERNEL_NO_POLICY_UPDATES = (1<<3),
 /** IPsec backend supports installing SPIs on policies */
 KERNEL_POLICY_SPI = (1<<4),
+ /** IPsec backend reports use time per SA via query_sa() */
+ KERNEL_SA_USE_TIME = (1<<5),
 };

 /**
@@ -202,7 +204,11 @@ struct kernel_interface_t {
 kernel_ipsec_update_sa_t *data);

 /**
- * Query the number of bytes processed by an SA from the SAD.
+ * Query the number of bytes and packets processed by an SA from the SAD.
+ *
+ * Some implementations may also return the last use time (as indicated by
+ * get_features()). This is a monotonic timestamp as returned by
+ * time_monotonic().
 *
 * @param id data identifying this SA
 * @param data data to query the SA
@@ -247,11 +253,12 @@ struct kernel_interface_t {
 * Query the use time of a policy.
 *
 * The use time of a policy is the time the policy was used
- * for the last time.
+ * for the last time. This is a monotonic timestamp as returned by
+ * time_monotonic().
 *
 * @param id data identifying this policy
 * @param data data to query the policy
- * @param[out] use_time the monotonic timestamp of this SA's last use
+ * @param[out] use_time the monotonic timestamp of this policy's last use
 * @return SUCCESS if operation completed
 */
 status_t (*query_policy)(kernel_interface_t *this,
diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
index 3e1c80e708..0c7fca0a75 100644
--- a/src/libcharon/kernel/kernel_ipsec.h
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -269,7 +269,11 @@ struct kernel_ipsec_t {
 kernel_ipsec_update_sa_t *data);

 /**
- * Query the number of bytes processed by an SA from the SAD.
+ * Query the number of bytes and packets processed by an SA from the SAD.
+ *
+ * Some implementations may also return the last use time (as indicated by
+ * get_features()). This is a monotonic timestamp as returned by
+ * time_monotonic().
 *
 * @param id data identifying this SA
 * @param data data to query the SA
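Review bot: The new doc comment on KERNEL_SA_USE_TIME in the kernel_feature_t hunk says the backend "reports use time per SA", but the distinction this flag exists for is first-use versus last-use time (the commit message and the PF_KEY comment in this patch both say "last"). Spell that out so a backend author does not set the flag for a first-use value: `/** IPsec backend reports the last use time per SA via query_sa() */`. The enum continues outside the hunk.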
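Review bot: The new paragraph on query_sa() in the kernel_interface_t hunk says some implementations "may also" return the last use time, but it does not tell callers what they get otherwise; the PF_KEY hunk in this patch writes `*time = 0` in that case, so a caller that reads the value without checking get_features() would see "never used", which is misleading if the value feeds inactivity or rekeying logic. Add a sentence such as `* Callers must check for KERNEL_SA_USE_TIME before interpreting the use time; backends that do not support it may report 0.` The same paragraph is repeated in the kernel_ipsec_t hunk at @@ -269 in kernel_ipsec.h and should get the same sentence. Both query_sa() declarations continue outside their hunks.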
@@ -314,12 +318,11 @@ struct kernel_ipsec_t {
 * Query the use time of a policy.
 *
 * The use time of a policy is the time the policy was used for the last
- * time. It is not the system time, but a monotonic timestamp as returned
- * by time_monotonic.
+ * time. This is a monotonic timestamp as returned by time_monotonic().
 *
 * @param id data identifying this policy
 * @param data data to query the policy
- * @param[out] use_time the monotonic timestamp of this SA's last use
+ * @param[out] use_time the monotonic timestamp of this policy's last use
 * @return SUCCESS if operation completed
 */
 status_t (*query_policy)(kernel_ipsec_t *this,
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index b3aa75ef35..d067ed58ea 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -231,7 +231,8 @@ static void expire(uint8_t protocol, uint32_t spi, host_t *dst, bool hard)
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
 private_kernel_libipsec_ipsec_t *this)
 {
- return KERNEL_REQUIRE_UDP_ENCAPSULATION | KERNEL_ESP_V3_TFC;
+ return KERNEL_REQUIRE_UDP_ENCAPSULATION | KERNEL_ESP_V3_TFC |
+ KERNEL_SA_USE_TIME;
 }

 METHOD(kernel_ipsec_t, get_spi, status_t,
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index e7046a7043..aa4b0f1629 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1659,6 +1659,16 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
 return SUCCESS;
 }

+METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
+ private_kernel_pfkey_ipsec_t *this)
+{
+#ifdef __APPLE__
+ return KERNEL_SA_USE_TIME;
+#else
+ return 0;
+#endif
+}
+
 METHOD(kernel_ipsec_t, get_spi, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 uint8_t protocol, uint32_t *spi)
@@ -2198,9 +2208,9 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 /* OS X uses the "last" time of use in usetime */
 *time = response.lft_current->sadb_lifetime_usetime;
 #else /* !__APPLE__ */
- /* on Linux, sadb_lifetime_usetime is set to the "first" time of use,
- * which is actually correct according to PF_KEY. We have to query
- * policies for the last usetime. */
+ /* on Linux and FreeBSD, sadb_lifetime_usetime is set to the "first"
+ * time of use, which is actually correct according to PF_KEY. We have
+ * to query policies for the last usetime. */
 *time = 0;
 #endif /* !__APPLE__ */
 }
@@ -3308,6 +3318,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 INIT(this,
 .public = {
 .interface = {
+ .get_features = _get_features,
 .get_spi = _get_spi,
 .get_cpi = _get_cpi,
 .add_sa = _add_sa,
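Review bot: The `#ifdef __APPLE__` in the new get_features() mirrors the one in query_sa() in the second hunk, where the comment explains that only macOS puts the last use time in sadb_lifetime_usetime, but nothing links the two, so editing one branch leaves the other silently stale. A comment on the ifdef would keep them together, e.g. `/* keep in sync with query_sa(): only macOS reports the last use in sadb_lifetime_usetime */`. The get_spi() signature at the end of the hunk continues outside it.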