[hipl-dev] [Branch ~hipl-core/hipl/trunk] Rev 5391: esp token protection is now disabled by default
- From: noreply@xxxxxxxxxxxxx
- To: HIPL core team <hipl-dev@xxxxxxxxxxxxx>
- Date: Thu, 06 Jan 2011 11:33:32 -0000
------------------------------------------------------------
revno: 5391
committer: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
branch nick: hipl
timestamp: Thu 2011-01-06 12:30:37 +0100
message:
esp token protection is now disabled by default
esp token filtering was always active when traffic filtering took
place in the hipfw. Now, esp token filtering needs to be enabled at
the commandline during hipfw startup. The "-e" parameter is reused for
this purpose.
NOTE: End-hosts now have to specify "-ei" in order to run the esp
token protection extension.
modified:
firewall/esp_prot_conntrack.c
firewall/firewall.c
firewall/firewall.h
--
lp:hipl
https://code.launchpad.net/~hipl-core/hipl/trunk
Your team HIPL core team is subscribed to branch lp:hipl.
To unsubscribe from this branch go to
https://code.launchpad.net/~hipl-core/hipl/trunk/+edit-subscription
=== modified file 'firewall/esp_prot_conntrack.c'
--- firewall/esp_prot_conntrack.c 2011-01-04 18:13:58 +0000
+++ firewall/esp_prot_conntrack.c 2011-01-06 11:30:37 +0000
@@ -554,42 +554,42 @@
const struct esp_prot_preferred_tfms *prot_transforms = NULL;
int err = 0, i;
- HIP_DEBUG("\n");
-
- // initialize the ESP protection params in the connection
- tuple->connection->num_esp_prot_tfms = 0;
- memset(tuple->connection->esp_prot_tfms, 0, NUM_TRANSFORMS + 1);
-
- // check if message contains optional ESP protection transforms
- if ((prot_transforms = hip_get_param(common,
- HIP_PARAM_ESP_PROT_TRANSFORMS))) {
- HIP_DEBUG("ESP protection extension transforms found\n");
-
- // make sure we only process as many transforms as we can handle
- if (prot_transforms->num_transforms > NUM_TRANSFORMS + 1) {
- HIP_DEBUG("received more transforms than we can handle, " \
- "processing max\n");
-
- // transforms + UNUSED
- tuple->connection->num_esp_prot_tfms = NUM_TRANSFORMS + 1;
- } else {
- tuple->connection->num_esp_prot_tfms =
prot_transforms->num_transforms;
- }
-
- HIP_DEBUG("adding %i transforms...\n",
tuple->connection->num_esp_prot_tfms);
-
- // store the transforms
- for (i = 0; i < tuple->connection->num_esp_prot_tfms; i++) {
- // only store transforms we support
- if
(esp_prot_conntrack_tfms[prot_transforms->transforms[i]].is_used) {
- tuple->connection->esp_prot_tfms[i] =
prot_transforms->transforms[i];
-
- HIP_DEBUG("added transform %i: %u\n", i + 1,
- tuple->connection->esp_prot_tfms[i]);
+ if (hip_esp_protection) {
+ // initialize the ESP protection params in the connection
+ tuple->connection->num_esp_prot_tfms = 0;
+ memset(tuple->connection->esp_prot_tfms, 0, NUM_TRANSFORMS + 1);
+
+ // check if message contains optional ESP protection transforms
+ if ((prot_transforms = hip_get_param(common,
+ HIP_PARAM_ESP_PROT_TRANSFORMS))) {
+ HIP_DEBUG("ESP protection extension transforms found\n");
+
+ // make sure we only process as many transforms as we can handle
+ if (prot_transforms->num_transforms > NUM_TRANSFORMS + 1) {
+ HIP_DEBUG("received more transforms than we can handle, " \
+ "processing max\n");
+
+ // transforms + UNUSED
+ tuple->connection->num_esp_prot_tfms = NUM_TRANSFORMS + 1;
} else {
- tuple->connection->esp_prot_tfms[i] = ESP_PROT_TFM_UNUSED;
-
- HIP_DEBUG("unknown transform, set to UNUSED\n");
+ tuple->connection->num_esp_prot_tfms =
prot_transforms->num_transforms;
+ }
+
+ HIP_DEBUG("adding %i transforms...\n",
tuple->connection->num_esp_prot_tfms);
+
+ // store the transforms
+ for (i = 0; i < tuple->connection->num_esp_prot_tfms; i++) {
+ // only store transforms we support
+ if
(esp_prot_conntrack_tfms[prot_transforms->transforms[i]].is_used) {
+ tuple->connection->esp_prot_tfms[i] =
prot_transforms->transforms[i];
+
+ HIP_DEBUG("added transform %i: %u\n", i + 1,
+ tuple->connection->esp_prot_tfms[i]);
+ } else {
+ tuple->connection->esp_prot_tfms[i] = ESP_PROT_TFM_UNUSED;
+
+ HIP_DEBUG("unknown transform, set to UNUSED\n");
+ }
}
}
}
@@ -616,99 +616,99 @@
int hash_length = 0;
int err = 0;
- HIP_DEBUG("\n");
-
- HIP_ASSERT(common != NULL);
- HIP_ASSERT(tuple != NULL);
-
- // check if message contains optional ESP protection anchors
- if ((param = hip_get_param(common, HIP_PARAM_ESP_PROT_ANCHOR))) {
- prot_anchor = (const struct esp_prot_anchor *) param;
-
- /* create esp_tuple for direction of this message only storing
- * the sent anchor, no SPI known yet -> will be sent in R2
- *
- * @note this needs to be done as SPIs are signaled in one direction
- * but used in the other while anchors are signaled and used
- * in the same direction
- */
-
- /* check esp_tuple count for this direction, should be 0 */
- HIP_IFEL(tuple->esp_tuples, -1,
- "expecting empty esp_tuple list, but it is NOT\n");
-
- HIP_IFEL(!(esp_tuple = malloc(sizeof(struct esp_tuple))), 0,
- "failed to allocate memory\n");
- memset(esp_tuple, 0, sizeof(struct esp_tuple));
-
- // check if the anchor has a supported transform
- if (esp_prot_check_transform(tuple->connection->num_esp_prot_tfms,
- tuple->connection->esp_prot_tfms,
- prot_anchor->transform) >= 0) {
- // it's one of the supported and advertised transforms
- esp_tuple->esp_prot_tfm = prot_anchor->transform;
- HIP_DEBUG("using esp prot transform: %u\n",
esp_tuple->esp_prot_tfm);
-
- if (esp_tuple->esp_prot_tfm > ESP_PROT_TFM_UNUSED) {
- conntrack_tfm =
esp_prot_conntrack_resolve_transform(
- esp_tuple->esp_prot_tfm);
- hash_length = conntrack_tfm->hash_length;
- esp_tuple->hash_item_length =
ntohl(prot_anchor->hash_item_length);
-
- if (esp_tuple->esp_prot_tfm == ESP_PROT_TFM_TREE) {
- esp_tuple->hash_tree_depth = ceil(
- log_x(2, esp_tuple->hash_item_length));
- HIP_DEBUG("esp_tuple->hash_tree_depth: %i\n",
esp_tuple->hash_tree_depth);
-
- // compute full leaf set size
- esp_tuple->hash_item_length = pow(2,
ceil(esp_tuple->hash_tree_depth));
- HIP_DEBUG("esp_tuple->hash_item_length: %i\n",
esp_tuple->hash_item_length);
- }
-
- // store all contained anchors
- for (i = 0; i < num_parallel_hchains; i++) {
- if (!prot_anchor || prot_anchor->transform !=
esp_tuple->esp_prot_tfm) {
- // we expect an anchor and all anchors should have the
same transform
- err = -1;
- goto out_err;
- } else {
- // store peer_anchor
- memcpy(&esp_tuple->active_anchors[i][0],
&prot_anchor->anchors[0],
- hash_length);
- HIP_HEXDUMP("received anchor: ",
&esp_tuple->active_anchors[i][0],
- hash_length);
-
- // ...and make a backup of it for later verification
of UPDATEs
- memcpy(&esp_tuple->first_active_anchors[i][0],
&prot_anchor->anchors[0],
- hash_length);
- }
-
- // get next anchor
- param = hip_get_next_param(common, param);
- prot_anchor = (const struct esp_prot_anchor *) param;
- }
-
- // store number of parallel hchains
- esp_tuple->num_hchains = num_parallel_hchains;
-
- // add the tuple to this direction's esp_tuple list
- HIP_IFEL(!(tuple->esp_tuples =
append_to_slist(tuple->esp_tuples,
- esp_tuple)),
-1, "failed to insert esp_tuple\n");
+ if (hip_esp_protection) {
+ HIP_ASSERT(common != NULL);
+ HIP_ASSERT(tuple != NULL);
+
+ // check if message contains optional ESP protection anchors
+ if ((param = hip_get_param(common, HIP_PARAM_ESP_PROT_ANCHOR))) {
+ prot_anchor = (const struct esp_prot_anchor *) param;
+
+ /* create esp_tuple for direction of this message only storing
+ * the sent anchor, no SPI known yet -> will be sent in R2
+ *
+ * @note this needs to be done as SPIs are signaled in one
direction
+ * but used in the other while anchors are signaled and used
+ * in the same direction
+ */
+
+ /* check esp_tuple count for this direction, should be 0 */
+ HIP_IFEL(tuple->esp_tuples, -1,
+ "expecting empty esp_tuple list, but it is NOT\n");
+
+ HIP_IFEL(!(esp_tuple = malloc(sizeof(struct esp_tuple))), 0,
+ "failed to allocate memory\n");
+ memset(esp_tuple, 0, sizeof(struct esp_tuple));
+
+ // check if the anchor has a supported transform
+ if (esp_prot_check_transform(tuple->connection->num_esp_prot_tfms,
+ tuple->connection->esp_prot_tfms,
+ prot_anchor->transform) >= 0) {
+ // it's one of the supported and advertised transforms
+ esp_tuple->esp_prot_tfm = prot_anchor->transform;
+ HIP_DEBUG("using esp prot transform: %u\n",
esp_tuple->esp_prot_tfm);
+
+ if (esp_tuple->esp_prot_tfm > ESP_PROT_TFM_UNUSED) {
+ conntrack_tfm =
esp_prot_conntrack_resolve_transform(
+ esp_tuple->esp_prot_tfm);
+ hash_length = conntrack_tfm->hash_length;
+ esp_tuple->hash_item_length =
ntohl(prot_anchor->hash_item_length);
+
+ if (esp_tuple->esp_prot_tfm == ESP_PROT_TFM_TREE) {
+ esp_tuple->hash_tree_depth = ceil(
+ log_x(2, esp_tuple->hash_item_length));
+ HIP_DEBUG("esp_tuple->hash_tree_depth: %i\n",
esp_tuple->hash_tree_depth);
+
+ // compute full leaf set size
+ esp_tuple->hash_item_length = pow(2,
ceil(esp_tuple->hash_tree_depth));
+ HIP_DEBUG("esp_tuple->hash_item_length: %i\n",
esp_tuple->hash_item_length);
+ }
+
+ // store all contained anchors
+ for (i = 0; i < num_parallel_hchains; i++) {
+ if (!prot_anchor || prot_anchor->transform !=
esp_tuple->esp_prot_tfm) {
+ // we expect an anchor and all anchors should have
the same transform
+ err = -1;
+ goto out_err;
+ } else {
+ // store peer_anchor
+ memcpy(&esp_tuple->active_anchors[i][0],
&prot_anchor->anchors[0],
+ hash_length);
+ HIP_HEXDUMP("received anchor: ",
&esp_tuple->active_anchors[i][0],
+ hash_length);
+
+ // ...and make a backup of it for later
verification of UPDATEs
+ memcpy(&esp_tuple->first_active_anchors[i][0],
&prot_anchor->anchors[0],
+ hash_length);
+ }
+
+ // get next anchor
+ param = hip_get_next_param(common, param);
+ prot_anchor = (const struct esp_prot_anchor *) param;
+ }
+
+ // store number of parallel hchains
+ esp_tuple->num_hchains = num_parallel_hchains;
+
+ // add the tuple to this direction's esp_tuple list
+ HIP_IFEL(!(tuple->esp_tuples =
append_to_slist(tuple->esp_tuples,
+
esp_tuple)), -1, "failed to insert esp_tuple\n");
+ } else {
+ HIP_DEBUG("received anchor with non-matching transform,
DROPPING\n");
+
+ err = 1;
+ goto out_err;
+ }
} else {
- HIP_DEBUG("received anchor with non-matching transform,
DROPPING\n");
+ HIP_ERROR("received anchor with unknown transform,
DROPPING\n");
err = 1;
goto out_err;
}
- } else {
- HIP_ERROR("received anchor with unknown transform, DROPPING\n");
- err = 1;
- goto out_err;
+ // finally init the anchor cache needed for tracking UPDATEs
+ hip_ll_init(&esp_tuple->anchor_cache);
}
-
- // finally init the anchor cache needed for tracking UPDATEs
- hip_ll_init(&esp_tuple->anchor_cache);
}
out_err:
@@ -731,20 +731,20 @@
struct esp_tuple *esp_tuple = NULL;
int err = 0;
- HIP_DEBUG("\n");
-
- /* normally there should NOT be any esp_tuple for the other direction yet,
- * but when tracking anchor elements, the other one was already set up
- * when handling the I2 */
- if (other_dir_esps) {
- /* there should only be one esp_tuple in the other direction's
esp_tuple
- * list */
- HIP_IFEL(other_dir_esps->next, -1,
- "expecting 1 esp_tuple in the list, but there are several\n");
-
- // get the esp_tuple for the other direction
- HIP_IFEL(!(esp_tuple = other_dir_esps->data), -1,
- "expecting 1 esp_tuple in the list, but there is NONE\n");
+ if (hip_esp_protection) {
+ /* normally there should NOT be any esp_tuple for the other direction
yet,
+ * but when tracking anchor elements, the other one was already set up
+ * when handling the I2 */
+ if (other_dir_esps) {
+ /* there should only be one esp_tuple in the other direction's
esp_tuple
+ * list */
+ HIP_IFEL(other_dir_esps->next, -1,
+ "expecting 1 esp_tuple in the list, but there are
several\n");
+
+ // get the esp_tuple for the other direction
+ HIP_IFEL(!(esp_tuple = other_dir_esps->data), -1,
+ "expecting 1 esp_tuple in the list, but there is NONE\n");
+ }
}
out_err:
@@ -774,86 +774,86 @@
int hash_length = 0;
int err = 0;
- HIP_DEBUG("\n");
-
- HIP_ASSERT(common != NULL);
- HIP_ASSERT(tuple != NULL);
-
- // check if message contains optional ESP protection anchor
- if ((param = hip_get_param(common, HIP_PARAM_ESP_PROT_ANCHOR))) {
- prot_anchor = (const struct esp_prot_anchor *) param;
-
- // check if the anchor has a supported transform
- if (esp_prot_check_transform(tuple->connection->num_esp_prot_tfms,
- tuple->connection->esp_prot_tfms,
- prot_anchor->transform) >= 0) {
- // for BEX there should be only one ESP tuple for this direction
- HIP_IFEL(tuple->esp_tuples->next, -1,
- "expecting 1 esp_tuple in the list, but there are
several\n");
-
- HIP_IFEL(!(esp_tuple = (struct esp_tuple *)
tuple->esp_tuples->data), -1,
- "expecting 1 esp_tuple in the list, but there is NONE\n");
-
- esp_tuple->esp_prot_tfm = prot_anchor->transform;
- HIP_DEBUG("using esp prot transform: %u\n",
esp_tuple->esp_prot_tfm);
-
- if (esp_tuple->esp_prot_tfm > ESP_PROT_TFM_UNUSED) {
- conntrack_tfm =
esp_prot_conntrack_resolve_transform(
- esp_tuple->esp_prot_tfm);
- hash_length = conntrack_tfm->hash_length;
-
- esp_tuple->hash_item_length =
ntohl(prot_anchor->hash_item_length);
-
- if (esp_tuple->esp_prot_tfm == ESP_PROT_TFM_TREE) {
- esp_tuple->hash_tree_depth = ceil(
- log_x(2, esp_tuple->hash_item_length));
- HIP_DEBUG("esp_tuple->hash_tree_depth: %i\n",
esp_tuple->hash_tree_depth);
-
- // compute full leaf set size
- esp_tuple->hash_item_length = pow(2,
esp_tuple->hash_tree_depth);
- HIP_DEBUG("esp_tuple->hash_item_length: %i\n",
esp_tuple->hash_item_length);
- }
-
- // store all contained anchors
- for (i = 0; i < num_parallel_hchains; i++) {
- if (!prot_anchor || prot_anchor->transform !=
esp_tuple->esp_prot_tfm) {
- // we expect an anchor and all anchors should have the
same transform
- err = -1;
- goto out_err;
- } else {
- // store peer_anchor
- memcpy(&esp_tuple->active_anchors[i][0],
&prot_anchor->anchors[0],
- hash_length);
- HIP_HEXDUMP("received anchor: ",
&esp_tuple->active_anchors[i][0],
- hash_length);
-
- // ...and make a backup of it for later verification
of UPDATEs
- memcpy(&esp_tuple->first_active_anchors[i][0],
&prot_anchor->anchors[0],
- hash_length);
- }
-
- // get next anchor
- param = hip_get_next_param(common, param);
- prot_anchor = (const struct esp_prot_anchor *) param;
- }
-
- // store number of parallel hchains
- esp_tuple->num_hchains = num_parallel_hchains;
+ if (hip_esp_protection) {
+ HIP_ASSERT(common != NULL);
+ HIP_ASSERT(tuple != NULL);
+
+ // check if message contains optional ESP protection anchor
+ if ((param = hip_get_param(common, HIP_PARAM_ESP_PROT_ANCHOR))) {
+ prot_anchor = (const struct esp_prot_anchor *) param;
+
+ // check if the anchor has a supported transform
+ if (esp_prot_check_transform(tuple->connection->num_esp_prot_tfms,
+ tuple->connection->esp_prot_tfms,
+ prot_anchor->transform) >= 0) {
+ // for BEX there should be only one ESP tuple for this
direction
+ HIP_IFEL(tuple->esp_tuples->next, -1,
+ "expecting 1 esp_tuple in the list, but there are
several\n");
+
+ HIP_IFEL(!(esp_tuple = (struct esp_tuple *)
tuple->esp_tuples->data), -1,
+ "expecting 1 esp_tuple in the list, but there is
NONE\n");
+
+ esp_tuple->esp_prot_tfm = prot_anchor->transform;
+ HIP_DEBUG("using esp prot transform: %u\n",
esp_tuple->esp_prot_tfm);
+
+ if (esp_tuple->esp_prot_tfm > ESP_PROT_TFM_UNUSED) {
+ conntrack_tfm =
esp_prot_conntrack_resolve_transform(
+ esp_tuple->esp_prot_tfm);
+ hash_length = conntrack_tfm->hash_length;
+
+ esp_tuple->hash_item_length =
ntohl(prot_anchor->hash_item_length);
+
+ if (esp_tuple->esp_prot_tfm == ESP_PROT_TFM_TREE) {
+ esp_tuple->hash_tree_depth = ceil(
+ log_x(2, esp_tuple->hash_item_length));
+ HIP_DEBUG("esp_tuple->hash_tree_depth: %i\n",
esp_tuple->hash_tree_depth);
+
+ // compute full leaf set size
+ esp_tuple->hash_item_length = pow(2,
esp_tuple->hash_tree_depth);
+ HIP_DEBUG("esp_tuple->hash_item_length: %i\n",
esp_tuple->hash_item_length);
+ }
+
+ // store all contained anchors
+ for (i = 0; i < num_parallel_hchains; i++) {
+ if (!prot_anchor || prot_anchor->transform !=
esp_tuple->esp_prot_tfm) {
+ // we expect an anchor and all anchors should have
the same transform
+ err = -1;
+ goto out_err;
+ } else {
+ // store peer_anchor
+ memcpy(&esp_tuple->active_anchors[i][0],
&prot_anchor->anchors[0],
+ hash_length);
+ HIP_HEXDUMP("received anchor: ",
&esp_tuple->active_anchors[i][0],
+ hash_length);
+
+ // ...and make a backup of it for later
verification of UPDATEs
+ memcpy(&esp_tuple->first_active_anchors[i][0],
&prot_anchor->anchors[0],
+ hash_length);
+ }
+
+ // get next anchor
+ param = hip_get_next_param(common, param);
+ prot_anchor = (const struct esp_prot_anchor *) param;
+ }
+
+ // store number of parallel hchains
+ esp_tuple->num_hchains = num_parallel_hchains;
+ } else {
+ HIP_DEBUG("received anchor with non-matching transform,
DROPPING\n");
+
+ err = 1;
+ goto out_err;
+ }
} else {
- HIP_DEBUG("received anchor with non-matching transform,
DROPPING\n");
+ HIP_ERROR("received anchor with unknown transform,
DROPPING\n");
err = 1;
goto out_err;
}
- } else {
- HIP_ERROR("received anchor with unknown transform, DROPPING\n");
- err = 1;
- goto out_err;
+ // finally init the anchor cache needed for tracking UPDATEs
+ hip_ll_init(&esp_tuple->anchor_cache);
}
-
- // finally init the anchor cache needed for tracking UPDATEs
- hip_ll_init(&esp_tuple->anchor_cache);
}
out_err:
@@ -879,64 +879,64 @@
int err = 0;
long i = 0;
- HIP_DEBUG("\n");
-
- HIP_ASSERT(update != NULL);
- HIP_ASSERT(tuple != NULL);
-
- memset(esp_anchors, 0, MAX_NUM_PARALLEL_HCHAINS * sizeof(struct
esp_prot_anchor *));
- memset(esp_roots, 0, MAX_NUM_PARALLEL_HCHAINS * sizeof(struct
esp_prot_root *));
-
- seq = hip_get_param(update, HIP_PARAM_SEQ);
- esp_info = hip_get_param(update, HIP_PARAM_ESP_INFO);
- ack = hip_get_param(update, HIP_PARAM_ACK);
- // there might be several anchor elements
- param = hip_get_param(update, HIP_PARAM_ESP_PROT_ANCHOR);
-
- // distinguish packet types and process accordingly
- if (seq && !ack && !esp_info && param) {
- HIP_DEBUG("received 1. UPDATE packet of ANCHOR UPDATE\n");
-
- // get all anchors
- for (i = 0; i < num_parallel_hchains; i++) {
- esp_anchors[i] = (const struct esp_prot_anchor *) param;
-
- param = hip_get_next_param(update, param);
- }
-
- param = hip_get_param(update, HIP_PARAM_ESP_PROT_ROOT);
- if (param) {
- // get all roots
+ if (hip_esp_protection) {
+ HIP_ASSERT(update != NULL);
+ HIP_ASSERT(tuple != NULL);
+
+ memset(esp_anchors, 0, MAX_NUM_PARALLEL_HCHAINS * sizeof(struct
esp_prot_anchor *));
+ memset(esp_roots, 0, MAX_NUM_PARALLEL_HCHAINS * sizeof(struct
esp_prot_root *));
+
+ seq = hip_get_param(update, HIP_PARAM_SEQ);
+ esp_info = hip_get_param(update, HIP_PARAM_ESP_INFO);
+ ack = hip_get_param(update, HIP_PARAM_ACK);
+ // there might be several anchor elements
+ param = hip_get_param(update, HIP_PARAM_ESP_PROT_ANCHOR);
+
+ // distinguish packet types and process accordingly
+ if (seq && !ack && !esp_info && param) {
+ HIP_DEBUG("received 1. UPDATE packet of ANCHOR UPDATE\n");
+
+ // get all anchors
for (i = 0; i < num_parallel_hchains; i++) {
- esp_roots[i] = (const struct esp_prot_root *) param;
-
- param = hip_get_next_param(update, param);
- }
+ esp_anchors[i] = (const struct esp_prot_anchor *) param;
+
+ param = hip_get_next_param(update, param);
+ }
+
+ param = hip_get_param(update, HIP_PARAM_ESP_PROT_ROOT);
+ if (param) {
+ // get all roots
+ for (i = 0; i < num_parallel_hchains; i++) {
+ esp_roots[i] = (const struct esp_prot_root *) param;
+
+ param = hip_get_next_param(update, param);
+ }
+ }
+
+ // cache ANCHOR
+ HIP_IFEL(esp_prot_conntrack_cache_anchor(tuple, seq, esp_anchors,
esp_roots), -1,
+ "failed to cache ANCHOR parameter\n");
+ } else if (seq && ack && esp_info && param) {
+ /* either 2. UPDATE packet of mutual ANCHOR UPDATE or LOCATION
UPDATE */
+ // TODO implement
+
+ HIP_ERROR("not implemented yet\n");
+ err = -1;
+ } else if (!seq && ack && esp_info && !param) {
+ HIP_DEBUG("either received 2. UPDATE packet of ANCHOR UPDATE or 3.
of mutual one\n");
+
+ // lookup cached ANCHOR and update corresponding esp_tuple
+ HIP_IFEL(esp_prot_conntrack_update_anchor(tuple, ack, esp_info),
-1,
+ "failed to update anchor\n");
+ } else if (!seq && ack && esp_info && param) {
+ /* 3. UPDATE packet of LOCATION UPDATE */
+ // TODO implement
+
+ HIP_ERROR("not implemented yet\n");
+ err = -1;
+ } else {
+ HIP_DEBUG("unknown HIP-parameter combination, unhandled\n");
}
-
- // cache ANCHOR
- HIP_IFEL(esp_prot_conntrack_cache_anchor(tuple, seq, esp_anchors,
esp_roots), -1,
- "failed to cache ANCHOR parameter\n");
- } else if (seq && ack && esp_info && param) {
- /* either 2. UPDATE packet of mutual ANCHOR UPDATE or LOCATION UPDATE
*/
- // TODO implement
-
- HIP_ERROR("not implemented yet\n");
- err = -1;
- } else if (!seq && ack && esp_info && !param) {
- HIP_DEBUG("either received 2. UPDATE packet of ANCHOR UPDATE or 3. of
mutual one\n");
-
- // lookup cached ANCHOR and update corresponding esp_tuple
- HIP_IFEL(esp_prot_conntrack_update_anchor(tuple, ack, esp_info), -1,
- "failed to update anchor\n");
- } else if (!seq && ack && esp_info && param) {
- /* 3. UPDATE packet of LOCATION UPDATE */
- // TODO implement
-
- HIP_ERROR("not implemented yet\n");
- err = -1;
- } else {
- HIP_DEBUG("unknown HIP-parameter combination, unhandled\n");
}
out_err:
@@ -953,11 +953,13 @@
{
int err = 0, i;
- hip_ll_uninit(&esp_tuple->anchor_cache,
esp_prot_conntrack_free_cached_item);
+ if (hip_esp_protection) {
+ hip_ll_uninit(&esp_tuple->anchor_cache,
esp_prot_conntrack_free_cached_item);
- for (i = 0; i < esp_tuple->num_hchains; i++) {
- free(esp_tuple->active_roots[i]);
- free(esp_tuple->next_roots[i]);
+ for (i = 0; i < esp_tuple->num_hchains; i++) {
+ free(esp_tuple->active_roots[i]);
+ free(esp_tuple->next_roots[i]);
+ }
}
return err;
@@ -988,89 +990,89 @@
int err = 0;
long i;
- HIP_DEBUG("\n");
-
- HIP_ASSERT(ip6_src != NULL);
- HIP_ASSERT(ip6_dst != NULL);
- HIP_ASSERT(common != NULL);
- HIP_ASSERT(tuple != NULL);
-
- HIP_DEBUG("handling light update...\n");
-
- // get params from UPDATE message
- seq = hip_get_param(common, HIP_PARAM_SEQ);
- ack = hip_get_param(common, HIP_PARAM_ACK);
-
- if (seq) {
- HIP_DEBUG("received ANCHOR packet of LIGHT UPDATE\n");
-
- param = hip_get_param(common, HIP_PARAM_ESP_PROT_ANCHOR);
- for (i = 0; i < num_parallel_hchains; i++) {
- esp_anchors[i] = (const struct esp_prot_anchor *) param;
-
- param = hip_get_next_param(common, param);
- }
-
- param = hip_get_param(common, HIP_PARAM_ESP_PROT_BRANCH);
- for (i = 0; i < num_parallel_hchains; i++) {
- esp_branches[i] = (const struct esp_prot_branch *) param;
-
- param = hip_get_next_param(common, param);
- }
-
- param = hip_get_param(common, HIP_PARAM_ESP_PROT_SECRET);
- for (i = 0; i < num_parallel_hchains; i++) {
- esp_secrets[i] = (const struct esp_prot_secret *) param;
-
- param = hip_get_next_param(common, param);
- }
-
- param = hip_get_param(common, HIP_PARAM_ESP_PROT_ROOT);
- if (param) {
- for (i = 0; i < num_parallel_hchains; i++) {
- esp_roots[i] = (const struct esp_prot_root *) param;
-
- param = hip_get_next_param(common, param);
- }
+ if (hip_esp_protection) {
+ HIP_ASSERT(ip6_src != NULL);
+ HIP_ASSERT(ip6_dst != NULL);
+ HIP_ASSERT(common != NULL);
+ HIP_ASSERT(tuple != NULL);
+
+ HIP_DEBUG("handling light update...\n");
+
+ // get params from UPDATE message
+ seq = hip_get_param(common, HIP_PARAM_SEQ);
+ ack = hip_get_param(common, HIP_PARAM_ACK);
+
+ if (seq) {
+ HIP_DEBUG("received ANCHOR packet of LIGHT UPDATE\n");
+
+ param = hip_get_param(common, HIP_PARAM_ESP_PROT_ANCHOR);
+ for (i = 0; i < num_parallel_hchains; i++) {
+ esp_anchors[i] = (const struct esp_prot_anchor *) param;
+
+ param = hip_get_next_param(common, param);
+ }
+
+ param = hip_get_param(common, HIP_PARAM_ESP_PROT_BRANCH);
+ for (i = 0; i < num_parallel_hchains; i++) {
+ esp_branches[i] = (const struct esp_prot_branch *) param;
+
+ param = hip_get_next_param(common, param);
+ }
+
+ param = hip_get_param(common, HIP_PARAM_ESP_PROT_SECRET);
+ for (i = 0; i < num_parallel_hchains; i++) {
+ esp_secrets[i] = (const struct esp_prot_secret *) param;
+
+ param = hip_get_next_param(common, param);
+ }
+
+ param = hip_get_param(common, HIP_PARAM_ESP_PROT_ROOT);
+ if (param) {
+ for (i = 0; i < num_parallel_hchains; i++) {
+ esp_roots[i] = (const struct esp_prot_root *) param;
+
+ param = hip_get_next_param(common, param);
+ }
+ } else {
+ memset(esp_roots, 0, MAX_NUM_PARALLEL_HCHAINS * sizeof(struct
esp_prot_root *));
+ }
+
+ HIP_DEBUG("seq->update_id: %u\n", ntohl(seq->update_id));
+ HIP_DEBUG("tuple->lupdate_seq: %u\n", tuple->lupdate_seq);
+
+ // track SEQ
+ if (ntohl(seq->update_id) < tuple->lupdate_seq) {
+ HIP_DEBUG("old light update\n");
+
+ err = -1;
+ goto out_err;
+ } else {
+ HIP_DEBUG("new light update\n");
+
+ tuple->lupdate_seq = ntohl(seq->update_id);
+ }
+
+ // verify tree
+ HIP_IFEL(esp_prot_conntrack_verify_branch(tuple, esp_anchors,
esp_branches,
+ esp_secrets), -1,
+ "failed to verify
branch\n");
+
+ // cache update_anchor and root
+ HIP_IFEL(esp_prot_conntrack_cache_anchor(tuple, seq, esp_anchors,
esp_roots), -1,
+ "failed to cache the anchor\n");
+ } else if (ack) {
+ HIP_DEBUG("received ACK packet of LIGHT UPDATE\n");
+
+ esp_info = hip_get_param(common, HIP_PARAM_ESP_INFO);
+
+ // lookup cached ANCHOR and update corresponding esp_tuple
+ HIP_IFEL(esp_prot_conntrack_update_anchor(tuple, ack, esp_info),
-1,
+ "failed to update anchor\n");
} else {
- memset(esp_roots, 0, MAX_NUM_PARALLEL_HCHAINS * sizeof(struct
esp_prot_root *));
- }
-
- HIP_DEBUG("seq->update_id: %u\n", ntohl(seq->update_id));
- HIP_DEBUG("tuple->lupdate_seq: %u\n", tuple->lupdate_seq);
-
- // track SEQ
- if (ntohl(seq->update_id) < tuple->lupdate_seq) {
- HIP_DEBUG("old light update\n");
+ HIP_DEBUG("unknown HIP-parameter combination, unhandled\n");
err = -1;
- goto out_err;
- } else {
- HIP_DEBUG("new light update\n");
-
- tuple->lupdate_seq = ntohl(seq->update_id);
}
-
- // verify tree
- HIP_IFEL(esp_prot_conntrack_verify_branch(tuple, esp_anchors,
esp_branches,
- esp_secrets), -1,
- "failed to verify branch\n");
-
- // cache update_anchor and root
- HIP_IFEL(esp_prot_conntrack_cache_anchor(tuple, seq, esp_anchors,
esp_roots), -1,
- "failed to cache the anchor\n");
- } else if (ack) {
- HIP_DEBUG("received ACK packet of LIGHT UPDATE\n");
-
- esp_info = hip_get_param(common, HIP_PARAM_ESP_INFO);
-
- // lookup cached ANCHOR and update corresponding esp_tuple
- HIP_IFEL(esp_prot_conntrack_update_anchor(tuple, ack, esp_info), -1,
- "failed to update anchor\n");
- } else {
- HIP_DEBUG("unknown HIP-parameter combination, unhandled\n");
-
- err = -1;
}
out_err:
@@ -1095,165 +1097,165 @@
int esp_len = 0, use_hash_trees = 0, active_hchain = 0, err = 0, i;
uint32_t num_verify = 0, current_seq = 0;
- HIP_DEBUG("\n");
-
- if (esp_tuple->esp_prot_tfm > ESP_PROT_TFM_UNUSED) {
- conntrack_tfm = esp_prot_conntrack_resolve_transform(
- esp_tuple->esp_prot_tfm);
-
- esp = ctx->transport_hdr.esp;
- esp_len = ctx->ipq_packet->data_len - ctx->ip_hdr_len;
- if (ctx->udp_encap_hdr) {
- esp_len -= sizeof(struct udphdr);
- }
-
- // received seq no
- current_seq = ntohl(esp->esp_seq);
-
- HIP_DEBUG("stored seq no: %u\n", esp_tuple->seq_no);
- HIP_DEBUG("received seq no: %u\n", current_seq);
-
- HIP_DEBUG("esp_tuple->num_hchains: %i\n", esp_tuple->num_hchains);
-
- /** NOTE: seq no counting starts with 1 for first packet, but first
hchain with
- * has index 0 */
- active_hchain = (current_seq - 1) % esp_tuple->num_hchains;
- HIP_DEBUG("active_hchain: %i\n", active_hchain);
-
- if (esp_tuple->esp_prot_tfm == ESP_PROT_TFM_TREE) {
- use_hash_trees = 1;
-
- /* check ESP protection anchor if extension is in use */
- HIP_IFEL((err =
esp_prot_verify_htree_element(conntrack_tfm->hash_function,
-
conntrack_tfm->hash_length, esp_tuple->hash_tree_depth,
-
&esp_tuple->active_anchors[active_hchain][0],
-
&esp_tuple->next_anchors[active_hchain][0],
-
esp_tuple->active_roots[active_hchain],
-
esp_tuple->active_root_length,
-
esp_tuple->next_roots[active_hchain],
-
esp_tuple->next_root_length[active_hchain],
- ((unsigned char *)
esp) + sizeof(struct hip_esp))) < 0, -1,
- "failed to verify ESP protection hash\n");
- } else {
- /* calculate difference of SEQ no in order to determine how many
hashes
- * we have to calculate */
- if (ntohl(esp->esp_seq) - esp_tuple->seq_no > 0 &&
- ntohl(esp->esp_seq) - esp_tuple->seq_no <=
(unsigned)window_size) {
- HIP_DEBUG("seq number within verification window\n");
-
- num_verify = ntohl(esp->esp_seq) - esp_tuple->seq_no;
+ if (hip_esp_protection) {
+ if (esp_tuple->esp_prot_tfm > ESP_PROT_TFM_UNUSED) {
+ conntrack_tfm = esp_prot_conntrack_resolve_transform(
+ esp_tuple->esp_prot_tfm);
+
+ esp = ctx->transport_hdr.esp;
+ esp_len = ctx->ipq_packet->data_len - ctx->ip_hdr_len;
+ if (ctx->udp_encap_hdr) {
+ esp_len -= sizeof(struct udphdr);
+ }
+
+ // received seq no
+ current_seq = ntohl(esp->esp_seq);
+
+ HIP_DEBUG("stored seq no: %u\n", esp_tuple->seq_no);
+ HIP_DEBUG("received seq no: %u\n", current_seq);
+
+ HIP_DEBUG("esp_tuple->num_hchains: %i\n", esp_tuple->num_hchains);
+
+ /** NOTE: seq no counting starts with 1 for first packet, but
first hchain with
+ * has index 0 */
+ active_hchain = (current_seq - 1) % esp_tuple->num_hchains;
+ HIP_DEBUG("active_hchain: %i\n", active_hchain);
+
+ if (esp_tuple->esp_prot_tfm == ESP_PROT_TFM_TREE) {
+ use_hash_trees = 1;
/* check ESP protection anchor if extension is in use */
- HIP_IFEL((err =
esp_prot_verify_hchain_element(conntrack_tfm->hash_function,
-
conntrack_tfm->hash_length,
-
&esp_tuple->active_anchors[active_hchain][0],
-
&esp_tuple->next_anchors[active_hchain][0],
- ((unsigned char
*) esp) + sizeof(struct hip_esp),
- num_verify,
-
esp_tuple->active_roots[active_hchain],
-
esp_tuple->active_root_length,
-
esp_tuple->next_roots[active_hchain],
-
esp_tuple->next_root_length[active_hchain])) < 0, -1,
+ HIP_IFEL((err =
esp_prot_verify_htree_element(conntrack_tfm->hash_function,
+
conntrack_tfm->hash_length, esp_tuple->hash_tree_depth,
+
&esp_tuple->active_anchors[active_hchain][0],
+
&esp_tuple->next_anchors[active_hchain][0],
+
esp_tuple->active_roots[active_hchain],
+
esp_tuple->active_root_length,
+
esp_tuple->next_roots[active_hchain],
+
esp_tuple->next_root_length[active_hchain],
+ ((unsigned char
*) esp) + sizeof(struct hip_esp))) < 0, -1,
"failed to verify ESP protection hash\n");
- } else if ((esp_tuple->esp_prot_tfm == ESP_PROT_TFM_CUMULATIVE
- || esp_tuple->esp_prot_tfm == ESP_PROT_TFM_PARA_CUMUL)
- && esp_tuple->seq_no - ntohl(esp->esp_seq) > 0) {
- /* check for authed packet in cumulative authentication mode
when
- * we received a previous packet (reordering) */
-
- HIP_DEBUG("doing cumulative authentication for received
packet...\n");
-
- // get hash at corresponding offset in the ring-buffer
- cached_element = &esp_tuple->hash_buffer[ntohl(esp->esp_seq) %
ring_buffer_size];
-
- if (cached_element->seq == ntohl(esp->esp_seq)) {
- conntrack_tfm->hash_function((unsigned char *) esp,
esp_len, packet_hash);
-
- if (memcmp(cached_element->packet_hash, packet_hash,
conntrack_tfm->hash_length)) {
- HIP_DEBUG("unable to verify packet with cumulative
authentication\n");
+ } else {
+ /* calculate difference of SEQ no in order to determine how
many hashes
+ * we have to calculate */
+ if (ntohl(esp->esp_seq) - esp_tuple->seq_no > 0 &&
+ ntohl(esp->esp_seq) - esp_tuple->seq_no <=
(unsigned)window_size) {
+ HIP_DEBUG("seq number within verification window\n");
+
+ num_verify = ntohl(esp->esp_seq) - esp_tuple->seq_no;
+
+ /* check ESP protection anchor if extension is in use */
+ HIP_IFEL((err =
esp_prot_verify_hchain_element(conntrack_tfm->hash_function,
+
conntrack_tfm->hash_length,
+
&esp_tuple->active_anchors[active_hchain][0],
+
&esp_tuple->next_anchors[active_hchain][0],
+ ((unsigned
char *) esp) + sizeof(struct hip_esp),
+ num_verify,
+
esp_tuple->active_roots[active_hchain],
+
esp_tuple->active_root_length,
+
esp_tuple->next_roots[active_hchain],
+
esp_tuple->next_root_length[active_hchain])) < 0, -1,
+ "failed to verify ESP protection hash\n");
+ } else if ((esp_tuple->esp_prot_tfm == ESP_PROT_TFM_CUMULATIVE
+ || esp_tuple->esp_prot_tfm ==
ESP_PROT_TFM_PARA_CUMUL)
+ && esp_tuple->seq_no - ntohl(esp->esp_seq) > 0) {
+ /* check for authed packet in cumulative authentication
mode when
+ * we received a previous packet (reordering) */
+
+ HIP_DEBUG("doing cumulative authentication for received
packet...\n");
+
+ // get hash at corresponding offset in the ring-buffer
+ cached_element =
&esp_tuple->hash_buffer[ntohl(esp->esp_seq) % ring_buffer_size];
+
+ if (cached_element->seq == ntohl(esp->esp_seq)) {
+ conntrack_tfm->hash_function((unsigned char *) esp,
esp_len, packet_hash);
+
+ if (memcmp(cached_element->packet_hash, packet_hash,
conntrack_tfm->hash_length)) {
+ HIP_DEBUG("unable to verify packet with cumulative
authentication\n");
+
+ err = -1;
+ goto out_err;
+ } else {
+ HIP_DEBUG("packet verified with cumulative
authentication\n");
+
+ // cache packet hashes of previous packets below
+ }
+ } else {
+ HIP_DEBUG("no authentication state for currently
received packet\n");
err = -1;
goto out_err;
- } else {
- HIP_DEBUG("packet verified with cumulative
authentication\n");
-
- // cache packet hashes of previous packets below
}
} else {
- HIP_DEBUG("no authentication state for currently received
packet\n");
+ /* the difference either is so big that the packet would
not be verified
+ * or we received the current anchor element again */
+ HIP_DEBUG("seq no. difference == 0, higher than
DEFAULT_VERIFY_WINDOW or further behind than IPsec replay window/no cumulative
authentication\n");
err = -1;
goto out_err;
}
- } else {
- /* the difference either is so big that the packet would not
be verified
- * or we received the current anchor element again */
- HIP_DEBUG("seq no. difference == 0, higher than
DEFAULT_VERIFY_WINDOW or further behind than IPsec replay window/no cumulative
authentication\n");
-
- err = -1;
- goto out_err;
- }
-
- if (esp_tuple->esp_prot_tfm == ESP_PROT_TFM_CUMULATIVE ||
esp_tuple->esp_prot_tfm == ESP_PROT_TFM_PARA_CUMUL) {
- // track hashes of cumulative authentication mode if packet
was authed
- cumulative_ptr = (struct esp_cumulative_item *) (((unsigned
char *) esp) + sizeof(struct hip_esp) + conntrack_tfm->hash_length);
-
- for (i = 0; i < num_linear_elements + num_random_elements;
i++) {
- HIP_DEBUG("cumulative_ptr[i].seq: %u\n",
cumulative_ptr[i].seq);
-
- // keep the buffer filled with fresh elements only
- if (cumulative_ptr[i].seq >
esp_tuple->hash_buffer[cumulative_ptr[i].seq % ring_buffer_size].seq) {
- memcpy(&esp_tuple->hash_buffer[cumulative_ptr[i].seq %
ring_buffer_size],
- &cumulative_ptr[i],
- sizeof(struct esp_cumulative_item));
-
- HIP_DEBUG("cached cumulative token with SEQ: %u\n",
cumulative_ptr[i].seq);
- HIP_HEXDUMP("token: ", cumulative_ptr[i].packet_hash,
conntrack_tfm->hash_length);
+
+ if (esp_tuple->esp_prot_tfm == ESP_PROT_TFM_CUMULATIVE ||
esp_tuple->esp_prot_tfm == ESP_PROT_TFM_PARA_CUMUL) {
+ // track hashes of cumulative authentication mode if
packet was authed
+ cumulative_ptr = (struct esp_cumulative_item *)
(((unsigned char *) esp) + sizeof(struct hip_esp) + conntrack_tfm->hash_length);
+
+ for (i = 0; i < num_linear_elements + num_random_elements;
i++) {
+ HIP_DEBUG("cumulative_ptr[i].seq: %u\n",
cumulative_ptr[i].seq);
+
+ // keep the buffer filled with fresh elements only
+ if (cumulative_ptr[i].seq >
esp_tuple->hash_buffer[cumulative_ptr[i].seq % ring_buffer_size].seq) {
+
memcpy(&esp_tuple->hash_buffer[cumulative_ptr[i].seq % ring_buffer_size],
+ &cumulative_ptr[i],
+ sizeof(struct esp_cumulative_item));
+
+ HIP_DEBUG("cached cumulative token with SEQ:
%u\n", cumulative_ptr[i].seq);
+ HIP_HEXDUMP("token: ",
cumulative_ptr[i].packet_hash, conntrack_tfm->hash_length);
+ }
}
}
}
- }
-
- // this means there was a change in the anchors
- if (err > 0) {
- HIP_DEBUG("anchor change occurred for hchain[%i], handled now\n",
active_hchain);
-
- if (use_hash_trees) {
- // here we store roots, so we must NOT store hash token of
current ESP packet
- memcpy(&esp_tuple->active_anchors[active_hchain][0],
&esp_tuple->next_anchors[active_hchain][0],
- conntrack_tfm->hash_length);
- memcpy(&esp_tuple->first_active_anchors[active_hchain][0],
&esp_tuple->next_anchors[active_hchain][0],
- conntrack_tfm->hash_length);
- } else {
- // don't copy the next anchor, but the already verified hash
- memcpy( &esp_tuple->active_anchors[active_hchain][0],
((unsigned char *) esp) + sizeof(struct hip_esp),
- conntrack_tfm->hash_length);
- memcpy( &esp_tuple->first_active_anchors[active_hchain][0],
&esp_tuple->next_anchors[active_hchain][0],
- conntrack_tfm->hash_length);
+
+ // this means there was a change in the anchors
+ if (err > 0) {
+ HIP_DEBUG("anchor change occurred for hchain[%i], handled
now\n", active_hchain);
+
+ if (use_hash_trees) {
+ // here we store roots, so we must NOT store hash token of
current ESP packet
+ memcpy(&esp_tuple->active_anchors[active_hchain][0],
&esp_tuple->next_anchors[active_hchain][0],
+ conntrack_tfm->hash_length);
+ memcpy(&esp_tuple->first_active_anchors[active_hchain][0],
&esp_tuple->next_anchors[active_hchain][0],
+ conntrack_tfm->hash_length);
+ } else {
+ // don't copy the next anchor, but the already verified
hash
+ memcpy( &esp_tuple->active_anchors[active_hchain][0],
((unsigned char *) esp) + sizeof(struct hip_esp),
+ conntrack_tfm->hash_length);
+ memcpy(
&esp_tuple->first_active_anchors[active_hchain][0],
&esp_tuple->next_anchors[active_hchain][0],
+ conntrack_tfm->hash_length);
+ }
+
+ // change roots
+ /* the BEX-store does not have hierarchies, so no root is used
for
+ * the first hchain */
+ free(esp_tuple->active_roots[active_hchain]);
+ esp_tuple->active_roots[active_hchain] =
esp_tuple->next_roots[active_hchain];
+ esp_tuple->next_roots[active_hchain] = NULL;
+ esp_tuple->active_root_length =
esp_tuple->next_root_length[active_hchain];
+ esp_tuple->next_root_length[active_hchain] = 0;
+
+ HIP_DEBUG("esp_tuple->active_root_length: %i\n",
+ esp_tuple->active_root_length);
+ HIP_HEXDUMP("esp_tuple->active_root: ",
esp_tuple->active_roots[active_hchain],
+ esp_tuple->active_root_length);
+
+ // no error case
+ err = 0;
}
-
- // change roots
- /* the BEX-store does not have hierarchies, so no root is used for
- * the first hchain */
- free(esp_tuple->active_roots[active_hchain]);
- esp_tuple->active_roots[active_hchain] =
esp_tuple->next_roots[active_hchain];
- esp_tuple->next_roots[active_hchain] = NULL;
- esp_tuple->active_root_length =
esp_tuple->next_root_length[active_hchain];
- esp_tuple->next_root_length[active_hchain] = 0;
-
- HIP_DEBUG("esp_tuple->active_root_length: %i\n",
- esp_tuple->active_root_length);
- HIP_HEXDUMP("esp_tuple->active_root: ",
esp_tuple->active_roots[active_hchain],
- esp_tuple->active_root_length);
-
- // no error case
+ } else {
+ HIP_DEBUG("esp protection extension UNUSED\n");
+
+ // this explicitly is no error condition
err = 0;
}
- } else {
- HIP_DEBUG("esp protection extension UNUSED\n");
-
- // this explicitly is no error condition
- err = 0;
}
out_err:
=== modified file 'firewall/firewall.c'
--- firewall/firewall.c 2011-01-04 17:33:32 +0000
+++ firewall/firewall.c 2011-01-06 11:30:37 +0000
@@ -137,7 +137,6 @@
/* extension-specific state */
static int hip_userspace_ipsec = 0;
-static int hip_esp_protection = 0;
static int restore_filter_traffic = HIP_FW_FILTER_TRAFFIC_BY_DEFAULT;
static int restore_accept_hip_esp_traffic =
HIP_FW_ACCEPT_HIP_ESP_TRAFFIC_BY_DEFAULT;
@@ -148,6 +147,7 @@
int hip_lsi_support = 0;
int system_based_opp_mode = 0;
int esp_relay = 0;
+int hip_esp_protection = 0;
#ifdef CONFIG_HIP_MIDAUTH
int use_midauth = 0;
#endif
@@ -299,16 +299,14 @@
{
int err = 0;
- if (hip_esp_protection) {
- // userspace ipsec is a prerequisite for esp protection
- if (hip_userspace_ipsec) {
+ // userspace ipsec is a prerequisite for esp protection
+ if (hip_esp_protection && hip_userspace_ipsec) {
HIP_IFEL(esp_prot_init(), -1, "failed to init esp protection\n");
- } else {
- HIP_ERROR("userspace ipsec needs to be turned on for this to
work\n");
+ } else {
+ HIP_ERROR("userspace ipsec needs to be turned on for this to work\n");
- err = 1;
- goto out_err;
- }
+ err = 1;
+ goto out_err;
}
out_err:
@@ -344,7 +342,7 @@
{
int err = 0;
- if (filter_traffic) {
+ if (hip_esp_protection && filter_traffic) {
HIP_IFEL(esp_prot_conntrack_init(), -1,
"failed to init esp protection conntracking\n");
}
@@ -362,7 +360,7 @@
{
int err = 0;
- if (filter_traffic) {
+ if (hip_esp_protection && filter_traffic) {
HIP_IFEL(esp_prot_conntrack_uninit(), -1,
"failed to uninit esp protection conntracking\n");
}
@@ -2004,7 +2002,6 @@
log_level = LOGDEBUG_ALL;
break;
case 'e':
- hip_userspace_ipsec = 1;
hip_esp_protection = 1;
break;
case 'f':
=== modified file 'firewall/firewall.h'
--- firewall/firewall.h 2010-12-27 14:44:02 +0000
+++ firewall/firewall.h 2011-01-06 11:30:37 +0000
@@ -33,6 +33,7 @@
extern int hip_kernel_ipsec_fallback;
extern int hip_lsi_support;
extern int esp_relay;
+extern int hip_esp_protection;
extern int use_midauth;
extern int hip_fw_sock;
extern int hip_fw_async_sock;
Other related posts:
