Use independent address families for SP selector and template
This patch allows Security Policy selectors and templates to have
different address families, allowing for wildcard selectors, but
specified templates. This is required for IPsec tunnel mode to work
properly, as selectors match inner addresses (and thus must be dual
IPv4/IPv6), while templates match outer addresses.
Bug: 79384676
Test: CTS tests passing, ip xfrm monitor shows correct results
Change-Id: I60214e17f50f91deb1ffdc71158131d237d1e642
diff --git a/server/XfrmController.h b/server/XfrmController.h
index 96a2fae..851f976 100644
--- a/server/XfrmController.h
+++ b/server/XfrmController.h
@@ -103,7 +103,7 @@
};
// minimally sufficient structure to match either an SA or a Policy
-struct XfrmId {
+struct XfrmCommonInfo {
xfrm_address_t dstAddr; // network order
xfrm_address_t srcAddr;
int addrFamily; // AF_INET or AF_INET6
@@ -112,7 +112,7 @@
xfrm_mark mark;
};
-struct XfrmSaInfo : XfrmId {
+struct XfrmSaInfo : XfrmCommonInfo {
XfrmAlgo auth;
XfrmAlgo crypt;
XfrmAlgo aead;
@@ -121,6 +121,12 @@
XfrmEncap encap;
};
+struct XfrmSpInfo : XfrmSaInfo {
+ // Address family in XfrmCommonInfo used for template/SA matching, need separate addrFamily
+ // for selectors
+ int selAddrFamily; // AF_INET or AF_INET6
+};
+
class XfrmController {
public:
XfrmController();
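Review bot: `selAddrFamily` at line 36 has no default member initializer, so an `XfrmSpInfo` whose filler forgets to set it carries an indeterminate family into the selector; `int selAddrFamily = AF_UNSPEC; // AF_INET or AF_INET6, must be set by the filler` would turn that omission into a detectable value, assuming AF_UNSPEC is in scope in this header. XfrmSpInfo also inherits the algorithm fields of XfrmSaInfo (auth, crypt, aead, encap at lines 27-31), which a policy has no use for; if that is deliberate, a one-line comment on the struct saying why would spare the next reader the question. The comment at lines 34-35 would read more clearly as `// addrFamily in XfrmCommonInfo is the template/SA (outer) family; selectors match inner addresses and need their own family`.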
@@ -157,21 +163,22 @@
static netdutils::Status
ipSecRemoveTransportModeTransform(const android::base::unique_fd& socket);
- static netdutils::Status ipSecAddSecurityPolicy(int32_t transformId, int32_t direction,
+ static netdutils::Status ipSecAddSecurityPolicy(int32_t transformId, int32_t selAddrFamily,
+ int32_t direction,
const std::string& tmplSrcAddress,
const std::string& tmplDstAddress, int32_t spi,
int32_t markValue, int32_t markMask);
- static netdutils::Status ipSecUpdateSecurityPolicy(int32_t transformId, int32_t direction,
+ static netdutils::Status ipSecUpdateSecurityPolicy(int32_t transformId, int32_t selAddrFamily,
+ int32_t direction,
const std::string& tmplSrcAddress,
const std::string& tmplDstAddress,
int32_t spi, int32_t markValue,
int32_t markMask);
- static netdutils::Status ipSecDeleteSecurityPolicy(int32_t transformId, int32_t direction,
- const std::string& tmplSrcAddress,
- const std::string& tmplDstAddress,
- int32_t markValue, int32_t markMask);
+ static netdutils::Status ipSecDeleteSecurityPolicy(int32_t transformId, int32_t selAddrFamily,
+ int32_t direction, int32_t markValue,
+ int32_t markMask);
static int addVirtualTunnelInterface(const std::string& deviceName,
const std::string& localAddress,
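Review bot: The new `selAddrFamily` parameter on ipSecAddSecurityPolicy, ipSecUpdateSecurityPolicy and ipSecDeleteSecurityPolicy (lines 46, 52, 62) is a bare int32_t with no documented domain, and these are the public entry points, so the accepted values should be stated here and checked before the selector is built; the implementation is outside this diff. I would add above line 46: `// selAddrFamily: AF_INET or AF_INET6. The selector is a wildcard over that family; the template addresses are the outer addresses and may be of the other family.` and have the implementation return an error status for any other value rather than passing it through to the kernel.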
@@ -300,11 +307,13 @@
"is needed.");
#endif
- // helper function for filling in the XfrmId (and XfrmSaInfo) structure
- static netdutils::Status fillXfrmId(const std::string& sourceAddress,
- const std::string& destinationAddress, int32_t spi,
- int32_t markValue, int32_t markMask, int32_t transformId,
- XfrmId* xfrmId);
+ // helper functions for filling in the XfrmCommonInfo (and XfrmSaInfo) structure
+ static netdutils::Status fillXfrmCommonInfo(const std::string& sourceAddress,
+ const std::string& destinationAddress, int32_t spi,
+ int32_t markValue, int32_t markMask,
+ int32_t transformId, XfrmCommonInfo* info);
+ static netdutils::Status fillXfrmCommonInfo(int32_t spi, int32_t markValue, int32_t markMask,
+ int32_t transformId, XfrmCommonInfo* info);
// Top level functions for managing a Transport Mode Transform
static netdutils::Status addTransportModeTransform(const XfrmSaInfo& record);
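Review bot: The address-less overload of fillXfrmCommonInfo at lines 80-81 leaves unstated what it writes to dstAddr, srcAddr and addrFamily of the XfrmCommonInfo it fills, and the comment at line 75 only says "helper functions". Presumably it leaves the addresses zeroed for a wildcard selector, but that should be confirmed against the implementation, which is not in this diff. A comment on the overload such as `// Address-less variant for SP records: leaves dstAddr/srcAddr zeroed and addrFamily unset` would pin that down for callers.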
@@ -312,7 +321,7 @@
// TODO(messagerefactor): FACTOR OUT ALL MESSAGE BUILDING CODE BELOW HERE
// Shared between SA and SP
- static void fillXfrmSelector(const XfrmSaInfo& record, xfrm_selector* selector);
+ static void fillXfrmSelector(const int record, xfrm_selector* selector);
// Shared between Transport and Tunnel Mode
static int fillNlAttrXfrmAlgoEnc(const XfrmAlgo& in_algo, nlattr_algo_crypt* algo);
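Review bot: fillXfrmSelector's first parameter at line 88 is now an address family but is still named `record`, and the top-level `const` on a by-value parameter in a declaration is noise; `static void fillXfrmSelector(int selAddrFamily, xfrm_selector* selector);` says what the value is. The "Shared between SA and SP" comment at line 86 is unchanged although SA callers, which previously passed an XfrmSaInfo, must now supply an address family; worth confirming those call sites were updated in the .cpp, which is not in this diff.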
@@ -326,33 +335,34 @@
static int fillUserSaInfo(const XfrmSaInfo& record, xfrm_usersa_info* usersa);
// Functions for deleting a Transport Mode SA
- static netdutils::Status deleteSecurityAssociation(const XfrmId& record,
+ static netdutils::Status deleteSecurityAssociation(const XfrmCommonInfo& record,
const XfrmSocket& sock);
- static int fillUserSaId(const XfrmId& record, xfrm_usersa_id* said);
- static int fillUserTemplate(const XfrmSaInfo& record, xfrm_user_tmpl* tmpl);
+ static int fillUserSaId(const XfrmCommonInfo& record, xfrm_usersa_id* said);
+ static int fillUserTemplate(const XfrmSpInfo& record, xfrm_user_tmpl* tmpl);
- static int fillTransportModeUserSpInfo(const XfrmSaInfo& record, XfrmDirection direction,
- xfrm_userpolicy_info* usersp);
- static int fillNlAttrUserTemplate(const XfrmSaInfo& record, nlattr_user_tmpl* tmpl);
- static int fillUserPolicyId(const XfrmSaInfo& record, XfrmDirection direction,
+ static int fillUserSpInfo(const XfrmSpInfo& record, XfrmDirection direction,
+ xfrm_userpolicy_info* usersp);
+ static int fillNlAttrUserTemplate(const XfrmSpInfo& record, nlattr_user_tmpl* tmpl);
+ static int fillUserPolicyId(const XfrmSpInfo& record, XfrmDirection direction,
xfrm_userpolicy_id* policy_id);
- static int fillNlAttrXfrmMark(const XfrmId& record, nlattr_xfrm_mark* mark);
+ static int fillNlAttrXfrmMark(const XfrmCommonInfo& record, nlattr_xfrm_mark* mark);
static int fillNlAttrXfrmOutputMark(const __u32 output_mark_value,
nlattr_xfrm_output_mark* output_mark);
static netdutils::Status allocateSpi(const XfrmSaInfo& record, uint32_t minSpi, uint32_t maxSpi,
uint32_t* outSpi, const XfrmSocket& sock);
- static netdutils::Status processSecurityPolicy(int32_t transformId, int32_t direction,
+ static netdutils::Status processSecurityPolicy(int32_t transformId, int32_t selAddrFamily,
+ int32_t direction,
const std::string& tmplSrcAddress,
const std::string& tmplDstAddress, int32_t spi,
int32_t markValue, int32_t markMask,
int32_t msgType);
- static netdutils::Status updateTunnelModeSecurityPolicy(const XfrmSaInfo& record,
+ static netdutils::Status updateTunnelModeSecurityPolicy(const XfrmSpInfo& record,
const XfrmSocket& sock,
XfrmDirection direction,
uint16_t msgType);
- static netdutils::Status deleteTunnelModeSecurityPolicy(const XfrmSaInfo& record,
+ static netdutils::Status deleteTunnelModeSecurityPolicy(const XfrmSpInfo& record,
const XfrmSocket& sock,
XfrmDirection direction);
static netdutils::Status flushInterfaces();
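Review bot: fillUserTemplate at line 100 now takes `const XfrmSpInfo&`, but per the commit message templates are built from the outer addresses, which live in XfrmCommonInfo; unless its implementation (outside this diff) reads SP-only fields, `static int fillUserTemplate(const XfrmCommonInfo& record, xfrm_user_tmpl* tmpl);` would be the narrower signature and would keep it reusable from SA code paths. The same consideration applies to fillNlAttrUserTemplate at line 107.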