Imported Upstream version 5.3.1

11 files changed, 200 insertions, 65 deletions

diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c
index e6d571b83..d8ff6753f 100644
--- a/src/charon-tkm/src/tkm/tkm_id_manager.c
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.c
@@ -19,8 +19,6 @@
 #include <utils/debug.h>
 #include <threading/rwlock.h>
 
-#define TKM_LIMIT 100
-
 ENUM_BEGIN(tkm_context_kind_names, TKM_CTX_NONCE, TKM_CTX_ESA,
 	"NONCE_CONTEXT",
 	"DH_CONTEXT",
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index 734b1ec55..7a0672aa8 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -132,7 +132,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	}
 
 	esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
-	if (!tkm->sad->insert(tkm->sad, reqid, esa_id, local, peer, spi_rem,
+	if (!tkm->sad->insert(tkm->sad, esa_id, reqid, local, peer, spi_loc, spi_rem,
 						  protocol))
 	{
 		DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id);
@@ -164,6 +164,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			DBG1(DBG_KNL, "child SA (%llu, no PFS) creation failed", esa_id);
 			goto failure;
 		}
+		tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
 		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
 	}
 	/* creation of subsequent child SA with PFS: nonce and dh context are set */
@@ -176,6 +177,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			DBG1(DBG_KNL, "child SA (%llu) creation failed", esa_id);
 			goto failure;
 		}
+		tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
 		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
 	}
 	if (ike_esa_select(esa_id) != TKM_OK)
@@ -217,11 +219,22 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
-	esa_id_type esa_id;
+	esa_id_type esa_id, other_esa_id;
 
 	esa_id = tkm->sad->get_esa_id(tkm->sad, src, dst, spi, protocol);
 	if (esa_id)
 	{
+		other_esa_id = tkm->sad->get_other_esa_id(tkm->sad, esa_id);
+		if (other_esa_id)
+		{
+			DBG1(DBG_KNL, "selecting child SA (esa: %llu)", other_esa_id);
+			if (ike_esa_select(other_esa_id) != TKM_OK)
+			{
+				DBG1(DBG_KNL, "error selecting other child SA (esa: %llu)",
+						other_esa_id);
+			}
+		}
+
 		DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
 			 ntohl(spi));
 		if (ike_esa_reset(esa_id) != TKM_OK)
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
index 3394b58af..2556f6b8b 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
@@ -72,9 +72,14 @@ struct sad_entry_t {
 	host_t *dst;
 
 	/**
-	 * SPI of CHILD SA.
+	 * Local SPI of CHILD SA.
 	 */
-	u_int32_t spi;
+	u_int32_t spi_loc;
+
+	/**
+	 * Remote SPI of CHILD SA.
+	 */
+	u_int32_t spi_rem;
 
 	/**
 	 * Protocol of CHILD SA (ESP/AH).
@@ -97,7 +102,7 @@ static void sad_entry_destroy(sad_entry_t *entry)
 }
 
 /**
- * Find a list entry with given src, dst, spi and proto values.
+ * Find a list entry with given src, dst, (remote) spi and proto values.
  */
 static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src,
 							const host_t * const dst, const u_int32_t * const spi,
@@ -110,7 +115,7 @@ static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src,
 
 	return src->ip_equals(entry->src, (host_t *)src) &&
 		   dst->ip_equals(entry->dst, (host_t *)dst) &&
-		   entry->spi == *spi && entry->proto == *proto;
+		   entry->spi_rem == *spi && entry->proto == *proto;
 }
 
 /**
@@ -121,9 +126,29 @@ static bool sad_entry_match_dst(sad_entry_t * const entry,
 								const u_int32_t * const spi,
 								const u_int8_t * const proto)
 {
-	return entry->reqid == *reqid &&
-		   entry->spi   == *spi &&
-		   entry->proto == *proto;
+	return entry->reqid   == *reqid &&
+		   entry->spi_rem == *spi   &&
+		   entry->proto   == *proto;
+}
+
+/**
+ * Find a list entry with given esa id.
+ */
+static bool sad_entry_match_esa_id(sad_entry_t * const entry,
+								   const esa_id_type * const esa_id)
+{
+	return entry->esa_id == *esa_id;
+}
+
+/**
+ * Find a list entry with given reqid and different esa id.
+ */
+static bool sad_entry_match_other_esa(sad_entry_t * const entry,
+									  const esa_id_type * const esa_id,
+									  const u_int32_t * const reqid)
+{
+	return entry->reqid  == *reqid &&
+		   entry->esa_id != *esa_id;
 }
 
 /**
@@ -140,13 +165,15 @@ static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
 		   left->reqid == right->reqid &&
 		   left->src->ip_equals(left->src, right->src) &&
 		   left->dst->ip_equals(left->dst, right->dst) &&
-		   left->spi == right->spi && left->proto == right->proto;
+		   left->spi_loc == right->spi_loc &&
+		   left->spi_rem == right->spi_rem &&
+		   left->proto == right->proto;
 }
 
 METHOD(tkm_kernel_sad_t, insert, bool,
 	private_tkm_kernel_sad_t * const this, const esa_id_type esa_id,
 	const u_int32_t reqid, const host_t * const src, const host_t * const dst,
-	const u_int32_t spi, const u_int8_t proto)
+	const u_int32_t spi_loc, const u_int32_t spi_rem, const u_int8_t proto)
 {
 	status_t result;
 	sad_entry_t *new_entry;
@@ -156,7 +183,8 @@ METHOD(tkm_kernel_sad_t, insert, bool,
 		 .reqid = reqid,
 		 .src = (host_t *)src,
 		 .dst = (host_t *)dst,
-		 .spi = spi,
+		 .spi_loc = spi_loc,
+		 .spi_rem = spi_rem,
 		 .proto = proto,
 	);
 
@@ -167,8 +195,8 @@ METHOD(tkm_kernel_sad_t, insert, bool,
 	if (result == NOT_FOUND)
 	{
 		DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, reqid: %u, src: %H, "
-			 "dst: %H, spi: %x, proto: %u)", esa_id, reqid, src, dst,
-			 ntohl(spi), proto);
+			 "dst: %H, spi_loc: %x, spi_rem: %x,proto: %u)", esa_id, reqid, src,
+			 dst, ntohl(spi_loc), ntohl(spi_rem), proto);
 		new_entry->src = src->clone((host_t *)src);
 		new_entry->dst = dst->clone((host_t *)dst);
 		this->data->insert_last(this->data, new_entry);
@@ -209,6 +237,42 @@ METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
 	return id;
 }
 
+METHOD(tkm_kernel_sad_t, get_other_esa_id, esa_id_type,
+	private_tkm_kernel_sad_t * const this, const esa_id_type esa_id)
+{
+	esa_id_type id = 0;
+	sad_entry_t *entry = NULL;
+	u_int32_t reqid;
+	status_t res;
+
+	this->mutex->lock(this->mutex);
+	res = this->data->find_first(this->data,
+								 (linked_list_match_t)sad_entry_match_esa_id,
+								 (void**)&entry, &esa_id);
+	if (res == SUCCESS && entry)
+	{
+		reqid = entry->reqid;
+	}
+	else
+	{
+		DBG3(DBG_KNL, "no SAD entry found for ESA id %llu", esa_id);
+		this->mutex->unlock(this->mutex);
+		return id;
+	}
+
+	res = this->data->find_first(this->data,
+								 (linked_list_match_t)sad_entry_match_other_esa,
+								 (void**)&entry, &esa_id, &reqid);
+	if (res == SUCCESS && entry)
+	{
+		id = entry->esa_id;
+		DBG3(DBG_KNL, "returning ESA id %llu of other SAD entry with reqid %u",
+			 id, reqid);
+	}
+	this->mutex->unlock(this->mutex);
+	return id;
+}
+
 METHOD(tkm_kernel_sad_t, get_dst_host, host_t *,
 	private_tkm_kernel_sad_t * const this, const u_int32_t reqid,
 	const u_int32_t spi, const u_int8_t proto)
@@ -289,6 +353,7 @@ tkm_kernel_sad_t *tkm_kernel_sad_create()
 		.public = {
 			.insert = _insert,
 			.get_esa_id = _get_esa_id,
+			.get_other_esa_id = _get_other_esa_id,
 			.get_dst_host = _get_dst_host,
 			.remove = __remove,
 			.destroy = _destroy,
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
index 38b19dd01..3a84deffc 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.h
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
@@ -40,21 +40,22 @@ struct tkm_kernel_sad_t {
 	 * @param reqid			reqid of the SA
 	 * @param src			source address of CHILD SA
 	 * @param dst			destination address of CHILD SA
-	 * @param spi			SPI of CHILD SA
+	 * @param spi_loc		Local SPI of CHILD SA
+	 * @param spi_rem		Remote SPI of CHILD SA
 	 * @param proto			protocol of CHILD SA (ESP/AH)
 	 * @return				TRUE if entry was inserted, FALSE otherwise
 	 */
 	bool (*insert)(tkm_kernel_sad_t * const this, const esa_id_type esa_id,
 				   const u_int32_t reqid, const host_t * const src,
-				   const host_t * const dst, const u_int32_t spi,
-				   const u_int8_t proto);
+				   const host_t * const dst, const u_int32_t spi_loc,
+				   const u_int32_t spi_rem, const u_int8_t proto);
 
 	/**
 	 * Get ESA id for entry with given parameters.
 	 *
 	 * @param src			source address of CHILD SA
 	 * @param dst			destination address of CHILD SA
-	 * @param spi			SPI of CHILD SA
+	 * @param spi			Remote SPI of CHILD SA
 	 * @param proto			protocol of CHILD SA (ESP/AH)
 	 * @return				ESA id of entry if found, 0 otherwise
 	 */
@@ -63,10 +64,20 @@ struct tkm_kernel_sad_t {
 				 const u_int32_t spi, const u_int8_t proto);
 
 	/**
+	 * Get ESA id for entry associated with same security policy as the
+	 * specified ESA.
+	 *
+	 * @param esa_id		id of ESA identifying the security policy
+	 * @return				ESA id of entry if found, 0 otherwise
+	 */
+	esa_id_type (*get_other_esa_id)(tkm_kernel_sad_t * const this,
+									const esa_id_type esa_id);
+
+	/**
 	 * Get destination host for entry with given parameters.
 	 *
 	 * @param reqid			reqid of CHILD SA
-	 * @param spi			SPI of CHILD SA
+	 * @param spi			Remote SPI of CHILD SA
 	 * @param proto			protocol of CHILD SA (ESP/AH)
 	 * @return				destination host of entry if found, NULL otherwise
 	 */
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 80721fafe..1e1fa4f30 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -102,6 +102,7 @@ static void aead_create_from_keys(aead_t **in, aead_t **out,
 	*in = *out = NULL;
 	signer_t *signer_i, *signer_r;
 	crypter_t *crypter_i, *crypter_r;
+	iv_gen_t *ivg_i, *ivg_r;
 
 	signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
 	signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
@@ -145,15 +146,21 @@ static void aead_create_from_keys(aead_t **in, aead_t **out,
 		return;
 	}
 
+	ivg_i = iv_gen_create_for_alg(enc_alg);
+	ivg_r = iv_gen_create_for_alg(enc_alg);
+	if (!ivg_i || !ivg_r)
+	{
+		return;
+	}
 	if (initiator)
 	{
-		*in = aead_create(crypter_r, signer_r);
-		*out = aead_create(crypter_i, signer_i);
+		*in = aead_create(crypter_r, signer_r, ivg_r);
+		*out = aead_create(crypter_i, signer_i, ivg_i);
 	}
 	else
 	{
-		*in = aead_create(crypter_i, signer_i);
-		*out = aead_create(crypter_r, signer_r);
+		*in = aead_create(crypter_i, signer_i, ivg_i);
+		*out = aead_create(crypter_r, signer_r, ivg_r);
 	}
 }
 
diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c
index bb1218266..f57527602 100644
--- a/src/charon-tkm/src/tkm/tkm_listener.c
+++ b/src/charon-tkm/src/tkm/tkm_listener.c
@@ -14,6 +14,8 @@
  * for more details.
  */
 
+#include <stdarg.h>
+
 #include <daemon.h>
 #include <encoding/payloads/auth_payload.h>
 #include <utils/chunk.h>
@@ -209,6 +211,13 @@ METHOD(listener_t, alert, bool,
 	{
 		tkm_keymat_t *keymat;
 		isa_id_type isa_id;
+		int is_first;
+
+		is_first = va_arg(args, int);
+		if (!is_first)
+		{
+			return TRUE;
+		}
 
 		keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
 		isa_id = keymat->get_isa_id(keymat);
diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.c b/src/charon-tkm/src/tkm/tkm_nonceg.c
index a07326798..336f16ecd 100644
--- a/src/charon-tkm/src/tkm/tkm_nonceg.c
+++ b/src/charon-tkm/src/tkm/tkm_nonceg.c
@@ -33,23 +33,32 @@ struct private_tkm_nonceg_t {
 	tkm_nonceg_t public;
 
 	/**
-	 * Context id.
+	 * Nonce chunk.
 	 */
-	nc_id_type context_id;
-
+	chunk_t nonce;
 };
 
 METHOD(nonce_gen_t, get_nonce, bool,
 	private_tkm_nonceg_t *this, size_t size, u_int8_t *buffer)
 {
 	nonce_type nonce;
+	uint64_t nc_id;
+
+	nc_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_NONCE);
+	if (!nc_id)
+	{
+		return FALSE;
+	}
 
-	if (ike_nc_create(this->context_id, size, &nonce) != TKM_OK)
+	if (ike_nc_create(nc_id, size, &nonce) != TKM_OK)
 	{
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
 		return FALSE;
 	}
 
 	memcpy(buffer, &nonce.data, size);
+	this->nonce = chunk_clone(chunk_create(buffer, size));
+	tkm->chunk_map->insert(tkm->chunk_map, &this->nonce, nc_id);
 	return TRUE;
 }
 
@@ -57,24 +66,28 @@ METHOD(nonce_gen_t, allocate_nonce, bool,
 	private_tkm_nonceg_t *this, size_t size, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(size);
-	if (get_nonce(this, chunk->len, chunk->ptr))
-	{
-		tkm->chunk_map->insert(tkm->chunk_map, chunk, this->context_id);
-		return TRUE;
-	}
-	return FALSE;
+	return get_nonce(this, chunk->len, chunk->ptr);
 }
 
 METHOD(nonce_gen_t, destroy, void,
 	private_tkm_nonceg_t *this)
 {
-	free(this);
-}
+	uint64_t nc_id;
 
-METHOD(tkm_nonceg_t, get_id, nc_id_type,
-	private_tkm_nonceg_t *this)
-{
-	return this->context_id;
+	nc_id = tkm->chunk_map->get_id(tkm->chunk_map, &this->nonce);
+	if (nc_id)
+	{
+		DBG1(DBG_IKE, "resetting stale nonce context %llu", nc_id);
+
+		if (ike_nc_reset(nc_id) != TKM_OK)
+		{
+			DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
+		}
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
+		tkm->chunk_map->remove(tkm->chunk_map, &this->nonce);
+	}
+	chunk_free(&this->nonce);
+	free(this);
 }
 
 /*
@@ -91,16 +104,8 @@ tkm_nonceg_t *tkm_nonceg_create()
 				.allocate_nonce = _allocate_nonce,
 				.destroy = _destroy,
 			},
-			.get_id = _get_id,
 		},
-		.context_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_NONCE),
 	);
 
-	if (!this->context_id)
-	{
-		free(this);
-		return NULL;
-	}
-
 	return &this->public;
 }
diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.h b/src/charon-tkm/src/tkm/tkm_nonceg.h
index ceadb081f..d158551fe 100644
--- a/src/charon-tkm/src/tkm/tkm_nonceg.h
+++ b/src/charon-tkm/src/tkm/tkm_nonceg.h
@@ -36,14 +36,6 @@ struct tkm_nonceg_t {
 	 * Implements nonce_gen_t.
 	 */
 	nonce_gen_t nonce_gen;
-
-	/**
-	 * Get nonce context id.
-	 *
-	 * @return	context id of this nonce generator.
-	 */
-	nc_id_type (*get_id)(tkm_nonceg_t * const this);
-
 };
 
 /**
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
index b9ab3cb5e..2a033d237 100644
--- a/src/charon-tkm/tests/kernel_sad_tests.c
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -34,7 +34,7 @@ START_TEST(test_insert)
 	host_t *addr = host_create_from_string("127.0.0.1", 1024);
 	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
 
-	fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50),
+	fail_unless(sad->insert(sad, 1, 2, addr, addr, 27, 42, 50),
 				"Error inserting SAD entry");
 
 	sad->destroy(sad);
@@ -47,9 +47,9 @@ START_TEST(test_insert_duplicate)
 	host_t *addr = host_create_from_string("127.0.0.1", 1024);
 	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
 
-	fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50),
+	fail_unless(sad->insert(sad, 1, 2, addr, addr, 27, 42, 50),
 				"Error inserting SAD entry");
-	fail_if(sad->insert(sad, 1, 2, addr, addr, 42, 50),
+	fail_if(sad->insert(sad, 1, 2, addr, addr, 27, 42, 50),
 			"Expected error inserting duplicate entry");
 
 	sad->destroy(sad);
@@ -61,7 +61,7 @@ START_TEST(test_get_esa_id)
 {
 	host_t *addr = host_create_from_string("127.0.0.1", 1024);
 	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
-	fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
+	fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
 				"Error inserting SAD entry");
 	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
 				"Error getting esa id");
@@ -81,11 +81,42 @@ START_TEST(test_get_esa_id_nonexistent)
 }
 END_TEST
 
+START_TEST(test_get_other_esa_id)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
+				"Error inserting SAD entry");
+	fail_unless(sad->insert(sad, 24, 54, addr, addr, 27, 42, 50),
+				"Error inserting SAD entry");
+	fail_unless(sad->get_other_esa_id(sad, 23) == 24,
+				"Error getting other esa id");
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_get_other_esa_id_nonexistent)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->get_other_esa_id(sad, 1) == 0,
+				"Got other esa id for nonexistent SAD entry");
+	fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
+				"Error inserting SAD entry");
+	fail_unless(sad->get_other_esa_id(sad, 23) == 0,
+				"Got own esa id");
+
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
 START_TEST(test_get_dst_host)
 {
 	host_t *addr = host_create_from_string("127.0.0.1", 1024);
 	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
-	fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
+	fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
 				"Error inserting SAD entry");
 
 	host_t *dst = sad->get_dst_host(sad, 54, 42, 50);
@@ -108,7 +139,7 @@ START_TEST(test_remove)
 {
 	host_t *addr = host_create_from_string("127.0.0.1", 1024);
 	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
-	fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
+	fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
 				"Error inserting SAD entry");
 	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
 				"Error getting esa id");
@@ -151,6 +182,11 @@ Suite *make_kernel_sad_tests()
 	tcase_add_test(tc, test_get_esa_id_nonexistent);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("get_other_esa_id");
+	tcase_add_test(tc, test_get_other_esa_id);
+	tcase_add_test(tc, test_get_other_esa_id_nonexistent);
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("get_dst_host");
 	tcase_add_test(tc, test_get_dst_host);
 	tcase_add_test(tc, test_get_dst_host_nonexistent);
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index 889965a78..d087bee3f 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -46,7 +46,6 @@ START_TEST(test_derive_ike_keys)
 	fail_if(!ng, "Unable to create nonce generator");
 	fail_unless(ng->nonce_gen.allocate_nonce(&ng->nonce_gen, 32, &nonce),
 			"Unable to allocate nonce");
-	ng->nonce_gen.destroy(&ng->nonce_gen);
 
 	tkm_diffie_hellman_t *dh = tkm_diffie_hellman_create(MODP_4096_BIT);
 	fail_if(!dh, "Unable to create DH");
@@ -69,6 +68,7 @@ START_TEST(test_derive_ike_keys)
 	fail_if(aead->get_block_size(aead) != 16, "Block size mismatch %d",
 			aead->get_block_size(aead));
 
+	ng->nonce_gen.destroy(&ng->nonce_gen);
 	proposal->destroy(proposal);
 	dh->dh.destroy(&dh->dh);
 	ike_sa_id->destroy(ike_sa_id);
diff --git a/src/charon-tkm/tests/nonceg_tests.c b/src/charon-tkm/tests/nonceg_tests.c
index 6f524cb22..d150891eb 100644
--- a/src/charon-tkm/tests/nonceg_tests.c
+++ b/src/charon-tkm/tests/nonceg_tests.c
@@ -27,7 +27,6 @@ START_TEST(test_nonceg_creation)
 
 	ng = tkm_nonceg_create();
 	fail_if(ng == NULL, "Error creating tkm nonce generator");
-	fail_if(ng->get_id(ng) == 0, "Invalid context id (0)");
 
 	ng->nonce_gen.destroy(&ng->nonce_gen);
 }