authorYves-Alexis Perez <corsac@corsac.net>2017-09-01 17:21:25 +0200
committerYves-Alexis Perez <corsac@corsac.net>2017-09-01 17:21:25 +0200
commit11d6b62db969bdd808d0f56706cb18f113927a31 (patch)
tree8aa7d8fb611c3da6a3523cb78a082f62ffd0dac8 /src/libcharon/plugins/kernel_netlink
parentbba25e2ff6c4a193acb54560ea4417537bd2954e (diff)
New upstream version 5.6.0
Diffstat (limited to 'src/libcharon/plugins/kernel_netlink')
-rw-r--r--src/libcharon/plugins/kernel_netlink/Makefile.in8
-rw-r--r--src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c14
-rw-r--r--src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c14
3 files changed, 28 insertions, 8 deletions
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in
index 7f25c5202..8d653104e 100644
--- a/src/libcharon/plugins/kernel_netlink/Makefile.in
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.in
@@ -352,8 +352,6 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -454,6 +452,8 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
+ruby_CFLAGS = @ruby_CFLAGS@
+ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -482,6 +482,10 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
+tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
+tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index c411b829d..8ddaa71d3 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1141,7 +1141,7 @@ static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
private_kernel_netlink_ipsec_t *this)
{
- return KERNEL_ESP_V3_TFC;
+ return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI;
}
/**
@@ -2409,11 +2409,13 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
struct xfrm_user_tmpl *tmpl;
struct {
uint8_t proto;
+ uint32_t spi;
bool use;
} protos[] = {
- { IPPROTO_COMP, ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
- { IPPROTO_ESP, ipsec->cfg.esp.use },
- { IPPROTO_AH, ipsec->cfg.ah.use },
+ { IPPROTO_COMP, htonl(ntohs(ipsec->cfg.ipcomp.cpi)),
+ ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
+ { IPPROTO_ESP, ipsec->cfg.esp.spi, ipsec->cfg.esp.use },
+ { IPPROTO_AH, ipsec->cfg.ah.spi, ipsec->cfg.ah.use },
};
ipsec_mode_t proto_mode = ipsec->cfg.mode;
int count = 0;
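Review bot: The IPPROTO_COMP entry's `htonl(ntohs(ipsec->cfg.ipcomp.cpi))` deserves a comment, because it widens a 16-bit value through host byte order and a reader could mistake the double conversion for a bug. Something like `/* the 16-bit CPI is widened to a 32-bit network-order SPI for the template */` above that initializer would make the intent explicit; it would also help to state in the struct comment that `spi` is consumed only for outbound templates, if that is the intent of the later hunk. add_policy_internal starts before and continues after this hunk.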
@@ -2441,6 +2443,10 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
}
tmpl->reqid = ipsec->cfg.reqid;
tmpl->id.proto = protos[i].proto;
+ if (policy->direction == POLICY_OUT)
+ {
+ tmpl->id.spi = protos[i].spi;
+ }
tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
tmpl->mode = mode2kernel(proto_mode);
tmpl->optional = protos[i].proto == IPPROTO_COMP &&
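Review bot: `tmpl->id.spi` is assigned only when `policy->direction == POLICY_OUT`, so for inbound and forward policies the field keeps whatever the template buffer held before; whether that is guaranteed to be zero depends on how `tmpl` is initialised outside this hunk, which is not visible here. If the other directions are meant to match any SA, an explicit `else { tmpl->id.spi = 0; }` (or a comment saying the buffer is pre-zeroed) would make the template contents independent of the allocation path. The enclosing function add_policy_internal starts and ends outside this hunk.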
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
index cf85cb0a6..f3b5b1d4a 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -265,9 +265,10 @@ static bool read_and_queue(private_netlink_socket_t *this, bool block)
{
struct nlmsghdr *hdr;
char buf[this->buflen];
- ssize_t len;
+ ssize_t len, read_len;
+ bool wipe = FALSE;
- len = read_msg(this, buf, sizeof(buf), block);
+ len = read_len = read_msg(this, buf, sizeof(buf), block);
if (len == -1)
{
return TRUE;
@@ -277,6 +278,11 @@ static bool read_and_queue(private_netlink_socket_t *this, bool block)
hdr = (struct nlmsghdr*)buf;
while (NLMSG_OK(hdr, len))
{
+ if (this->protocol == NETLINK_XFRM &&
+ hdr->nlmsg_type == XFRM_MSG_NEWSA)
+ { /* wipe potential IPsec SA keys */
+ wipe = TRUE;
+ }
if (!queue(this, hdr))
{
break;
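Review bot: The `wipe` flag is derived per message while iterating, so when `queue()` fails and the loop breaks early, any XFRM_MSG_NEWSA still sitting later in `buf` has not been inspected and the buffer is left unwiped even though it may hold SA key material. On the break path the flag should be raised conservatively for XFRM sockets, e.g. `if (!queue(this, hdr)) { wipe = wipe || this->protocol == NETLINK_XFRM; break; }`. Note also that `queue()` presumably copies the message elsewhere; whether that copy is wiped once consumed is not visible in this hunk. read_and_queue starts before this hunk and ends in the following one.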
@@ -284,6 +290,10 @@ static bool read_and_queue(private_netlink_socket_t *this, bool block)
hdr = NLMSG_NEXT(hdr, len);
}
}
+ if (wipe)
+ {
+ memwipe(buf, read_len);
+ }
return FALSE;
}