diff options
| author | Yves-Alexis Perez <corsac@corsac.net> | 2017-11-21 10:22:31 +0100 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-11-21 10:22:31 +0100 |
| commit | e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (patch) | |
| tree | ae0c8b5f4cd8289d0797882ea18969f33ea59a1e /src/libcharon/plugins/kernel_pfkey | |
| parent | 11d6b62db969bdd808d0f56706cb18f113927a31 (diff) | |
| download | vyos-strongswan-e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e.tar.gz vyos-strongswan-e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e.zip | |
New upstream version 5.6.1
Diffstat (limited to 'src/libcharon/plugins/kernel_pfkey')
| -rw-r--r-- | src/libcharon/plugins/kernel_pfkey/Makefile.in | 2 | ||||
| -rw-r--r-- | src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 18 |
2 files changed, 19 insertions, 1 deletions
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in index 0ef880035..0d3d3775b 100644 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.in +++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index fd1adb2ae..710107889 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1740,7 +1740,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, #ifdef __linux__ sa->sadb_sa_replay = min(data->replay_window, 32); #else - sa->sadb_sa_replay = (data->replay_window + 7) / 8; + sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX); #endif } sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg); @@ -1749,6 +1749,19 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } PFKEY_EXT_ADD(msg, sa); +#ifdef SADB_X_EXT_SA_REPLAY + if (data->inbound) + { + struct sadb_x_sa_replay *replay; + + replay = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg); + replay->sadb_x_replay_exttype = SADB_X_EXT_SA_REPLAY; + replay->sadb_x_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay)); + replay->sadb_x_replay_replay = min(data->replay_window, UINT32_MAX-32); + PFKEY_EXT_ADD(msg, replay); + } +#endif + sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg); sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2; sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange)); @@ -1960,6 +1973,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t, PFKEY_EXT_COPY(msg, response.lft_soft); PFKEY_EXT_COPY(msg, response.lft_hard); +#ifndef __FreeBSD__ + /* FreeBSD 11.1 does not allow key updates via SADB_UPDATE for mature SAs */ if (response.key_encr) { PFKEY_EXT_COPY(msg, response.key_encr); @@ -1969,6 +1984,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, { PFKEY_EXT_COPY(msg, response.key_auth); } +#endif #ifdef HAVE_NATT if (data->new_encap) |