summaryrefslogtreecommitdiff
path: root/src/charon-tkm
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon-tkm')
-rw-r--r--src/charon-tkm/src/tkm/tkm_id_manager.c2
-rw-r--r--src/charon-tkm/src/tkm/tkm_kernel_ipsec.c17
-rw-r--r--src/charon-tkm/src/tkm/tkm_kernel_sad.c89
-rw-r--r--src/charon-tkm/src/tkm/tkm_kernel_sad.h21
-rw-r--r--src/charon-tkm/src/tkm/tkm_keymat.c15
-rw-r--r--src/charon-tkm/src/tkm/tkm_listener.c9
-rw-r--r--src/charon-tkm/src/tkm/tkm_nonceg.c53
-rw-r--r--src/charon-tkm/src/tkm/tkm_nonceg.h8
-rw-r--r--src/charon-tkm/tests/kernel_sad_tests.c48
-rw-r--r--src/charon-tkm/tests/keymat_tests.c2
-rw-r--r--src/charon-tkm/tests/nonceg_tests.c1
11 files changed, 200 insertions, 65 deletions
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c
index e6d571b83..d8ff6753f 100644
--- a/src/charon-tkm/src/tkm/tkm_id_manager.c
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.c
@@ -19,8 +19,6 @@
#include <utils/debug.h>
#include <threading/rwlock.h>
-#define TKM_LIMIT 100
-
ENUM_BEGIN(tkm_context_kind_names, TKM_CTX_NONCE, TKM_CTX_ESA,
"NONCE_CONTEXT",
"DH_CONTEXT",
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index 734b1ec55..7a0672aa8 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -132,7 +132,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
}
esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
- if (!tkm->sad->insert(tkm->sad, reqid, esa_id, local, peer, spi_rem,
+ if (!tkm->sad->insert(tkm->sad, esa_id, reqid, local, peer, spi_loc, spi_rem,
protocol))
{
DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id);
@@ -164,6 +164,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
DBG1(DBG_KNL, "child SA (%llu, no PFS) creation failed", esa_id);
goto failure;
}
+ tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
}
/* creation of subsequent child SA with PFS: nonce and dh context are set */
@@ -176,6 +177,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
DBG1(DBG_KNL, "child SA (%llu) creation failed", esa_id);
goto failure;
}
+ tkm->chunk_map->remove(tkm->chunk_map, nonce_loc);
tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
}
if (ike_esa_select(esa_id) != TKM_OK)
@@ -217,11 +219,22 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
{
- esa_id_type esa_id;
+ esa_id_type esa_id, other_esa_id;
esa_id = tkm->sad->get_esa_id(tkm->sad, src, dst, spi, protocol);
if (esa_id)
{
+ other_esa_id = tkm->sad->get_other_esa_id(tkm->sad, esa_id);
+ if (other_esa_id)
+ {
+ DBG1(DBG_KNL, "selecting child SA (esa: %llu)", other_esa_id);
+ if (ike_esa_select(other_esa_id) != TKM_OK)
+ {
+ DBG1(DBG_KNL, "error selecting other child SA (esa: %llu)",
+ other_esa_id);
+ }
+ }
+
DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
ntohl(spi));
if (ike_esa_reset(esa_id) != TKM_OK)
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
index 3394b58af..2556f6b8b 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
@@ -72,9 +72,14 @@ struct sad_entry_t {
host_t *dst;
/**
- * SPI of CHILD SA.
+ * Local SPI of CHILD SA.
*/
- u_int32_t spi;
+ u_int32_t spi_loc;
+
+ /**
+ * Remote SPI of CHILD SA.
+ */
+ u_int32_t spi_rem;
/**
* Protocol of CHILD SA (ESP/AH).
@@ -97,7 +102,7 @@ static void sad_entry_destroy(sad_entry_t *entry)
}
/**
- * Find a list entry with given src, dst, spi and proto values.
+ * Find a list entry with given src, dst, (remote) spi and proto values.
*/
static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src,
const host_t * const dst, const u_int32_t * const spi,
@@ -110,7 +115,7 @@ static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src,
return src->ip_equals(entry->src, (host_t *)src) &&
dst->ip_equals(entry->dst, (host_t *)dst) &&
- entry->spi == *spi && entry->proto == *proto;
+ entry->spi_rem == *spi && entry->proto == *proto;
}
/**
@@ -121,9 +126,29 @@ static bool sad_entry_match_dst(sad_entry_t * const entry,
const u_int32_t * const spi,
const u_int8_t * const proto)
{
- return entry->reqid == *reqid &&
- entry->spi == *spi &&
- entry->proto == *proto;
+ return entry->reqid == *reqid &&
+ entry->spi_rem == *spi &&
+ entry->proto == *proto;
+}
+
+/**
+ * Find a list entry with given esa id.
+ */
+static bool sad_entry_match_esa_id(sad_entry_t * const entry,
+ const esa_id_type * const esa_id)
+{
+ return entry->esa_id == *esa_id;
+}
+
+/**
+ * Find a list entry with given reqid and different esa id.
+ */
+static bool sad_entry_match_other_esa(sad_entry_t * const entry,
+ const esa_id_type * const esa_id,
+ const u_int32_t * const reqid)
+{
+ return entry->reqid == *reqid &&
+ entry->esa_id != *esa_id;
}
/**
@@ -140,13 +165,15 @@ static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
left->reqid == right->reqid &&
left->src->ip_equals(left->src, right->src) &&
left->dst->ip_equals(left->dst, right->dst) &&
- left->spi == right->spi && left->proto == right->proto;
+ left->spi_loc == right->spi_loc &&
+ left->spi_rem == right->spi_rem &&
+ left->proto == right->proto;
}
METHOD(tkm_kernel_sad_t, insert, bool,
private_tkm_kernel_sad_t * const this, const esa_id_type esa_id,
const u_int32_t reqid, const host_t * const src, const host_t * const dst,
- const u_int32_t spi, const u_int8_t proto)
+ const u_int32_t spi_loc, const u_int32_t spi_rem, const u_int8_t proto)
{
status_t result;
sad_entry_t *new_entry;
@@ -156,7 +183,8 @@ METHOD(tkm_kernel_sad_t, insert, bool,
.reqid = reqid,
.src = (host_t *)src,
.dst = (host_t *)dst,
- .spi = spi,
+ .spi_loc = spi_loc,
+ .spi_rem = spi_rem,
.proto = proto,
);
@@ -167,8 +195,8 @@ METHOD(tkm_kernel_sad_t, insert, bool,
if (result == NOT_FOUND)
{
DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, reqid: %u, src: %H, "
- "dst: %H, spi: %x, proto: %u)", esa_id, reqid, src, dst,
- ntohl(spi), proto);
+ "dst: %H, spi_loc: %x, spi_rem: %x,proto: %u)", esa_id, reqid, src,
+ dst, ntohl(spi_loc), ntohl(spi_rem), proto);
new_entry->src = src->clone((host_t *)src);
new_entry->dst = dst->clone((host_t *)dst);
this->data->insert_last(this->data, new_entry);
@@ -209,6 +237,42 @@ METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
return id;
}
+METHOD(tkm_kernel_sad_t, get_other_esa_id, esa_id_type,
+ private_tkm_kernel_sad_t * const this, const esa_id_type esa_id)
+{
+ esa_id_type id = 0;
+ sad_entry_t *entry = NULL;
+ u_int32_t reqid;
+ status_t res;
+
+ this->mutex->lock(this->mutex);
+ res = this->data->find_first(this->data,
+ (linked_list_match_t)sad_entry_match_esa_id,
+ (void**)&entry, &esa_id);
+ if (res == SUCCESS && entry)
+ {
+ reqid = entry->reqid;
+ }
+ else
+ {
+ DBG3(DBG_KNL, "no SAD entry found for ESA id %llu", esa_id);
+ this->mutex->unlock(this->mutex);
+ return id;
+ }
+
+ res = this->data->find_first(this->data,
+ (linked_list_match_t)sad_entry_match_other_esa,
+ (void**)&entry, &esa_id, &reqid);
+ if (res == SUCCESS && entry)
+ {
+ id = entry->esa_id;
+ DBG3(DBG_KNL, "returning ESA id %llu of other SAD entry with reqid %u",
+ id, reqid);
+ }
+ this->mutex->unlock(this->mutex);
+ return id;
+}
+
METHOD(tkm_kernel_sad_t, get_dst_host, host_t *,
private_tkm_kernel_sad_t * const this, const u_int32_t reqid,
const u_int32_t spi, const u_int8_t proto)
@@ -289,6 +353,7 @@ tkm_kernel_sad_t *tkm_kernel_sad_create()
.public = {
.insert = _insert,
.get_esa_id = _get_esa_id,
+ .get_other_esa_id = _get_other_esa_id,
.get_dst_host = _get_dst_host,
.remove = __remove,
.destroy = _destroy,
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
index 38b19dd01..3a84deffc 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.h
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
@@ -40,21 +40,22 @@ struct tkm_kernel_sad_t {
* @param reqid reqid of the SA
* @param src source address of CHILD SA
* @param dst destination address of CHILD SA
- * @param spi SPI of CHILD SA
+ * @param spi_loc Local SPI of CHILD SA
+ * @param spi_rem Remote SPI of CHILD SA
* @param proto protocol of CHILD SA (ESP/AH)
* @return TRUE if entry was inserted, FALSE otherwise
*/
bool (*insert)(tkm_kernel_sad_t * const this, const esa_id_type esa_id,
const u_int32_t reqid, const host_t * const src,
- const host_t * const dst, const u_int32_t spi,
- const u_int8_t proto);
+ const host_t * const dst, const u_int32_t spi_loc,
+ const u_int32_t spi_rem, const u_int8_t proto);
/**
* Get ESA id for entry with given parameters.
*
* @param src source address of CHILD SA
* @param dst destination address of CHILD SA
- * @param spi SPI of CHILD SA
+ * @param spi Remote SPI of CHILD SA
* @param proto protocol of CHILD SA (ESP/AH)
* @return ESA id of entry if found, 0 otherwise
*/
@@ -63,10 +64,20 @@ struct tkm_kernel_sad_t {
const u_int32_t spi, const u_int8_t proto);
/**
+ * Get ESA id for entry associated with same security policy as the
+ * specified ESA.
+ *
+ * @param esa_id id of ESA identifying the security policy
+ * @return ESA id of entry if found, 0 otherwise
+ */
+ esa_id_type (*get_other_esa_id)(tkm_kernel_sad_t * const this,
+ const esa_id_type esa_id);
+
+ /**
* Get destination host for entry with given parameters.
*
* @param reqid reqid of CHILD SA
- * @param spi SPI of CHILD SA
+ * @param spi Remote SPI of CHILD SA
* @param proto protocol of CHILD SA (ESP/AH)
* @return destination host of entry if found, NULL otherwise
*/
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 80721fafe..1e1fa4f30 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -102,6 +102,7 @@ static void aead_create_from_keys(aead_t **in, aead_t **out,
*in = *out = NULL;
signer_t *signer_i, *signer_r;
crypter_t *crypter_i, *crypter_r;
+ iv_gen_t *ivg_i, *ivg_r;
signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
@@ -145,15 +146,21 @@ static void aead_create_from_keys(aead_t **in, aead_t **out,
return;
}
+ ivg_i = iv_gen_create_for_alg(enc_alg);
+ ivg_r = iv_gen_create_for_alg(enc_alg);
+ if (!ivg_i || !ivg_r)
+ {
+ return;
+ }
if (initiator)
{
- *in = aead_create(crypter_r, signer_r);
- *out = aead_create(crypter_i, signer_i);
+ *in = aead_create(crypter_r, signer_r, ivg_r);
+ *out = aead_create(crypter_i, signer_i, ivg_i);
}
else
{
- *in = aead_create(crypter_i, signer_i);
- *out = aead_create(crypter_r, signer_r);
+ *in = aead_create(crypter_i, signer_i, ivg_i);
+ *out = aead_create(crypter_r, signer_r, ivg_r);
}
}
diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c
index bb1218266..f57527602 100644
--- a/src/charon-tkm/src/tkm/tkm_listener.c
+++ b/src/charon-tkm/src/tkm/tkm_listener.c
@@ -14,6 +14,8 @@
* for more details.
*/
+#include <stdarg.h>
+
#include <daemon.h>
#include <encoding/payloads/auth_payload.h>
#include <utils/chunk.h>
@@ -209,6 +211,13 @@ METHOD(listener_t, alert, bool,
{
tkm_keymat_t *keymat;
isa_id_type isa_id;
+ int is_first;
+
+ is_first = va_arg(args, int);
+ if (!is_first)
+ {
+ return TRUE;
+ }
keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
isa_id = keymat->get_isa_id(keymat);
diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.c b/src/charon-tkm/src/tkm/tkm_nonceg.c
index a07326798..336f16ecd 100644
--- a/src/charon-tkm/src/tkm/tkm_nonceg.c
+++ b/src/charon-tkm/src/tkm/tkm_nonceg.c
@@ -33,23 +33,32 @@ struct private_tkm_nonceg_t {
tkm_nonceg_t public;
/**
- * Context id.
+ * Nonce chunk.
*/
- nc_id_type context_id;
-
+ chunk_t nonce;
};
METHOD(nonce_gen_t, get_nonce, bool,
private_tkm_nonceg_t *this, size_t size, u_int8_t *buffer)
{
nonce_type nonce;
+ uint64_t nc_id;
+
+ nc_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_NONCE);
+ if (!nc_id)
+ {
+ return FALSE;
+ }
- if (ike_nc_create(this->context_id, size, &nonce) != TKM_OK)
+ if (ike_nc_create(nc_id, size, &nonce) != TKM_OK)
{
+ tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
return FALSE;
}
memcpy(buffer, &nonce.data, size);
+ this->nonce = chunk_clone(chunk_create(buffer, size));
+ tkm->chunk_map->insert(tkm->chunk_map, &this->nonce, nc_id);
return TRUE;
}
@@ -57,24 +66,28 @@ METHOD(nonce_gen_t, allocate_nonce, bool,
private_tkm_nonceg_t *this, size_t size, chunk_t *chunk)
{
*chunk = chunk_alloc(size);
- if (get_nonce(this, chunk->len, chunk->ptr))
- {
- tkm->chunk_map->insert(tkm->chunk_map, chunk, this->context_id);
- return TRUE;
- }
- return FALSE;
+ return get_nonce(this, chunk->len, chunk->ptr);
}
METHOD(nonce_gen_t, destroy, void,
private_tkm_nonceg_t *this)
{
- free(this);
-}
+ uint64_t nc_id;
-METHOD(tkm_nonceg_t, get_id, nc_id_type,
- private_tkm_nonceg_t *this)
-{
- return this->context_id;
+ nc_id = tkm->chunk_map->get_id(tkm->chunk_map, &this->nonce);
+ if (nc_id)
+ {
+ DBG1(DBG_IKE, "resetting stale nonce context %llu", nc_id);
+
+ if (ike_nc_reset(nc_id) != TKM_OK)
+ {
+ DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
+ }
+ tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
+ tkm->chunk_map->remove(tkm->chunk_map, &this->nonce);
+ }
+ chunk_free(&this->nonce);
+ free(this);
}
/*
@@ -91,16 +104,8 @@ tkm_nonceg_t *tkm_nonceg_create()
.allocate_nonce = _allocate_nonce,
.destroy = _destroy,
},
- .get_id = _get_id,
},
- .context_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_NONCE),
);
- if (!this->context_id)
- {
- free(this);
- return NULL;
- }
-
return &this->public;
}
diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.h b/src/charon-tkm/src/tkm/tkm_nonceg.h
index ceadb081f..d158551fe 100644
--- a/src/charon-tkm/src/tkm/tkm_nonceg.h
+++ b/src/charon-tkm/src/tkm/tkm_nonceg.h
@@ -36,14 +36,6 @@ struct tkm_nonceg_t {
* Implements nonce_gen_t.
*/
nonce_gen_t nonce_gen;
-
- /**
- * Get nonce context id.
- *
- * @return context id of this nonce generator.
- */
- nc_id_type (*get_id)(tkm_nonceg_t * const this);
-
};
/**
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
index b9ab3cb5e..2a033d237 100644
--- a/src/charon-tkm/tests/kernel_sad_tests.c
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -34,7 +34,7 @@ START_TEST(test_insert)
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50),
+ fail_unless(sad->insert(sad, 1, 2, addr, addr, 27, 42, 50),
"Error inserting SAD entry");
sad->destroy(sad);
@@ -47,9 +47,9 @@ START_TEST(test_insert_duplicate)
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50),
+ fail_unless(sad->insert(sad, 1, 2, addr, addr, 27, 42, 50),
"Error inserting SAD entry");
- fail_if(sad->insert(sad, 1, 2, addr, addr, 42, 50),
+ fail_if(sad->insert(sad, 1, 2, addr, addr, 27, 42, 50),
"Expected error inserting duplicate entry");
sad->destroy(sad);
@@ -61,7 +61,7 @@ START_TEST(test_get_esa_id)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
+ fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
"Error inserting SAD entry");
fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
"Error getting esa id");
@@ -81,11 +81,42 @@ START_TEST(test_get_esa_id_nonexistent)
}
END_TEST
+START_TEST(test_get_other_esa_id)
+{
+ host_t *addr = host_create_from_string("127.0.0.1", 1024);
+ tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+ fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
+ "Error inserting SAD entry");
+ fail_unless(sad->insert(sad, 24, 54, addr, addr, 27, 42, 50),
+ "Error inserting SAD entry");
+ fail_unless(sad->get_other_esa_id(sad, 23) == 24,
+ "Error getting other esa id");
+ sad->destroy(sad);
+ addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_get_other_esa_id_nonexistent)
+{
+ host_t *addr = host_create_from_string("127.0.0.1", 1024);
+ tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+ fail_unless(sad->get_other_esa_id(sad, 1) == 0,
+ "Got other esa id for nonexistent SAD entry");
+ fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
+ "Error inserting SAD entry");
+ fail_unless(sad->get_other_esa_id(sad, 23) == 0,
+ "Got own esa id");
+
+ sad->destroy(sad);
+ addr->destroy(addr);
+}
+END_TEST
+
START_TEST(test_get_dst_host)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
+ fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
"Error inserting SAD entry");
host_t *dst = sad->get_dst_host(sad, 54, 42, 50);
@@ -108,7 +139,7 @@ START_TEST(test_remove)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
+ fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50),
"Error inserting SAD entry");
fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
"Error getting esa id");
@@ -151,6 +182,11 @@ Suite *make_kernel_sad_tests()
tcase_add_test(tc, test_get_esa_id_nonexistent);
suite_add_tcase(s, tc);
+ tc = tcase_create("get_other_esa_id");
+ tcase_add_test(tc, test_get_other_esa_id);
+ tcase_add_test(tc, test_get_other_esa_id_nonexistent);
+ suite_add_tcase(s, tc);
+
tc = tcase_create("get_dst_host");
tcase_add_test(tc, test_get_dst_host);
tcase_add_test(tc, test_get_dst_host_nonexistent);
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index 889965a78..d087bee3f 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -46,7 +46,6 @@ START_TEST(test_derive_ike_keys)
fail_if(!ng, "Unable to create nonce generator");
fail_unless(ng->nonce_gen.allocate_nonce(&ng->nonce_gen, 32, &nonce),
"Unable to allocate nonce");
- ng->nonce_gen.destroy(&ng->nonce_gen);
tkm_diffie_hellman_t *dh = tkm_diffie_hellman_create(MODP_4096_BIT);
fail_if(!dh, "Unable to create DH");
@@ -69,6 +68,7 @@ START_TEST(test_derive_ike_keys)
fail_if(aead->get_block_size(aead) != 16, "Block size mismatch %d",
aead->get_block_size(aead));
+ ng->nonce_gen.destroy(&ng->nonce_gen);
proposal->destroy(proposal);
dh->dh.destroy(&dh->dh);
ike_sa_id->destroy(ike_sa_id);
diff --git a/src/charon-tkm/tests/nonceg_tests.c b/src/charon-tkm/tests/nonceg_tests.c
index 6f524cb22..d150891eb 100644
--- a/src/charon-tkm/tests/nonceg_tests.c
+++ b/src/charon-tkm/tests/nonceg_tests.c
@@ -27,7 +27,6 @@ START_TEST(test_nonceg_creation)
ng = tkm_nonceg_create();
fail_if(ng == NULL, "Error creating tkm nonce generator");
- fail_if(ng->get_id(ng) == 0, "Invalid context id (0)");
ng->nonce_gen.destroy(&ng->nonce_gen);
}