kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD
authorTobias Brunner <tobias@strongswan.org>
Fri, 3 Nov 2017 08:37:44 +0000 (09:37 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Nov 2017 15:34:12 +0000 (16:34 +0100)
The FreeBSD kernel explicitly rejects messages containing keys for mature SAs.

Fixes #2457.

src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index fd1adb2aef5d4c50df8dda983ff96058c4b2e9aa..eca0bc1321fff60a6b324558329f66c300fa3af4 100644 (file)
@@ -1960,6 +1960,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
        PFKEY_EXT_COPY(msg, response.lft_soft);
        PFKEY_EXT_COPY(msg, response.lft_hard);
 
+#ifndef __FreeBSD__
+       /* FreeBSD 11.1 does not allow key updates via SADB_UPDATE for mature SAs */
        if (response.key_encr)
        {
                PFKEY_EXT_COPY(msg, response.key_encr);
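Review bot: The new comment names FreeBSD 11.1 while the `#ifndef __FreeBSD__` guard above it excludes the key extensions on every FreeBSD release, so a reader cannot tell whether older kernels are intentionally covered or just swept along; the comment should state the actual intent and the consequence, e.g. `/* FreeBSD (observed on 11.1) rejects SADB_UPDATE messages that carry keys for a mature SA; omitting them leaves the kernel's existing key material in place, since update_sa only changes addresses/lifetimes/encap here */`. It is presumably also worth confirming that pre-11.1 kernels accept an SADB_UPDATE without SADB_EXT_KEY_AUTH/SADB_EXT_KEY_ENCR for this message, as the guard now drops them there too. Note that the `#ifndef` opened here is closed by the `#endif` in the following hunk, and update_sa's body starts and ends outside both hunks.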
@@ -1969,6 +1971,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
        {
                PFKEY_EXT_COPY(msg, response.key_auth);
        }
+#endif
 
 #ifdef HAVE_NATT
        if (data->new_encap)