kernel-pfkey: Support anti-replay windows > 2k
authorTobias Brunner <tobias@strongswan.org>
Tue, 7 Nov 2017 13:26:14 +0000 (14:26 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Nov 2017 15:35:38 +0000 (16:35 +0100)
FreeBSD 11.1 supports a new PF_KEY extension for configuring larger anti-replay
windows; with it the window is specified as a number of packets.

Fixes #2461.

src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index eca0bc1321fff60a6b324558329f66c300fa3af4..710107889fca3ccb3ac0944499921a449aac4f68 100644 (file)
@@ -1740,7 +1740,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 #ifdef __linux__
                        sa->sadb_sa_replay = min(data->replay_window, 32);
 #else
-                       sa->sadb_sa_replay = (data->replay_window + 7) / 8;
+                       sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX);
 #endif
                }
                sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
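Review bot: The clamp on the new line does not protect the addition before it: if `data->replay_window` is a 32-bit unsigned, as the `UINT32_MAX-32` clamp in the following hunk suggests, a value above `UINT32_MAX - 7` wraps in `data->replay_window + 7`, the division then yields 0 or 1, and `min()` passes that through, so the SA is installed with (almost) no replay protection instead of the maximum. Comparing before adding avoids the wrap: `sa->sadb_sa_replay = data->replay_window >= UINT8_MAX * 8 ? UINT8_MAX : (data->replay_window + 7) / 8;`. Such a value is only reachable from configuration, so the impact is limited, but a `DBG1(DBG_KNL, ...)` whenever the window is capped to 2040 packets would also make the otherwise silent truncation on kernels without the SA_REPLAY extension visible to the administrator. add_sa starts and ends outside this hunk.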
@@ -1749,6 +1749,19 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        }
        PFKEY_EXT_ADD(msg, sa);
 
+#ifdef SADB_X_EXT_SA_REPLAY
+       if (data->inbound)
+       {
+               struct sadb_x_sa_replay *replay;
+
+               replay = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg);
+               replay->sadb_x_replay_exttype = SADB_X_EXT_SA_REPLAY;
+               replay->sadb_x_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay));
+               replay->sadb_x_replay_replay = min(data->replay_window, UINT32_MAX-32);
+               PFKEY_EXT_ADD(msg, replay);
+       }
+#endif
+
        sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
        sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
        sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
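Review bot: The `UINT32_MAX-32` bound on the `sadb_x_replay_replay` assignment is an unexplained magic constant; the reason (presumably headroom for the kernel rounding the window up to a multiple of 32 bits, or a similar adjustment, before sizing its bitmap — worth confirming against FreeBSD's key.c) should be stated next to it, e.g. `/* leave headroom for the kernel's internal rounding of the window, see FreeBSD key.c */`. A comment on the `#ifdef` should also say that the 8-bit `sadb_sa_replay` set above is still sent and is what a kernel without this extension falls back to, so the two values are intentionally redundant rather than conflicting. Since the value is passed straight from configuration, a window close to 4G packets presumably makes the kernel allocate a bitmap of that size for every inbound SA; a one-line caveat on that would help operators choosing a size. add_sa starts and ends outside this hunk.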