kernel-pfkey: Don't use TS from acquire in tunnel mode
authorTobias Brunner <tobias@strongswan.org>
Tue, 8 Apr 2025 07:02:12 +0000 (09:02 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 28 May 2025 08:11:53 +0000 (10:11 +0200)
The addresses are actually the endpoints of the SA, not information on
the matched packet (except that the RFC says to set the ports and
protocol of the packet in the source address, which the Linux kernel
doesn't do).  So these are useless, unless transport mode is used, where
the addresses are needed for the wildcard trap policy use case.

The RFC mentions a PROXY address (a single one, not two), that could
apparently be something like the source address in tunnel mode.
However, the description of how this is used in the RFC is quite weird
and neither Linux nor FreeBSD send such an attribute in SADB_ACQUIRE.

src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index 41e13a832af98fe17180975d829b7e2c9d008a56..f9ac579ad271e4aa2a165829234398fae707e62f 100644 (file)
@@ -1326,6 +1326,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
        pfkey_msg_t response;
        kernel_acquire_data_t data = {};
        uint32_t index, reqid = 0;
+       uint8_t mode = 0;
        policy_entry_t *policy;
        policy_sa_t *sa;
 
@@ -1350,6 +1351,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
        if (response.x_sa2)
        {
                reqid = response.x_sa2->sadb_x_sa2_reqid;
+               mode = response.x_sa2->sadb_x_sa2_mode;
        }
        else
        {
@@ -1360,6 +1362,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
                        policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
                {
                        reqid = sa->sa->cfg.reqid;
+                       mode = sa->sa->cfg.mode;
                }
                else
                {
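Review bot: The fallback assignment `mode = sa->sa->cfg.mode;` in this hunk stores a strongSwan `ipsec_mode_t`, while the value taken from `sadb_x_sa2_mode` in the previous hunk and the `IPSEC_MODE_TRANSPORT` constant it is later compared against are PF_KEY kernel mode values. The two enumerations appear to agree numerically for transport mode, so the comparison works today, but the check then depends on that coincidence rather than on an explicit conversion, and a mismatch would silently drop the TS for transport-mode acquires. If this file already has a helper that maps `ipsec_mode_t` to the kernel's `IPSEC_MODE_*` values when installing SAs (something like `mode2kernel()` — please confirm), it should be used here: `mode = mode2kernel(sa->sa->cfg.mode);`. process_acquire() begins before this hunk and continues after it.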
@@ -1371,13 +1374,24 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
 
        if (reqid)
        {
-               data.src = sadb_address2ts(response.src);
-               data.dst = sadb_address2ts(response.dst);
+               /* while we could pass the sequence number from the acquire in order
+                * to use it in the SA install, we currently don't do that. the reason
+                * is that the addresses we get here are the endpoints of the SA, not
+                * information about the matched packet (except for the ports, according
+                * to the RFC, although the Linux kernel doesn't do that). so these are
+                * only useful in transport mode with wildcard policies. in tunnel mode,
+                * where narrowing could occur and the sequence number would be
+                * relevant, these TS are useless and might not even match the policy */
+               if (mode == IPSEC_MODE_TRANSPORT)
+               {
+                       data.src = sadb_address2ts(response.src);
+                       data.dst = sadb_address2ts(response.dst);
+               }
 
                charon->kernel->acquire(charon->kernel, reqid, &data);
 
-               data.src->destroy(data.src);
-               data.dst->destroy(data.dst);
+               DESTROY_IF(data.src);
+               DESTROY_IF(data.dst);
        }
 }