certificate chain, are also used as constraints against the signature scheme
used by peers during IKEv2.
+charon.spi_min = 0xc0000000
+ The lower limit for SPIs requested from the kernel for IPsec SAs.
+
+charon.spi_max = 0xcfffffff
+ The upper limit for SPIs requested from the kernel for IPsec SAs.
+
charon.start-scripts {}
Section containing a list of scripts (name = path) that are executed when
the daemon is started.
#include <kernel/kernel_ipsec.h>
#include <kernel/kernel_net.h>
+/**
+ * Default range for SPIs requested from kernels
+ */
+#define KERNEL_SPI_MIN 0xc0000000
+#define KERNEL_SPI_MAX 0xcfffffff
+
/**
* Bitfield of optional features a kernel backend supports.
*
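Review bot: The comment on KERNEL_SPI_MIN/KERNEL_SPI_MAX does not say that these are the built-in defaults of the charon.spi_min and charon.spi_max settings, which the documentation hunk repeats as literal values, so the two can silently drift apart. Suggest `/** Default range for SPIs requested from kernels; these are the defaults of the charon.spi_min/spi_max settings, keep in sync with the strongswan.conf documentation. Both lie above the SPIs 0-255 that RFC 4303 reserves. */`. Since the values exceed INT_MAX, the comment could also note that they are meant to be handled as uint32_t by every backend that reads the settings.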
/*
- * Copyright (C) 2006-2016 Tobias Brunner
+ * Copyright (C) 2006-2017 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2008-2016 Andreas Steffen
* Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
uint8_t protocol, uint32_t *spi)
{
- if (get_spi_internal(this, src, dst, protocol,
- 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
+ uint32_t spi_min, spi_max;
+
+ spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+ KERNEL_SPI_MIN, lib->ns);
+ spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+ KERNEL_SPI_MAX, lib->ns);
+
+ if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
+ max(spi_min, spi_max), spi) != SUCCESS)
{
DBG1(DBG_KNL, "unable to get SPI");
return FAILED;
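Review bot: The limits read at `spi_min = lib->settings->get_int(...)` pass through `int`: the defaults 0xc0000000/0xcfffffff exceed INT_MAX, so they are converted to a negative int and back, and a user value above 0x7fffffff in strongswan.conf depends on how settings parses it (if that is strtol into a 32-bit long, it saturates to 0x7fffffff on ILP32 targets). Reading the setting as a string via get_str and converting it with strtoul into the uint32_t would avoid both conversions. Nothing enforces that spi_min stays above 255, the range RFC 4303 reserves; min()/max() only normalize the order, so unless the kernel rejects that range itself a misconfigured spi_min hands out reserved SPIs. The pfkey backend's get_spi in the next file duplicates this block verbatim and shares both issues; a small shared helper in kernel_ipsec returning the validated pair would keep them in sync. The enclosing get_spi starts before the hunk (its name line is not shown) and continues past it.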
/*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2017 Tobias Brunner
* Copyright (C) 2008 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
uint8_t protocol, uint32_t *spi)
{
- if (get_spi_internal(this, src, dst, protocol,
- 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
+ uint32_t spi_min, spi_max;
+
+ spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+ KERNEL_SPI_MIN, lib->ns);
+ spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+ KERNEL_SPI_MAX, lib->ns);
+
+ if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
+ max(spi_min, spi_max), spi) != SUCCESS)
{
DBG1(DBG_KNL, "unable to get SPI");
return FAILED;
/*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
* Copyright (C) 2012 Giuliano Grassi
* Copyright (C) 2012 Ralf Sager
* Hochschule fuer Technik Rapperswil
private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint8_t protocol,
uint32_t *spi)
{
- uint32_t spi_new;
+ uint32_t spi_min, spi_max, spi_new;
+
+ spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+ KERNEL_SPI_MIN, lib->ns);
+ spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+ KERNEL_SPI_MAX, lib->ns);
+ if (spi_min > spi_max)
+ {
+ spi_new = spi_min;
+ spi_min = spi_max;
+ spi_max = spi_new;
+ }
this->mutex->lock(this->mutex);
if (!this->rng)
DBG1(DBG_ESP, "failed to allocate SPI");
return FAILED;
}
+ spi_new = spi_min + spi_new % (spi_max - spi_min + 1);
/* make sure the SPI is valid (not in range 0-255) */
spi_new |= 0x00000100;
spi_new = htonl(spi_new);
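Review bot: The reduction `spi_new = spi_min + spi_new % (spi_max - spi_min + 1);` divides by zero when the configured range spans all 32 bits (spi_min = 0, spi_max = 0xffffffff makes the divisor wrap to 0), and the `spi_new |= 0x00000100;` that follows can push the result above spi_max whenever the range is narrower than 256 or not 256-aligned, so the configured bounds are not really honored. The swap in the first hunk only normalizes order; clamping spi_min to at least 0x100 and spi_max to at least spi_min before the reduction removes the zero divisor, keeps the reserved SPIs 0-255 out of reach, and makes the |= 0x100 unnecessary. This assumes the lines between the two hunks fill spi_new from this->rng, which is not shown here; get_spi itself starts before the first hunk. The netlink and pfkey backends read the same settings with a different normalization (min()/max()), so the three should agree on the validation.
```c
	/* … unchanged: settings lookup and min/max swap … */
	/* stay clear of the reserved SPIs 0-255 and keep the range non-empty;
	 * with spi_min >= 0x100 the divisor below cannot wrap to zero */
	if (spi_min < 0x100)
	{
		spi_min = 0x100;
	}
	if (spi_max < spi_min)
	{
		spi_max = spi_min;
	}
	/* … unchanged: rng setup and random fill of spi_new … */
	spi_new = spi_min + spi_new % (spi_max - spi_min + 1);
	/* spi_new >= spi_min >= 0x100, so no |= 0x100 fix-up is needed */
	spi_new = htonl(spi_new);
```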