From: Tobias Brunner
Date: Fri, 3 Nov 2017 08:37:44 +0000 (+0100)
Subject: kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD
X-Git-Tag: 5.6.1rc1~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21a500a092e4a2a0f91118846fede5f445d59d31;p=thirdparty%2Fstrongswan.git
kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD
The FreeBSD kernel explicitly rejects messages containing keys for mature SAs. Fixes #2457.
---
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index fd1adb2aef..eca0bc1321 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1960,6 +1960,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 PFKEY_EXT_COPY(msg, response.lft_soft);
 PFKEY_EXT_COPY(msg, response.lft_hard);
+#ifndef __FreeBSD__
+ /* FreeBSD 11.1 does not allow key updates via SADB_UPDATE for mature SAs */
 if (response.key_encr)
 {
 PFKEY_EXT_COPY(msg, response.key_encr);
@@ -1969,6 +1971,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 {
 PFKEY_EXT_COPY(msg, response.key_auth);
 }
+#endif
 #ifdef HAVE_NATT
 if (data->new_encap)
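Review bot: The `#ifndef __FreeBSD__` guard added before `if (response.key_encr)` excludes every FreeBSD release, while the comment next to it only documents the 11.1 behaviour, so a reader cannot tell whether omitting the keys is merely tolerated or required on older kernels, and may later narrow it to a `__FreeBSD_version` check without the evidence. Suggest stating the contract rather than the observation: `/* FreeBSD (observed on 11.1) rejects SADB_UPDATE messages that carry keys for a mature SA; this update only changes addresses/encapsulation, so key_encr/key_auth are deliberately left out here */`. Independently of this change, `response` still holds the SA's key material after this point (and `msg` does too on other platforms); the hunks do not show how those buffers are released, so it is worth confirming that they are wiped rather than plainly freed, since the same SADB_GET reply is reused for the update. The enclosing update_sa starts before the first hunk and ends after the second, where the matching `#endif` closes the guard.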