From: Tobias Brunner
Date: Thu, 11 May 2023 15:04:00 +0000 (+0200)
Subject: libipsec: Move restrictions regarding UDP encapsulation to users
X-Git-Tag: 5.9.11rc1~8^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29e8cb3f903dfe329ad3ec59f10f1495f3c4373f;p=thirdparty%2Fstrongswan.git
libipsec: Move restrictions regarding UDP encapsulation to users
---
diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
index 7af027e751..b2caed97cc 100644
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
@@ -71,6 +71,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 private_kernel_android_ipsec_t *this, kernel_ipsec_sa_id_t *id,
 kernel_ipsec_add_sa_t *data)
 {
+ if (!data->encap)
+ {
+ DBG1(DBG_ESP, "failed to add SAD entry: only UDP encapsulation is "
+ "supported");
+ return FAILED;
+ }
 return ipsec->sas->add_sa(ipsec->sas, id->src, id->dst, id->spi, id->proto, data->reqid, id->mark, data->tfc, data->lifetime, data->enc_alg, data->enc_key, data->int_alg, data->int_key,
@@ -82,6 +88,12 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 private_kernel_android_ipsec_t *this, kernel_ipsec_sa_id_t *id,
 kernel_ipsec_update_sa_t *data)
 {
+ if (!data->new_encap)
+ {
+ DBG1(DBG_ESP, "failed to update SAD entry: can't deactivate UDP "
+ "encapsulation");
+ return NOT_SUPPORTED;
+ }
 return ipsec->sas->update_sa(ipsec->sas, id->spi, id->proto, data->cpi, id->src, id->dst, data->new_src, data->new_dst, data->encap, data->new_encap, id->mark);
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index 8df2e3dbc5..1747518335 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
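Review bot: The new guard in android_ipsec.c's add_sa states no reason for rejecting an SA without UDP encapsulation, and that reason no longer lives in libipsec either, since the equivalent check is removed from ipsec_sa_mgr.c further down in this commit. A short comment above `if (!data->encap)` would carry it: `/* libipsec only processes ESP inside UDP encapsulation; the SA manager no longer rejects unencapsulated SAs itself, so each kernel interface built on it has to */`. The first half of that comment is inferred from the log message and should be confirmed against libipsec's ESP socket handling before it is written as fact. add_sa's body continues past the end of the hunk.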
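Review bot: The update_sa guard returns NOT_SUPPORTED where the add_sa guard in the hunk above returns FAILED, and nothing at the check says why the two differ; the distinction is carried over from the code removed from ipsec_sa_mgr.c, but a reader of this file can no longer tell it is deliberate. I would add `/* NOT_SUPPORTED rather than FAILED: presumably lets the caller fall back to re-creating the SA instead of treating the address update as fatal - confirm against the child SA update path */` above `if (!data->new_encap)`. update_sa's body continues past the end of the hunk.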
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -263,6 +263,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 private_kernel_libipsec_ipsec_t *this, kernel_ipsec_sa_id_t *id,
 kernel_ipsec_add_sa_t *data)
 {
+ if (!data->encap)
+ {
+ DBG1(DBG_ESP, "failed to add SAD entry: only UDP encapsulation is "
+ "supported");
+ return FAILED;
+ }
 return ipsec->sas->add_sa(ipsec->sas, id->src, id->dst, id->spi, id->proto, data->reqid, id->mark, data->tfc, data->lifetime, data->enc_alg, data->enc_key, data->int_alg, data->int_key,
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index 76006a851c..56698f3f08 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -518,12 +518,6 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 DBG2(DBG_ESP, " using integrity algorithm %N with key size %d",
 integrity_algorithm_names, int_alg, int_key.len * 8);
- if (!encap)
- {
- DBG1(DBG_ESP, " IPsec SA: only UDP encapsulation is supported");
- return FAILED;
- }
-
 sa_new = ipsec_sa_create(spi, src, dst, protocol, reqid, mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi, encap, esn, inbound);
@@ -574,13 +568,6 @@ METHOD(ipsec_sa_mgr_t, update_sa, status_t,
 DBG2(DBG_ESP, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
 ntohl(spi), src, dst, new_src, new_dst);
- if (!new_encap)
- {
- DBG1(DBG_ESP, "failed to update SAD entry: can't deactivate UDP "
- "encapsulation");
- return NOT_SUPPORTED;
- }
-
 this->mutex->lock(this->mutex);
 if (this->sas->find_first(this->sas, match_entry_by_spi_src_dst_cb, (void**)&entry, spi, src, dst) &&
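Review bot: kernel_libipsec_ipsec.c only gains the add_sa guard; no matching `if (!data->new_encap)` check is added to its update_sa, while the ipsec_sa_mgr.c hunk below removes the `if (!new_encap)` / NOT_SUPPORTED rejection from libipsec's own update_sa. If this plugin's update_sa still forwards to ipsec->sas->update_sa (it is outside this diff), an update that switches UDP encapsulation off is now passed through unchecked on this plugin, whereas the android plugin in the same commit rejects it. Mirroring the android check — `if (!data->new_encap) { DBG1(DBG_ESP, "failed to update SAD entry: can't deactivate UDP " "encapsulation"); return NOT_SUPPORTED; }` — would keep the two users of libipsec consistent. add_sa's body continues past the end of the hunk.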