kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD

The FreeBSD kernel explicitly rejects messages containing keys for mature SAs. Fixes #2457.
author: Tobias Brunner <tobias@strongswan.org> 2017-11-03 09:37:44 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2017-11-08 16:34:12 +0100
commit: 21a500a092e4a2a0f91118846fede5f445d59d31 (patch)
tree: c2eb4f2859de69bed70ac9533712de65a57572cb /src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
parent: 441d083cfb883ec2f02b168d67d18f371416bf9a (diff)
download: strongswan-21a500a092e4a2a0f91118846fede5f445d59d31.tar.bz2
strongswan-21a500a092e4a2a0f91118846fede5f445d59d31.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index fd1adb2ae..eca0bc132 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1960,6 +1960,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	PFKEY_EXT_COPY(msg, response.lft_soft);
 	PFKEY_EXT_COPY(msg, response.lft_hard);
 
+#ifndef __FreeBSD__
+	/* FreeBSD 11.1 does not allow key updates via SADB_UPDATE for mature SAs */
 	if (response.key_encr)
 	{
 		PFKEY_EXT_COPY(msg, response.key_encr);
@@ -1969,6 +1971,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	{
 		PFKEY_EXT_COPY(msg, response.key_auth);
 	}
+#endif
 
 #ifdef HAVE_NATT
 	if (data->new_encap)
author	Tobias Brunner <tobias@strongswan.org>	2017-11-03 09:37:44 +0100
committer	Tobias Brunner <tobias@strongswan.org>	2017-11-08 16:34:12 +0100
commit	21a500a092e4a2a0f91118846fede5f445d59d31 (patch)
tree	c2eb4f2859de69bed70ac9533712de65a57572cb /src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
parent	441d083cfb883ec2f02b168d67d18f371416bf9a (diff)
download	strongswan-21a500a092e4a2a0f91118846fede5f445d59d31.tar.bz2 strongswan-21a500a092e4a2a0f91118846fede5f445d59d31.tar.xz