authorTobias Brunner <tobias@strongswan.org>2011-07-27 13:44:33 +0200
committerTobias Brunner <tobias@strongswan.org>2011-07-27 13:44:33 +0200
commitd7a59f1976f1d917f5cc934a95f1a809148cb160 (patch)
treedc86ddef6984aa1b1f0856728b749b0900bd1519 /src
parentfbedc6a45b9c18f13972c8e1a7ada0ef5fb67210 (diff)
Install fallback drop policies to avoid transmitting unencrypted packets.
During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy is first uninstalled and then the new one is installed. In the short time in between, when no policy is installed in the kernel, unencrypted packets could have been transmitted.
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/child_sa.c17
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h2
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c3
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c3
4 files changed, 25 insertions, 0 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 4c97b52eb..e262a2b8f 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -715,6 +715,17 @@ METHOD(child_sa_t, add_policies, status_t,
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
+ /* install outbound drop policy to avoid packets leaving unencrypted
+ * when updating policies */
+ if (priority == POLICY_PRIORITY_DEFAULT)
+ {
+ status |= hydra->kernel_interface->add_policy(
+ hydra->kernel_interface,
+ this->my_addr, this->other_addr, my_ts, other_ts,
+ POLICY_OUT, POLICY_DROP, &other_sa,
+ this->mark_out, POLICY_PRIORITY_FALLBACK);
+ }
+
/* install 3 policies: out, in and forward */
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface,
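Review bot: The new fallback block explains why the drop policy exists but not the ordering that makes it safe: it relies on POLICY_PRIORITY_FALLBACK ranking below the real outbound policy installed right after it, so the drop rule only matches while that policy is absent. I would extend the comment on the first added line to say so, e.g. `/* install an outbound drop policy at POLICY_PRIORITY_FALLBACK, i.e. below the real policy added below, so it only matches while that policy is missing (e.g. while updating policies) */`. `other_sa` and `priority` are defined outside the hunk, and add_policies itself starts and ends outside it. Folding the drop rule's install result into `status` like the other policies reads as the intended fail-closed behaviour.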
@@ -963,6 +974,12 @@ METHOD(child_sa_t, destroy, void,
other_ts, my_ts, POLICY_FWD, this->reqid,
this->mark_in, priority);
}
+ if (priority == POLICY_PRIORITY_DEFAULT)
+ {
+ hydra->kernel_interface->del_policy(hydra->kernel_interface,
+ my_ts, other_ts, POLICY_OUT, this->reqid,
+ this->mark_out, POLICY_PRIORITY_FALLBACK);
+ }
}
enumerator->destroy(enumerator);
}
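Review bot: The fallback policy is removed only after the three real policies, which is the right order (outbound traffic stays blocked until the real policy is gone), but nothing records that, so a later reordering would silently reopen the gap this commit closes. I would add `/* remove the fallback drop policy last, so no outbound packet leaves in the clear while the real policies go away */` above the added `if`. The enclosing destroy method starts outside the hunk; discarding the `del_policy` return value matches the calls above it, so the style is consistent.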
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 375945917..986e21fca 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -98,6 +98,8 @@ enum policy_priority_t {
POLICY_PRIORITY_DEFAULT,
/** Priority for trap policies */
POLICY_PRIORITY_ROUTED,
+ /** Priority for fallback drop policies */
+ POLICY_PRIORITY_FALLBACK,
};
/**
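Review bot: The new enumerator carries an ordering requirement that its comment does not state: both kernel backends in this commit shift the base priority once more for POLICY_PRIORITY_FALLBACK than for POLICY_PRIORITY_ROUTED, so a fallback policy must rank below every other priority or it would shadow the policy it is meant to back up. I would document that on the member, e.g. `/** Priority for fallback drop policies; must map to the lowest precedence of all policy priorities */`. Any kernel_ipsec_t implementation outside this commit that switches on policy_priority_t presumably needs the same case added, which is worth confirming.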
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 26919a613..06720a0f4 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -575,6 +575,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
u_int32_t priority = PRIO_BASE;
switch (prio)
{
+ case POLICY_PRIORITY_FALLBACK:
+ priority <<= 1;
+ /* fall-through */
case POLICY_PRIORITY_ROUTED:
priority <<= 1;
/* fall-through */
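Review bot: The added case encodes the precedence chain only implicitly through the fall-through: a fallback policy gets two extra shifts, a routed one gets one, a default one none, and with XFRM a numerically larger priority is consulted later. A one-line comment on the new case would make that explicit, e.g. `/* fallback drop policies rank below trap (routed) policies, which rank below default ones */`. The hunk in kernel_pfkey_ipsec.c makes the identical addition and would take the same comment; the rest of get_priority lies outside both hunks.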
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index f96dbcf23..2b07fc2b2 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -509,6 +509,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
u_int32_t priority = PRIO_BASE;
switch (prio)
{
+ case POLICY_PRIORITY_FALLBACK:
+ priority <<= 1;
+ /* fall-through */
case POLICY_PRIORITY_ROUTED:
priority <<= 1;
/* fall-through */
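Review bot: With this change the PF_KEY backend depends on the kernel honouring policy priorities for correctness rather than mere preference: if a platform's PF_KEY interface does not carry a policy priority, the fallback drop policy and the real outbound policy would be installed with no defined ordering and the drop rule could win. I cannot see from the hunk whether add_policy in this file skips or rejects priorities on such kernels; if it does not, it should refuse POLICY_PRIORITY_FALLBACK there rather than install an unordered drop policy. get_priority continues outside the hunk.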