diff options
-rw-r--r-- | conf/options/charon.opt | 6 | ||||
-rw-r--r-- | src/libcharon/kernel/kernel_interface.h | 6 | ||||
-rw-r--r-- | src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 13 | ||||
-rw-r--r-- | src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 13 | ||||
-rw-r--r-- | src/libipsec/ipsec_sa_mgr.c | 16 |
5 files changed, 46 insertions, 8 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 7c56fc1e5..493d73f16 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -350,6 +350,12 @@ charon.signature_authentication_constraints = yes certificate chain, are also used as constraints against the signature scheme used by peers during IKEv2. +charon.spi_min = 0xc0000000 + The lower limit for SPIs requested from the kernel for IPsec SAs. + +charon.spi_max = 0xcfffffff + The upper limit for SPIs requested from the kernel for IPsec SAs. + charon.start-scripts {} Section containing a list of scripts (name = path) that are executed when the daemon is started. diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h index 96c9ffa62..d601ebd4e 100644 --- a/src/libcharon/kernel/kernel_interface.h +++ b/src/libcharon/kernel/kernel_interface.h @@ -57,6 +57,12 @@ typedef enum kernel_feature_t kernel_feature_t; #include <kernel/kernel_net.h> /** + * Default range for SPIs requested from kernels + */ +#define KERNEL_SPI_MIN 0xc0000000 +#define KERNEL_SPI_MAX 0xcfffffff + +/** * Bitfield of optional features a kernel backend supports. * * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 0dd793ffa..becf6b5dc 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2016 Tobias Brunner + * Copyright (C) 2006-2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2008-2016 Andreas Steffen * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser @@ -1211,8 +1211,15 @@ METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi) { - if (get_spi_internal(this, src, dst, protocol, - 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS) + uint32_t spi_min, spi_max; + + spi_min = lib->settings->get_int(lib->settings, "%s.spi_min", + KERNEL_SPI_MIN, lib->ns); + spi_max = lib->settings->get_int(lib->settings, "%s.spi_max", + KERNEL_SPI_MAX, lib->ns); + + if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max), + max(spi_min, spi_max), spi) != SUCCESS) { DBG1(DBG_KNL, "unable to get SPI"); return FAILED; diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index c99fe67ec..17878147b 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2016 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2008 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -1586,8 +1586,15 @@ METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi) { - if (get_spi_internal(this, src, dst, protocol, - 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS) + uint32_t spi_min, spi_max; + + spi_min = lib->settings->get_int(lib->settings, "%s.spi_min", + KERNEL_SPI_MIN, lib->ns); + spi_max = lib->settings->get_int(lib->settings, "%s.spi_max", + KERNEL_SPI_MAX, lib->ns); + + if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max), + max(spi_min, spi_max), spi) != SUCCESS) { DBG1(DBG_KNL, "unable to get SPI"); return FAILED; diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c index ec35c6ea3..031d599a1 100644 --- a/src/libipsec/ipsec_sa_mgr.c +++ b/src/libipsec/ipsec_sa_mgr.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2017 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * Hochschule fuer Technik Rapperswil @@ -398,7 +398,18 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi) { - uint32_t spi_new; + uint32_t spi_min, spi_max, spi_new; + + spi_min = lib->settings->get_int(lib->settings, "%s.spi_min", + KERNEL_SPI_MIN, lib->ns); + spi_max = lib->settings->get_int(lib->settings, "%s.spi_max", + KERNEL_SPI_MAX, lib->ns); + if (spi_min > spi_max) + { + spi_new = spi_min; + spi_min = spi_max; + spi_max = spi_new; + } this->mutex->lock(this->mutex); if (!this->rng) @@ -421,6 +432,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, DBG1(DBG_ESP, "failed to allocate SPI"); return FAILED; } + spi_new = spi_min + spi_new % (spi_max - spi_min + 1); /* make sure the SPI is valid (not in range 0-255) */ spi_new |= 0x00000100; spi_new = htonl(spi_new); |