From d0ab667c99a7ac4ecfe6cb0f941843a6751a600e Mon Sep 17 00:00:00 2001
From: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Date: Wed, 12 Sep 2012 11:52:08 +0200
Subject: Use rng to generate local ESP SPIs

---
 src/charon-tkm/src/charon-tkm.c           |  2 +-
 src/charon-tkm/src/tkm/tkm_kernel_ipsec.c | 20 +++++++++++++++++---
 src/charon-tkm/tests/keymat_tests.c       |  1 +
 3 files changed, 19 insertions(+), 4 deletions(-)

(limited to 'src/charon-tkm')

diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 1d21e7daf..f7b59008c 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -28,7 +28,6 @@
 #include <hydra.h>
 #include <daemon.h>
 #include <plugins/kernel_netlink/kernel_netlink_net.h>
-
 #include <library.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
@@ -288,6 +287,7 @@ int main(int argc, char *argv[])
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+			PLUGIN_DEPENDS(RNG, RNG_WEAK),
 		PLUGIN_CALLBACK(kernel_net_register, kernel_netlink_net_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-net"),
 
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index 3a58e23fe..ce6a26e5b 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -38,6 +38,11 @@ struct private_tkm_kernel_ipsec_t {
 	 */
 	tkm_kernel_ipsec_t public;
 
+	/**
+	 * RNG used for SPI generation.
+	 */
+	rng_t *rng;
+
 	/**
 	 * Local CHILD SA SPI.
 	 */
@@ -50,9 +55,9 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-	/* fake SPI for now */
-	*spi = 92726226;
-	return SUCCESS;
+	const bool result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
+											 (u_int8_t *)spi);
+	return result ? SUCCESS : FAILED;
 }
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
@@ -209,6 +214,7 @@ METHOD(kernel_ipsec_t, enable_udp_decap, bool,
 METHOD(kernel_ipsec_t, destroy, void,
 	private_tkm_kernel_ipsec_t *this)
 {
+	DESTROY_IF(this->rng);
 	free(this);
 }
 
@@ -238,8 +244,16 @@ tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
 				.destroy = _destroy,
 			},
 		},
+		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
 		.esp_spi_loc = 0,
 	);
 
+	if (!this->rng)
+	{
+		DBG1(DBG_KNL, "unable to create RNG");
+		destroy(this);
+		return NULL;
+	}
+
 	return &this->public;
 }
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index 0d74ad55c..82ecf1ce3 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -43,6 +43,7 @@ START_TEST(test_derive_ike_keys)
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+			PLUGIN_DEPENDS(RNG, RNG_WEAK),
 		PLUGIN_CALLBACK(kernel_net_register, kernel_netlink_net_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-net"),
 	};
-- 
cgit v1.2.3