From 3c1290510366dc8c0dea4202f24dc1e01198aefe Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 8 Jun 2016 16:06:53 +0200
Subject: ipsec: Add function to compare two ipsec_sa_cfg_t instances

memeq() is currently used to compare these but if there is padding that is not initialized the same for two instances the comparison fails. Using this function ensures the objects are compared correctly.
---
 src/libstrongswan/ipsec/ipsec_types.c | 16 ++++++++++++++++
 src/libstrongswan/ipsec/ipsec_types.h | 9 +++++++++
 2 files changed, 25 insertions(+)
(limited to 'src')
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index f2ee11ee8..a52a1eb51 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -37,6 +37,22 @@ ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH,
 "IPCOMP_LZJH"
 );
 
+/*
+ * See header
+ */
+bool ipsec_sa_cfg_equals(ipsec_sa_cfg_t *a, ipsec_sa_cfg_t *b)
+{
+ return a->mode == b->mode &&
+ a->reqid == b->reqid &&
+ a->policy_count == b->policy_count &&
+ a->esp.use == b->esp.use &&
+ a->esp.spi == b->esp.spi &&
+ a->ah.use == b->ah.use &&
+ a->ah.spi == b->ah.spi &&
+ a->ipcomp.transform == b->ipcomp.transform &&
+ a->ipcomp.cpi == b->ipcomp.cpi;
+}
+
 /*
 * See header
 */
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
index cbc0d089b..c93d95562 100644
--- a/src/libstrongswan/ipsec/ipsec_types.h
+++ b/src/libstrongswan/ipsec/ipsec_types.h
@@ -142,6 +142,15 @@ struct ipsec_sa_cfg_t {
 } ipcomp;
 };
 
+/**
+ * Compare two ipsec_sa_cfg_t objects for equality.
+ *
+ * @param a first object
+ * @param b second object
+ * @return TRUE if both objects are equal
+ */
+bool ipsec_sa_cfg_equals(ipsec_sa_cfg_t *a, ipsec_sa_cfg_t *b);
+
 /**
 * A lifetime_cfg_t defines the lifetime limits of an SA.
 *
-- cgit v1.2.3

From 87ed9a5ffb1935f16390cadc94caf2d0cd319bbc Mon Sep 17 00:00:00 2001
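Review bot: Neither parameter of the new ipsec_sa_cfg_equals() is written through, so both should be const-qualified here and in the declaration the same commit adds to ipsec_types.h: `bool ipsec_sa_cfg_equals(const ipsec_sa_cfg_t *a, const ipsec_sa_cfg_t *b);`. This lets callers that only hold a const view of a configuration (for example one taken from a const ipsec_sa_t) use the function without a cast, and documents at the signature that equality checking has no side effects. The function is otherwise self-contained within the hunk and dereferences both pointers unconditionally, which matches the two call sites in the follow-up commits that pass the address of an embedded struct.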
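Review bot: The field-by-field comparison removes the padding problem the commit message describes, but it introduces a coupling the header does not mention: any field added to ipsec_sa_cfg_t later must also be added to ipsec_sa_cfg_equals(), or two configurations that differ only in that field will compare equal, which is the opposite failure mode of the memeq() it replaces. Since the next change to the struct happens at its definition rather than at this declaration, I would put the reminder there, directly above `struct ipsec_sa_cfg_t {`: `/* When adding fields here, update ipsec_sa_cfg_equals() as well. */`. Judging from the struct tail visible in the hunk context (`} ipcomp; };`) the nine compared fields appear to cover the whole struct as of this commit, but I cannot see its head here to confirm that.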
From: Tobias Brunner
Date: Wed, 8 Jun 2016 16:10:30 +0200
Subject: kernel-netlink: Use ipsec_sa_cfg_equals() and compare marks properly
---
 src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index add4761f6..ab896a4ae 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -414,8 +414,9 @@ static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
 {
 return sa->src->ip_equals(sa->src, other_sa->src) &&
 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
- memeq(&sa->mark, &other_sa->mark, sizeof(mark_t)) &&
- memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
+ sa->mark.value == other_sa->mark.value &&
+ sa->mark.mask == other_sa->mark.mask &&
+ ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg);
 }
 
 /**
-- cgit v1.2.3

From 1ba2b015fae7b9f37500e9aff515cd532e5a8781 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 8 Jun 2016 16:11:07 +0200
Subject: kernel-pfkey: Use ipsec_sa_cfg_equals()
---
 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index be223b7d9..a0fd42995 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -352,7 +352,7 @@ static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
 {
 return sa->src->ip_equals(sa->src, other_sa->src) &&
 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
- memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
+ ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg);
 }
 
 /**
-- cgit v1.2.3
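Review bot: The two added mark lines spell out the fields of mark_t inside the netlink plugin, which recreates in miniature the maintenance hazard that ipsec_sa_cfg_equals() was introduced to remove: if mark_t ever grows a field, this comparison silently stops distinguishing SAs that differ only in it, and SA lookups in the kernel interface would match the wrong entry. A small helper beside ipsec_sa_cfg_equals() in libstrongswan, `bool mark_equals(const mark_t *a, const mark_t *b);`, returning `a->value == b->value && a->mask == b->mask`, would keep that knowledge next to the type, and this line would become `mark_equals(&sa->mark, &other_sa->mark) &&`. Assuming mark_t currently has only value and mask, which I cannot see from this hunk, the new comparison is otherwise complete; the enclosing ipsec_sa_equals() lies entirely within the hunk.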