------------------------------------------------------------ revno: 6283 committer: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx> branch nick: trunk timestamp: Fri 2012-02-17 11:45:47 +0100 message: fix IPsec SA state build-up for updates conveying new SPI values The hipd currently only supports mobility updates, whereas rekeying is not supported. Hence, our SA processing only considers the new SPI portion of ESP_INFO parameters. However, other implementations support rekeying and might send updates, where the old SPI does not match the new one indicating a rekeying event. In this case, we also need to consider the old SPI contained in the ESP_INFO parameter in order to allow the deletion of old SA entries. Otherwise, our SADB will fill up with stale SA entries. modified: hipd/hadb.c hipd/input.c lib/core/state.h modules/update/hipd/update_param_handling.c -- lp:hipl https://code.launchpad.net/~hipl-core/hipl/trunk Your team HIPL core team is subscribed to branch lp:hipl. To unsubscribe from this branch go to https://code.launchpad.net/~hipl-core/hipl/trunk/+edit-subscription
=== modified file 'hipd/hadb.c' --- hipd/hadb.c 2012-01-25 20:45:27 +0000 +++ hipd/hadb.c 2012-02-17 10:45:47 +0000 @@ -1456,28 +1456,31 @@ */ void hip_delete_security_associations_and_sp(struct hip_hadb_state *const ha) { - int prev_spi_out = ha->spi_outbound_current; - int prev_spi_in = ha->spi_inbound_current; - // Delete previous security policies hip_delete_hit_sp_pair(&ha->hit_our, &ha->hit_peer, 1); hip_delete_hit_sp_pair(&ha->hit_peer, &ha->hit_our, 1); // Delete the previous SAs - HIP_DEBUG("Previous SPI out =0x%x\n", prev_spi_out); - HIP_DEBUG("Previous SPI in =0x%x\n", prev_spi_in); + HIP_DEBUG("Previous SPI out =0x%x\n", ha->spi_outbound_old); + HIP_DEBUG("Previous SPI in =0x%x\n", ha->spi_inbound_current); HIP_DEBUG_IN6ADDR("Our current active addr", &ha->our_addr); HIP_DEBUG_IN6ADDR("Peer's current active addr", &ha->peer_addr); - hip_delete_sa(prev_spi_out, + hip_delete_sa(ha->spi_outbound_old, &ha->peer_addr, HIP_SPI_DIRECTION_OUT, ha); - hip_delete_sa(prev_spi_in, + hip_delete_sa(ha->spi_inbound_current, &ha->our_addr, HIP_SPI_DIRECTION_IN, ha); + + /* Also make sure that the new SPI is not used twice for the connection */ + hip_delete_sa(ha->spi_outbound_new, + &ha->peer_addr, + HIP_SPI_DIRECTION_OUT, + ha); } /** === modified file 'hipd/input.c' --- hipd/input.c 2012-01-30 11:29:16 +0000 +++ hipd/input.c 2012-02-17 10:45:47 +0000 @@ -1077,7 +1077,7 @@ return -EINVAL; } - ctx->hadb_entry->spi_outbound_current = ntohl(esp_info->new_spi); + ctx->hadb_entry->spi_outbound_old = ntohl(esp_info->old_spi); /* Copy SPI out value here or otherwise ICE code has zero SPI */ ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi); @@ -1666,7 +1666,7 @@ HIP_IFEL(!(esp_info = hip_get_param(ctx->input_msg, HIP_PARAM_ESP_INFO)), -EINVAL, "Parameter SPI not found.\n"); - ctx->hadb_entry->spi_outbound_current = ntohl(esp_info->new_spi); + ctx->hadb_entry->spi_outbound_old = ntohl(esp_info->old_spi); /* Copy SPI out value here or otherwise ICE code has zero SPI */ ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi); === modified file 'lib/core/state.h' --- lib/core/state.h 2011-12-21 11:39:54 +0000 +++ lib/core/state.h 2012-02-17 10:45:47 +0000 @@ -317,7 +317,7 @@ int inbound_sa_count; int spi_inbound_current; - int spi_outbound_current; + int spi_outbound_old; int spi_outbound_new; /* modular state */ === modified file 'modules/update/hipd/update_param_handling.c' --- modules/update/hipd/update_param_handling.c 2012-01-14 14:20:17 +0000 +++ modules/update/hipd/update_param_handling.c 2012-02-17 10:45:47 +0000 @@ -143,6 +143,7 @@ // set the new spi value for the association // TODO add rekeying functionality here + ctx->hadb_entry->spi_outbound_old = ntohl(esp_info->old_spi); ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi); }