[hipl-dev] [Branch ~hipl-core/hipl/trunk] Rev 6283: fix IPsec SA state build-up for updates conveying new SPI values

  • From: noreply@xxxxxxxxxxxxx
  • To: HIPL core team <hipl-dev@xxxxxxxxxxxxx>
  • Date: Fri, 17 Feb 2012 10:54:13 -0000

------------------------------------------------------------
revno: 6283
committer: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
branch nick: trunk
timestamp: Fri 2012-02-17 11:45:47 +0100
message:
  fix IPsec SA state build-up for updates conveying new SPI values
  
  The hipd currently only supports mobility updates, whereas rekeying is
  not supported. Hence, our SA processing only considers the new SPI
  portion of ESP_INFO parameters. However, other implementations
  support rekeying and might send updates, where the old SPI does not
  match the new one indicating a rekeying event. In this case, we also
  need to consider the old SPI contained in the ESP_INFO parameter in
  order to allow the deletion of old SA entries. Otherwise, our SADB
  will fill up with stale SA entries.
modified:
  hipd/hadb.c
  hipd/input.c
  lib/core/state.h
  modules/update/hipd/update_param_handling.c


--
lp:hipl
https://code.launchpad.net/~hipl-core/hipl/trunk

Your team HIPL core team is subscribed to branch lp:hipl.
To unsubscribe from this branch go to 
https://code.launchpad.net/~hipl-core/hipl/trunk/+edit-subscription

=== modified file 'hipd/hadb.c'
--- hipd/hadb.c 2012-01-25 20:45:27 +0000
+++ hipd/hadb.c 2012-02-17 10:45:47 +0000
@@ -1456,28 +1456,31 @@
  */
 void hip_delete_security_associations_and_sp(struct hip_hadb_state *const ha)
 {
-    int prev_spi_out = ha->spi_outbound_current;
-    int prev_spi_in  = ha->spi_inbound_current;
-
     // Delete previous security policies
     hip_delete_hit_sp_pair(&ha->hit_our, &ha->hit_peer, 1);
     hip_delete_hit_sp_pair(&ha->hit_peer, &ha->hit_our, 1);
 
     // Delete the previous SAs
-    HIP_DEBUG("Previous SPI out =0x%x\n", prev_spi_out);
-    HIP_DEBUG("Previous SPI in =0x%x\n", prev_spi_in);
+    HIP_DEBUG("Previous SPI out =0x%x\n", ha->spi_outbound_old);
+    HIP_DEBUG("Previous SPI in =0x%x\n", ha->spi_inbound_current);
 
     HIP_DEBUG_IN6ADDR("Our current active addr", &ha->our_addr);
     HIP_DEBUG_IN6ADDR("Peer's current active addr", &ha->peer_addr);
 
-    hip_delete_sa(prev_spi_out,
+    hip_delete_sa(ha->spi_outbound_old,
                   &ha->peer_addr,
                   HIP_SPI_DIRECTION_OUT,
                   ha);
-    hip_delete_sa(prev_spi_in,
+    hip_delete_sa(ha->spi_inbound_current,
                   &ha->our_addr,
                   HIP_SPI_DIRECTION_IN,
                   ha);
+
+    /* Also make sure that the new SPI is not used twice for the connection */
+    hip_delete_sa(ha->spi_outbound_new,
+                  &ha->peer_addr,
+                  HIP_SPI_DIRECTION_OUT,
+                  ha);
 }
 
 /**

=== modified file 'hipd/input.c'
--- hipd/input.c        2012-01-30 11:29:16 +0000
+++ hipd/input.c        2012-02-17 10:45:47 +0000
@@ -1077,7 +1077,7 @@
         return -EINVAL;
     }
 
-    ctx->hadb_entry->spi_outbound_current = ntohl(esp_info->new_spi);
+    ctx->hadb_entry->spi_outbound_old = ntohl(esp_info->old_spi);
     /* Copy SPI out value here or otherwise ICE code has zero SPI */
     ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi);
 
@@ -1666,7 +1666,7 @@
     HIP_IFEL(!(esp_info = hip_get_param(ctx->input_msg, HIP_PARAM_ESP_INFO)),
              -EINVAL, "Parameter SPI not found.\n");
 
-    ctx->hadb_entry->spi_outbound_current = ntohl(esp_info->new_spi);
+    ctx->hadb_entry->spi_outbound_old = ntohl(esp_info->old_spi);
     /* Copy SPI out value here or otherwise ICE code has zero SPI */
     ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi);
 

=== modified file 'lib/core/state.h'
--- lib/core/state.h    2011-12-21 11:39:54 +0000
+++ lib/core/state.h    2012-02-17 10:45:47 +0000
@@ -317,7 +317,7 @@
     int inbound_sa_count;
 
     int spi_inbound_current;
-    int spi_outbound_current;
+    int spi_outbound_old;
     int spi_outbound_new;
 
     /* modular state */

=== modified file 'modules/update/hipd/update_param_handling.c'
--- modules/update/hipd/update_param_handling.c 2012-01-14 14:20:17 +0000
+++ modules/update/hipd/update_param_handling.c 2012-02-17 10:45:47 +0000
@@ -143,6 +143,7 @@
 
         // set the new spi value for the association
         // TODO add rekeying functionality here
+        ctx->hadb_entry->spi_outbound_old = ntohl(esp_info->old_spi);
         ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi);
     }

Other related posts:

  • » [hipl-dev] [Branch ~hipl-core/hipl/trunk] Rev 6283: fix IPsec SA state build-up for updates conveying new SPI values - noreply
  1. Home
  2. hipl-dev
  3. Archive
  4. 02-2012