Install fallback drop policies to avoid transmitting unencrypted packets.
author Tobias Brunner <tobias@strongswan.org>
Wed, 27 Jul 2011 11:44:33 +0000 (13:44 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Wed, 27 Jul 2011 11:44:33 +0000 (13:44 +0200)
commit d7a59f1976f1d917f5cc934a95f1a809148cb160
tree dc86ddef6984aa1b1f0856728b749b0900bd1519
parent fbedc6a45b9c18f13972c8e1a7ada0ef5fb67210
Install fallback drop policies to avoid transmitting unencrypted packets.

During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy
is first uninstalled and then the new one is installed.  In the short
time in between, where no policy is available in the kernel, unencrypted
packets could have been transmitted.
src/libcharon/sa/child_sa.c
src/libhydra/kernel/kernel_ipsec.h
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c