kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAs
authorTobias Brunner <tobias@strongswan.org>
Mon, 16 Jan 2017 16:01:33 +0000 (17:01 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 25 Jan 2017 16:30:57 +0000 (17:30 +0100)
Picky kernels might otherwise reject our messages, as RFC 2367 explicitly
mandates this.

Fixes #2212.

src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index 1b22ea5..97cf780 100644 (file)
@@ -1717,6 +1717,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(len);
        sa->sadb_sa_spi = id->spi;
+       sa->sadb_sa_state = SADB_SASTATE_MATURE;
        if (id->proto == IPPROTO_COMP)
        {
                sa->sadb_sa_encrypt = lookup_algorithm(COMPRESSION_ALGORITHM,
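Review bot: The added `sa->sadb_sa_state = SADB_SASTATE_MATURE;` in add_sa has no comment, so the reason for it (RFC 2367 mandates the state and stricter kernels may reject the message otherwise) is recorded only in the commit message; the identical line in the update_sa hunk has the same gap. I would put `/* RFC 2367 requires SADB_SASTATE_MATURE for SADB_ADD/SADB_UPDATE, kernels may reject the message otherwise */` above each assignment so it is not later removed as redundant. A rejected message presumably leaves the SA uninstalled, so it is worth checking that the error path reports the kernel's rejection clearly. That code is not visible here, as both hunks start and end inside the method bodies.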
@@ -1889,6 +1890,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = id->spi;
+       sa->sadb_sa_state = SADB_SASTATE_MATURE;
        PFKEY_EXT_ADD(msg, sa);
 
        /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though