child-sa: Set replay window on both inbound and outbound SA
authorMartin Willi <martin@revosec.ch>
Wed, 18 Jun 2014 14:50:18 +0000 (16:50 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 18 Jun 2014 14:54:19 +0000 (16:54 +0200)
While the outbound SA does not actually need a replay window, the kernel rejects
a zero replay window on SAs using ESN. The ESN flag is required to use the full
sequence number in the ICV calculation, hence we set the replay window on both SAs.

This restores the behavior we had before 30c009c2.

src/libcharon/sa/child_sa.c

index bcb0ca2..a96ab4e 100644 (file)
@@ -639,7 +639,6 @@ METHOD(child_sa_t, install, status_t,
        host_t *src, *dst;
        status_t status;
        bool update = FALSE;
-       u_int32_t replay_window = 0;
 
        /* now we have to decide which spi to use. Use self allocated, if "in",
         * or the one in the proposal, if not "in" (others). Additionally,
@@ -654,9 +653,6 @@ METHOD(child_sa_t, install, status_t,
                }
                this->my_spi = spi;
                this->my_cpi = cpi;
-
-               /* required on inbound SA only */
-               replay_window = this->config->get_replay_window(this->config);
        }
        else
        {
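Review bot: Dropping `/* required on inbound SA only */` here removes the only in-code record of the inbound/outbound asymmetry, and the reason the outbound SA now gets a window as well exists only in the commit message. Since get_replay_window() is now called unconditionally at the add_sa() call in the later hunk, a comment at that call such as `/* outbound does not need a replay window, but the kernel rejects a zero window on ESN SAs, so set it on both */` would keep the rationale next to the code. It is also worth noting that if the configured replay window can be 0 on a child config that negotiates ESN, the rejection described in the commit message presumably still occurs, so a documented minimum or a check on the config side may be warranted. The enclosing install method starts before the first hunk and continues past the last.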
@@ -726,8 +722,8 @@ METHOD(child_sa_t, install, status_t,
                                src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
                                inbound ? this->mark_in : this->mark_out, tfc,
                                lifetime, enc_alg, encr, int_alg, integ, this->mode,
-                               this->ipcomp, cpi, replay_window, initiator, this->encap,
-                               esn, update, src_ts, dst_ts);
+                               this->ipcomp, cpi, this->config->get_replay_window(this->config),
+                               initiator, this->encap, esn, update, src_ts, dst_ts);
 
        free(lifetime);