Use rng to generate local ESP SPIs
authorAdrian-Ken Rueegsegger <ken@codelabs.ch>
Wed, 12 Sep 2012 09:52:08 +0000 (11:52 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Mar 2013 14:23:48 +0000 (15:23 +0100)
src/charon-tkm/src/charon-tkm.c
src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
src/charon-tkm/tests/keymat_tests.c

index 1d21e7d..f7b5900 100644 (file)
@@ -28,7 +28,6 @@
 #include <hydra.h>
 #include <daemon.h>
 #include <plugins/kernel_netlink/kernel_netlink_net.h>
-
 #include <library.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
@@ -288,6 +287,7 @@ int main(int argc, char *argv[])
                        PLUGIN_PROVIDE(DH, MODP_4096_BIT),
                PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
                        PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+                       PLUGIN_DEPENDS(RNG, RNG_WEAK),
                PLUGIN_CALLBACK(kernel_net_register, kernel_netlink_net_create),
                        PLUGIN_PROVIDE(CUSTOM, "kernel-net"),
 
index 3a58e23..ce6a26e 100644 (file)
@@ -39,6 +39,11 @@ struct private_tkm_kernel_ipsec_t {
        tkm_kernel_ipsec_t public;
 
        /**
+        * RNG used for SPI generation.
+        */
+       rng_t *rng;
+
+       /**
         * Local CHILD SA SPI.
         */
        uint32_t esp_spi_loc;
@@ -50,9 +55,9 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
        u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
        DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-       /* fake SPI for now */
-       *spi = 92726226;
-       return SUCCESS;
+       const bool result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
+                                                                                        (u_int8_t *)spi);
+       return result ? SUCCESS : FAILED;
 }
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
@@ -209,6 +214,7 @@ METHOD(kernel_ipsec_t, enable_udp_decap, bool,
 METHOD(kernel_ipsec_t, destroy, void,
        private_tkm_kernel_ipsec_t *this)
 {
+       DESTROY_IF(this->rng);
        free(this);
 }
 
@@ -238,8 +244,16 @@ tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
                                .destroy = _destroy,
                        },
                },
+               .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
                .esp_spi_loc = 0,
        );
 
+       if (!this->rng)
+       {
+               DBG1(DBG_KNL, "unable to create RNG");
+               destroy(this);
+               return NULL;
+       }
+
        return &this->public;
 }
index 0d74ad5..82ecf1c 100644 (file)
@@ -43,6 +43,7 @@ START_TEST(test_derive_ike_keys)
                        PLUGIN_PROVIDE(DH, MODP_4096_BIT),
                PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
                        PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+                       PLUGIN_DEPENDS(RNG, RNG_WEAK),
                PLUGIN_CALLBACK(kernel_net_register, kernel_netlink_net_create),
                        PLUGIN_PROVIDE(CUSTOM, "kernel-net"),
        };