Use rng to generate local ESP SPIs

2025-11-27 00:00:29 -05:00 · 2012-09-12 11:52:08 +02:00 · 2012-09-12 11:52:08 +02:00 · d0ab667c99
commit d0ab667c99
parent 6ed5c3bb1e
3 changed files with 19 additions and 4 deletions
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@ -28,7 +28,6 @@
 #include <hydra.h>
 #include <daemon.h>
 #include <plugins/kernel_netlink/kernel_netlink_net.h>
-
 #include <library.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
@ -288,6 +287,7 @@ int main(int argc, char *argv[])
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+			PLUGIN_DEPENDS(RNG, RNG_WEAK),
 		PLUGIN_CALLBACK(kernel_net_register, kernel_netlink_net_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-net"),

--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@ -38,6 +38,11 @@ struct private_tkm_kernel_ipsec_t {
 	 */
 	tkm_kernel_ipsec_t public;

+	/**
+	 * RNG used for SPI generation.
+	 */
+	rng_t *rng;
+
 	/**
 	 * Local CHILD SA SPI.
 	 */
@ -50,9 +55,9 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-	/* fake SPI for now */
-	*spi = 92726226;
-	return SUCCESS;
+	const bool result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
+											 (u_int8_t *)spi);
+	return result ? SUCCESS : FAILED;
 }

 METHOD(kernel_ipsec_t, get_cpi, status_t,
@ -209,6 +214,7 @@ METHOD(kernel_ipsec_t, enable_udp_decap, bool,
 METHOD(kernel_ipsec_t, destroy, void,
 	private_tkm_kernel_ipsec_t *this)
 {
+	DESTROY_IF(this->rng);
 	free(this);
 }

@ -238,8 +244,16 @@ tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
 				.destroy = _destroy,
 			},
 		},
+		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
 		.esp_spi_loc = 0,
 	);

+	if (!this->rng)
+	{
+		DBG1(DBG_KNL, "unable to create RNG");
+		destroy(this);
+		return NULL;
+	}
+
 	return &this->public;
 }
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@ -43,6 +43,7 @@ START_TEST(test_derive_ike_keys)
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+			PLUGIN_DEPENDS(RNG, RNG_WEAK),
 		PLUGIN_CALLBACK(kernel_net_register, kernel_netlink_net_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-net"),
 	};