libipsec: Pass separate inbound/update flags to the IPsec SA manager
authorMartin Willi <martin@revosec.ch>
Mon, 9 Mar 2015 17:08:52 +0000 (18:08 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 9 Mar 2015 17:18:20 +0000 (18:18 +0100)
Similar to other kernel interfaces, the libipsec backend uses the flag for
different purposes, and should therefore get separate flags.

src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.c
src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
src/libipsec/ipsec_sa_mgr.c
src/libipsec/ipsec_sa_mgr.h

index a0aefaa4e25b2ed084687000094c1302d83f2969..29099d487e985c42c7fcc01e4168d94ae9936c80 100644 (file)
@@ -66,12 +66,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
        u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
        u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
-       bool initiator, bool encap, bool esn, bool inbound,
+       bool initiator, bool encap, bool esn, bool inbound, bool update,
        linked_list_t *src_ts, linked_list_t *dst_ts)
 {
        return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
                                                          tfc, lifetime, enc_alg, enc_key, int_alg, int_key,
-                                                         mode, ipcomp, cpi, initiator, encap, esn, inbound);
+                                                         mode, ipcomp, cpi, initiator, encap, esn,
+                                                         inbound, update);
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
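Review bot: `update` is now the fifth consecutive positional `bool` in `add_sa`, so a caller that transposes `inbound` and `update` still compiles without any diagnostic. The same argument list is repeated in the kernel_libipsec wrapper, in the `ipsec_sa_mgr.c` definition and in the `ipsec_sa_mgr.h` prototype. Because `update` now decides whether the pre-allocated SPI entry is dropped, a silent swap would change SA-table behaviour rather than fail loudly. A cheap guard is a comment above the forwarded call, `/* flag order: initiator, encap, esn, inbound, update */`; folding the booleans into a single flags argument would be the sturdier follow-up.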
index eabcb931115929543cfae571a92586c95c3b287b..6246dc50535ab4a287946c99de2d0bf8dcd626bb 100644 (file)
@@ -259,7 +259,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 {
        return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
                                                          tfc, lifetime, enc_alg, enc_key, int_alg, int_key,
-                                                         mode, ipcomp, cpi, initiator, encap, esn, inbound);
+                                                         mode, ipcomp, cpi, initiator, encap, esn,
+                                                         inbound, update);
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
index 3496fc79c04a6e190f15bb80958ad0076c5e181f..07ffa9e4f351ee8260e44da3597a3d98828c5eab 100644 (file)
@@ -439,7 +439,8 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
        u_int8_t protocol, u_int32_t reqid,     mark_t mark, u_int32_t tfc,
        lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
        u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound)
+       u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+       bool update)
 {
        ipsec_sa_entry_t *entry;
        ipsec_sa_t *sa_new;
@@ -462,7 +463,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 
        this->mutex->lock(this->mutex);
 
-       if (inbound)
+       if (update)
        {       /* remove any pre-allocated SPIs */
                u_int32_t *spi_alloc;
 
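Review bot: The `if (update)` branch is the only place visible here that clears a pre-allocated SPI, and it now relies entirely on the caller's flag instead of the SA direction. If an inbound SA whose SPI was reserved earlier is installed with `update` FALSE, the reservation would apparently stay in the allocation table; whether anything else expires it cannot be seen from this hunk. The block comment should state that contract, e.g. `/* update: the SPI was reserved by an earlier allocation, drop that reservation */`, and the new `@param update` line in `ipsec_sa_mgr.h` could add `; the allocation entry is removed on install`. The body of add_sa continues outside the hunk.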
index 8d3f64fbb9187c962988e259a53ed6887dca569d..a57eab4e705d71570db86320b587776edeaee360 100644 (file)
@@ -73,6 +73,7 @@ struct ipsec_sa_mgr_t {
         * @param encap                 enable UDP encapsulation (must be TRUE)
         * @param esn                   Extended Sequence Numbers (currently not supported)
         * @param inbound               TRUE if this is an inbound SA, FALSE otherwise
+        * @param update                TRUE if an SPI has already been allocated for SA
         * @return                              SUCCESS if operation completed
         */
        status_t (*add_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
@@ -81,7 +82,7 @@ struct ipsec_sa_mgr_t {
                                           u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg,
                                           chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
                                           u_int16_t cpi, bool initiator, bool encap, bool esn,
-                                          bool inbound);
+                                          bool inbound, bool update);
 
        /**
         * Update the hosts on an installed SA.