From: Tobias Brunner Date: Fri, 28 Mar 2025 14:06:52 +0000 (+0100) Subject: ike-sa: Add possibility to store private extensions/conditions X-Git-Tag: 6.0.2dr1~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07978c16b3f2e42529eed255dc1cebcf3757162f;p=thirdparty%2Fstrongswan.git ike-sa: Add possibility to store private extensions/conditions This avoids conflicts with upstream changes if patched versions of strongSwan require a number of private extensions and conditions. For example, the following extensions can be used as usual via the `enable|supports_extension()` methods: #define PRIVATE_EXT_1 (EXT_PRIVATE_MARKER | (1<<0)) #define PRIVATE_EXT_2 (EXT_PRIVATE_MARKER | (1<<1)) Defining an enum would also be possible but because the type won't match the values would have to be cast to `ike_extension_t` when using the methods. Similarly, `COND_PRIVATE_MARKER` may be used to define private conditions that can be used with the `set|has_condition()` methods. Because the MSB is explicitly not set in `private_extensions|conditions`, these members may directly be checked against private values, e.g.: if (this->private_extensions & PRIVATE_EXT_1) { } --- diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index a14e9ab3b4..87de1cc84d 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -188,15 +188,25 @@ struct private_ike_sa_t { identification_t *other_id; /** - * set of extensions the peer supports + * Set of extensions the peer supports */ ike_extension_t extensions; /** - * set of condition flags currently enabled for this IKE_SA + * Set of private xtensions the peer supports + */ + ike_extension_t private_extensions; + + /** + * Set of condition flags currently enabled for this IKE_SA */ ike_condition_t conditions; + /** + * Set of private condition flags currently enabled for this IKE_SA + */ + ike_condition_t private_conditions; + /** * Array containing the child sa's of the current IKE_SA. */ 
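Review bot: The new doc comment on `private_extensions` has a typo, `Set of private xtensions the peer supports`; it should read `Set of private extensions the peer supports`. Both new member comments could also record the invariant the accessors in this file depend on, namely that the marker bit is masked out before anything is stored, e.g. `Set of private extensions the peer supports (EXT_PRIVATE_MARKER itself is never stored here)`. A patch that tests `this->private_extensions & PRIVATE_EXT_1` directly, as the commit message suggests, relies on exactly that property.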
@@ -755,29 +765,42 @@ METHOD(ike_sa_t, set_ike_cfg, void, METHOD(ike_sa_t, enable_extension, void, private_ike_sa_t *this, ike_extension_t extension) { - this->extensions |= extension; + ike_extension_t *ptr; + ptr = (extension & EXT_PRIVATE_MARKER) ? &this->private_extensions + : &this->extensions; + *ptr |= (extension & ~EXT_PRIVATE_MARKER); } METHOD(ike_sa_t, supports_extension, bool, private_ike_sa_t *this, ike_extension_t extension) { - return (this->extensions & extension) != FALSE; + ike_extension_t *ptr; + ptr = (extension & EXT_PRIVATE_MARKER) ? &this->private_extensions + : &this->extensions; + return (*ptr & extension) != 0; } METHOD(ike_sa_t, has_condition, bool, private_ike_sa_t *this, ike_condition_t condition) { - return (this->conditions & condition) != FALSE; + ike_condition_t *ptr; + ptr = (condition & COND_PRIVATE_MARKER) ? &this->private_conditions + : &this->conditions; + return (*ptr & condition) != 0; } METHOD(ike_sa_t, set_condition, void, private_ike_sa_t *this, ike_condition_t condition, bool enable) { + ike_condition_t *ptr; + if (has_condition(this, condition) != enable) { + ptr = (condition & COND_PRIVATE_MARKER) ? &this->private_conditions + : &this->conditions; if (enable) { - this->conditions |= condition; + *ptr |= (condition & ~COND_PRIVATE_MARKER); switch (condition) { case COND_NAT_HERE: @@ -799,7 +822,7 @@ METHOD(ike_sa_t, set_condition, void, } else { - this->conditions &= ~condition; + *ptr &= ~(condition & ~COND_PRIVATE_MARKER); switch (condition) { case COND_NAT_HERE: @@ -2921,7 +2944,9 @@ METHOD(ike_sa_t, inherit_pre, void, /* apply extensions and conditions with a few exceptions */ this->extensions = other->extensions; + this->private_extensions = other->private_extensions; this->conditions = other->conditions; + this->private_conditions = other->private_conditions; this->conditions &= ~COND_STALE; this->conditions &= ~COND_REAUTHENTICATING; } 
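Review bot: The routing expression `(x & X_PRIVATE_MARKER) ? &this->private_x : &this->x` is spelled out four times in enable_extension, supports_extension, has_condition and set_condition, so a later change to the marker scheme can silently leave one accessor behind; two static helpers would keep it in one place. The read paths also rely on an invariant the code does not state: supports_extension and has_condition test `*ptr & extension` with the marker bit still set in the argument, which is correct only because enable_extension and set_condition mask the marker out before storing, so `private_extensions` and `private_conditions` never have the MSB set. A comment on the helpers makes that explicit. set_condition's body, including the switch on the full condition value, continues past the end of the hunk.

```c
/* Storage word for an extension: the MSB marker routes private extensions to
 * private_extensions; the marker bit itself is never stored in either word. */
static ike_extension_t *ext_store(private_ike_sa_t *this,
								  ike_extension_t extension)
{
	return (extension & EXT_PRIVATE_MARKER) ? &this->private_extensions
											: &this->extensions;
}

/* Same for conditions. */
static ike_condition_t *cond_store(private_ike_sa_t *this,
								   ike_condition_t condition)
{
	return (condition & COND_PRIVATE_MARKER) ? &this->private_conditions
											 : &this->conditions;
}

METHOD(ike_sa_t, enable_extension, void,
	private_ike_sa_t *this, ike_extension_t extension)
{
	*ext_store(this, extension) |= (extension & ~EXT_PRIVATE_MARKER);
}

METHOD(ike_sa_t, supports_extension, bool,
	private_ike_sa_t *this, ike_extension_t extension)
{
	/* the marker bit is never stored, so only the private bit can match */
	return (*ext_store(this, extension) & extension) != 0;
}

/* … has_condition and set_condition: replace the inline selection with
 * cond_store(this, condition) in the same way … */
```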
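Review bot: inherit_pre copies `private_conditions` over unchanged while the public set has COND_STALE and COND_REAUTHENTICATING stripped, so a private condition with the same kind of per-instance meaning (valid on the old SA only) is inherited with no hook to exclude it, and whoever defines a private condition cannot see this from the header. A short comment here, `/* private conditions are inherited as-is; transient private flags must be cleared by the patch that defines them */`, or the equivalent note next to COND_PRIVATE_MARKER in ike_sa.h would record that. If there are other places that assign or zero `extensions`/`conditions` wholesale (a reset path, for instance), they would need the same treatment; only inherit_pre is covered by this hunk and the rest of the file is not visible here. inherit_pre starts before the hunk.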
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index ea81de2103..94f4fe7cce 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -80,6 +80,8 @@ typedef struct ike_sa_t ike_sa_t; /** * Extensions (or optional features) the peer supports + * + * Private extensions can be defined by using the EXT_PRIVATE_MARKER marker. */ enum ike_extension_t { @@ -174,10 +176,17 @@ enum ike_extension_t { * IKEv2 Intermediate Exchange, RFC 9242 */ EXT_IKE_INTERMEDIATE = (1<<17), + + /** + * MSB marker to separate private extensions + */ + EXT_PRIVATE_MARKER = (1<<31), }; /** * Conditions of an IKE_SA, change during its lifetime + * + * Private conditions can be defined by using the COND_PRIVATE_MARKER marker. */ enum ike_condition_t { @@ -260,6 +269,11 @@ enum ike_condition_t { * An OCSP status request was received */ COND_OCSP_REQUEST = (1<<15), + + /** + * MSB marker to separate private conditions + */ + COND_PRIVATE_MARKER = (1<<31), }; /**
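Review bot: `EXT_PRIVATE_MARKER = (1<<31)` shifts a signed 1 into the sign bit of int, which C11 6.5.7 leaves undefined; GCC and Clang fold it to INT_MIN, which makes the enum's underlying type signed, and the `& EXT_PRIVATE_MARKER` / `& ~EXT_PRIVATE_MARKER` operations in ike_sa.c then work under two's complement, but `-fsanitize=shift` and `-Wshift-overflow=2` report it. Writing the marker as `(int)(1U << 31)` yields the same INT_MIN through an implementation-defined conversion instead of undefined behaviour, while `(1U << 31)` keeps it unsigned at the cost of an enumerator outside int range (a -pedantic diagnostic); either is preferable to the signed shift. The existing enumerators stop at `(1<<17)`, so as far as the hunk shows this is the first value in the enum that touches bit 31.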
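Review bot: The comment on COND_PRIVATE_MARKER says only that it separates private conditions; the rules a patch author must follow are visible only in ike_sa.c, where set_condition masks the marker out before storing and has_condition tests the stored word against the full value. I would state them here: `Private values are (COND_PRIVATE_MARKER | (1<<n)) with 0 <= n < 31, one bit each; the marker is never stored, so COND_PRIVATE_MARKER on its own is a no-op in set_condition.`, with the same wording on EXT_PRIVATE_MARKER. Upstream must also never allocate bit 31 for a regular condition or extension, since the accessors would route such a value to the private set; a sentence to that effect on both markers prevents that mistake. The definition has the same signed shift into bit 31 as EXT_PRIVATE_MARKER and should be written the same way.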