From: Tobias Brunner
Date: Fri, 28 Mar 2025 15:06:58 +0000 (+0100)
Subject: ha: Support sync of private IKE_SA extensions and conditions
X-Git-Tag: 6.0.2dr1~45
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=46674e64c19e86c1735c4f82ac838ed4de2834dc;p=thirdparty%2Fstrongswan.git

ha: Support sync of private IKE_SA extensions and conditions

This requires a new protocol version as private extensions would enable unrelated regular extensions, even when sending the private extension as second attribute (which would work for conditions as they are explicitly enabled/disabled).
---
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 83be91ab15..5ef52546c7 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -371,13 +371,13 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
  */
 static void set_conditions(ike_sa_t *ike_sa, ike_condition_t conditions)
 {
-	ike_condition_t i;
+	ike_condition_t i, private = (conditions & COND_PRIVATE_MARKER);
-	for (i = 0; i < sizeof(i) * 8; ++i)
+	for (i = 0; i < (sizeof(i) * 8) - 1; ++i)
 	{
-		ike_condition_t cond = (1 << i);
+		ike_condition_t cond = (1 << i) | private;
-		ike_sa->set_condition(ike_sa, cond, (conditions & cond) != 0);
+		ike_sa->set_condition(ike_sa, cond, (conditions & cond) == cond);
 	}
 }
@@ -386,13 +386,13 @@ static void set_conditions(ike_sa_t *ike_sa, ike_condition_t conditions)
  */
 static void set_extensions(ike_sa_t *ike_sa, ike_extension_t extensions)
 {
-	ike_extension_t i;
+	ike_extension_t i, private = (extensions & EXT_PRIVATE_MARKER);
-	for (i = 0; i < sizeof(i) * 8; ++i)
+	for (i = 0; i < (sizeof(i) * 8) - 1; ++i)
 	{
-		ike_extension_t ext = (1 << i);
+		ike_extension_t ext = (1 << i) | private;
-		if (extensions & ext)
+		if ((extensions & ext) == ext)
 		{
 			ike_sa->enable_extension(ike_sa, ext);
 		}
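Review bot: The new loop bound `(sizeof(i) * 8) - 1` in set_conditions silently assumes COND_PRIVATE_MARKER is the most significant bit of ike_condition_t, and set_extensions in the next hunk makes the same assumption for EXT_PRIVATE_MARKER; nothing at either site states this, so moving the marker to another bit later would make the loop either visit the marker bit as a flag or skip a real one. A short comment above each loop would make the contract explicit, e.g. `/* iterate all bits except the top one, which is reserved for the private marker */`. If the project has a compile-time assertion macro, tying the marker value to `1 << ((sizeof(i) * 8) - 1)` with it would be stronger than a comment. Note also that set_extensions still only enables bits and never clears them, unlike set_conditions; that is pre-existing, but now that private extensions are synced as well it is worth a sentence in the function's doc comment so readers do not expect symmetric behaviour.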
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index f6983ff466..56c79a7b06 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -49,15 +49,15 @@ struct private_ha_ike_t {
 };
 /**
- * Copy conditions of IKE_SA to message as HA_CONDITIONS attribute
+ * Copy (private) conditions of IKE_SA to message as HA_CONDITIONS attribute
  */
-static void copy_conditions(ha_message_t *m, ike_sa_t *ike_sa)
+static void copy_conditions(ha_message_t *m, ike_sa_t *ike_sa, bool private)
 {
-	ike_condition_t i, conditions = 0;
+	ike_condition_t i, conditions = private ? COND_PRIVATE_MARKER : 0;
-	for (i = 0; i < sizeof(i) * 8; ++i)
+	for (i = 0; i < (sizeof(i) * 8) - 1; ++i)
 	{
-		ike_condition_t cond = (1 << i);
+		ike_condition_t cond = (1 << i) | (private ? COND_PRIVATE_MARKER : 0);
 		conditions |= (ike_sa->has_condition(ike_sa, cond) ? cond : 0);
 	}
@@ -66,15 +66,15 @@ static void copy_conditions(ha_message_t *m, ike_sa_t *ike_sa)
 }
 /**
- * Copy extensions of IKE_SA to message as HA_EXTENSIONS attribute
+ * Copy (private) extensions of IKE_SA to message as HA_EXTENSIONS attribute
  */
-static void copy_extensions(ha_message_t *m, ike_sa_t *ike_sa)
+static void copy_extensions(ha_message_t *m, ike_sa_t *ike_sa, bool private)
 {
-	ike_extension_t i, extensions = 0;
+	ike_extension_t i, extensions = private ? EXT_PRIVATE_MARKER : 0;
-	for (i = 0; i < sizeof(i) * 8; ++i)
+	for (i = 0; i < (sizeof(i) * 8) - 1; ++i)
 	{
-		ike_extension_t ext = (1 << i);
+		ike_extension_t ext = (1 << i) | (private ? EXT_PRIVATE_MARKER : 0);
 		extensions |= (ike_sa->supports_extension(ike_sa, ext) ? ext : 0);
 	}
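Review bot: copy_conditions evaluates `private ? COND_PRIVATE_MARKER : 0` twice, once for the initial value of conditions and again on every loop iteration in the cond expression, and copy_extensions in the second hunk repeats the same pattern with EXT_PRIVATE_MARKER; computing the marker once reads better and keeps the two uses from drifting apart. For example `ike_condition_t marker = private ? COND_PRIVATE_MARKER : 0;`, then `ike_condition_t i, conditions = marker;` and `ike_condition_t cond = (1 << i) | marker;`, and the mirror of that in copy_extensions. The updated doc comments could also say what the new parameter selects, e.g. `@param private TRUE to collect private conditions (tagged with COND_PRIVATE_MARKER), FALSE for regular ones`. Both functions end outside their hunks, so the call that presumably adds the accumulated value to the message is not visible here.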
@@ -212,8 +212,10 @@ METHOD(listener_t, ike_updown, bool,
 	}
 	m->add_attribute(m, HA_LOCAL_ADDR, ike_sa->get_my_host(ike_sa));
 	m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
-	copy_conditions(m, ike_sa);
-	copy_extensions(m, ike_sa);
+	copy_conditions(m, ike_sa, FALSE);
+	copy_conditions(m, ike_sa, TRUE);
+	copy_extensions(m, ike_sa, FALSE);
+	copy_extensions(m, ike_sa, TRUE);
 	m->add_attribute(m, HA_CONFIG_NAME, peer_cfg->get_name(peer_cfg));
 	enumerator = ike_sa->create_peer_address_enumerator(ike_sa);
 	while (enumerator->enumerate(enumerator, (void**)&addr))
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index 04a77618c3..58b87a7d67 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -33,7 +33,7 @@
 /**
  * Protocol version of this implementation
  */
-#define HA_MESSAGE_VERSION 4
+#define HA_MESSAGE_VERSION 5
 typedef struct ha_message_t ha_message_t;
 typedef enum ha_message_type_t ha_message_type_t;
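Review bot: ike_updown now adds HA_CONDITIONS and HA_EXTENSIONS twice per message and nothing at the call site says why; the receiving side (process_ike_add, not in this diff) has to apply both attributes of each type, distinguished only by the marker bit, so if it keeps a single value per attribute type either the regular set or the private set is silently dropped. Worth confirming that the dispatcher's attribute loop handles repeated attributes, and a comment here such as `/* regular and private sets are sent as separate attributes, tagged by the marker bit */` would explain the doubled calls to the next reader. As the commit message explains, the HA_MESSAGE_VERSION bump in ha_message.h is what keeps an older receiver from treating the marker-tagged attribute as regular extensions, so the two changes belong together and the comment could point at the version for the same reason. ike_updown starts and ends outside the hunk.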