From: Tobias Brunner
Date: Wed, 19 Mar 2025 12:28:44 +0000 (+0100)
Subject: ike: Support optional acquire sequence numbers when creating CHILD_SAs
X-Git-Tag: 6.0.2dr1~6^2~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82c82cbbd633cfaf3ecc66b022d33369a32f661c;p=thirdparty%2Fstrongswan.git
ike: Support optional acquire sequence numbers when creating CHILD_SAs
---
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 94f4fe7cce..c6fa62ff3e 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -412,6 +412,8 @@ struct child_init_args_t {
 traffic_selector_t *dst;
 /** Optional security label of triggering packet */
 sec_label_t *label;
+ /** Optional sequence number associated with the acquire triggering the SA */
+ uint32_t seq;
 };
 /**
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index c5a8e9a457..672a04927d 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1009,7 +1009,7 @@ static status_t process_request(private_task_manager_t *this,
 break;
 }
 task = (task_t *)quick_mode_create(this->ike_sa, NULL,
- NULL, NULL);
+ NULL, NULL, 0);
 this->passive_tasks->insert_last(this->passive_tasks, task);
 break;
 case INFORMATIONAL_V1:
@@ -1697,12 +1697,13 @@ METHOD(task_manager_t, queue_child, void,
 if (args)
 {
- task = quick_mode_create(this->ike_sa, cfg, args->src, args->dst);
+ task = quick_mode_create(this->ike_sa, cfg, args->src, args->dst,
+ args->seq);
 task->use_reqid(task, args->reqid);
 }
 else
 {
- task = quick_mode_create(this->ike_sa, cfg, NULL, NULL);
+ task = quick_mode_create(this->ike_sa, cfg, NULL, NULL, 0);
 }
 queue_task(this, &task->task);
 }
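Review bot: The comment on the new `seq` member of `child_init_args_t` does not say which value means "no acquire", while the constructor docs added in this same commit use 0 for that; the field comment should agree, e.g. `/** Optional sequence number of the acquire triggering the SA, 0 if none */`. Because `child_init_args_t` is filled in by callers outside this diff, any caller that builds it on the stack without `= {}` or a designated initializer now hands an indeterminate `seq` to quick_mode_create/child_create_create; the pre-existing call sites are worth checking for that. Whether the kernel can ever issue acquire sequence number 0 is not visible here; if 0 is reserved as "none", that assumption belongs next to the field.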
@@ -1816,7 +1817,7 @@ METHOD(task_manager_t, queue_child_rekey, void,
 child_sa->set_state(child_sa, CHILD_REKEYING);
 cfg = child_sa->get_config(child_sa);
 task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
- get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
+ get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE), 0);
 reqid = child_sa->get_reqid_ref(child_sa);
 if (reqid)
 {
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 3589241cce..ea54b24d21 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1546,7 +1546,8 @@ METHOD(task_t, destroy, void,
 * Described in header.
 */
 quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
- traffic_selector_t *tsi, traffic_selector_t *tsr)
+ traffic_selector_t *tsi, traffic_selector_t *tsr,
+ uint32_t seq)
 {
 private_quick_mode_t *this;
@@ -1565,6 +1566,9 @@ quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
 .rekey = _rekey,
 .abort = _abort_,
 },
+ .child = {
+ .seq = seq,
+ },
 .ike_sa = ike_sa,
 .initiator = config != NULL,
 .config = config,
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h
index 85e986dc61..dbfbbaa801 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.h
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h
@@ -102,9 +102,11 @@ struct quick_mode_t {
 * @param config child_cfg if task initiator, NULL if responder
 * @param tsi source of triggering packet, or NULL
 * @param tsr destination of triggering packet, or NULL
+ * @param seq optional sequence number of triggering acquire, or 0
 * @return task to handle by the task_manager
 */
 quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
- traffic_selector_t *tsi, traffic_selector_t *tsr);
+ traffic_selector_t *tsi, traffic_selector_t *tsr,
+ uint32_t seq);
 #endif /** QUICK_MODE_H_ @}*/
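Review bot: quick_mode_create stores `seq` in `this->child.seq` via the new `.child = { .seq = seq }` initializer, but nothing in the IKEv1 side of this commit reads it back, whereas the IKEv2 side forwards `this->child.seq` when schedule_delayed_retry builds a replacement task. If quick_mode has a comparable retry or re-queue path outside this hunk that constructs a fresh task, it should forward `this->child.seq` the same way, otherwise the acquire that the retry eventually answers loses its sequence number. The `.child` sub-initializer also zeroes every other `child` member at this point, which is only correct if `reqid`, marks and similar are still set through the `use_*` setters after construction, as the task_manager_v1 hunk does for `reqid`; the rest of the initializer continues outside the hunk.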
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 1e213aaaf5..2180bd9099 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1168,7 +1168,7 @@ static status_t process_request(private_task_manager_t *this,
 task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
 array_insert(this->passive_tasks, ARRAY_TAIL, task);
 task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
- NULL, NULL);
+ NULL, NULL, 0);
 array_insert(this->passive_tasks, ARRAY_TAIL, task);
 break;
 }
@@ -1222,7 +1222,7 @@ static status_t process_request(private_task_manager_t *this,
 else
 {
 task = (task_t*)child_create_create(this->ike_sa, NULL,
- FALSE, NULL, NULL);
+ FALSE, NULL, NULL, 0);
 }
 }
 else
@@ -2196,7 +2196,7 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 }
 cfg = child_sa->get_config(child_sa);
 child_create = child_create_create(new, cfg->get_ref(cfg),
- FALSE, NULL, NULL);
+ FALSE, NULL, NULL, 0);
 reqid = child_sa->get_reqid_ref(child_sa);
 if (reqid)
 {
@@ -2375,13 +2375,14 @@ METHOD(task_manager_t, queue_child, void,
 if (args)
 {
- task = child_create_create(this->ike_sa, cfg, FALSE, args->src, args->dst);
+ task = child_create_create(this->ike_sa, cfg, FALSE, args->src,
+ args->dst, args->seq);
 task->use_reqid(task, args->reqid);
 task->use_label(task, args->label);
 }
 else
 {
- task = child_create_create(this->ike_sa, cfg, FALSE, NULL, NULL, 0);
 }
 queue_task(this, &task->task);
 }
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index ee76433f73..9efaed28f4 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
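Review bot: In queue_child the acquire-derived `reqid` and `label` are applied through `task->use_reqid()` and `task->use_label()` right after construction, while the new acquire-derived `seq` is threaded in as a positional constructor argument, which is why every unrelated call site in this commit (process_request, trigger_mbb_reauth, child_delete, child_rekey) has to pass a literal `0`. A setter in the same style, `task->use_seq(task, args->seq);` next to the two existing lines, would keep child_create_create's signature stable and make it explicit that only acquire-triggered tasks carry a sequence number. This is a style point; the parameter approach works and is documented in child_create.h.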
@@ -249,7 +249,8 @@ static void schedule_delayed_retry(private_child_create_t *this)
 task = child_create_create(this->ike_sa,
 this->config->get_ref(this->config), FALSE,
- this->packet_tsi, this->packet_tsr);
+ this->packet_tsi, this->packet_tsr,
+ this->child.seq);
 task->use_reqid(task, this->child.reqid);
 task->use_marks(task, this->child.mark_in, this->child.mark_out);
 task->use_if_ids(task, this->child.if_id_in, this->child.if_id_out);
@@ -2669,8 +2670,9 @@ METHOD(task_t, destroy, void,
 * Described in header.
 */
 child_create_t *child_create_create(ike_sa_t *ike_sa,
- child_cfg_t *config, bool rekey,
- traffic_selector_t *tsi, traffic_selector_t *tsr)
+ child_cfg_t *config, bool rekey,
+ traffic_selector_t *tsi,
+ traffic_selector_t *tsr, uint32_t seq)
 {
 private_child_create_t *this;
@@ -2693,6 +2695,9 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
 .destroy = _destroy,
 },
 },
+ .child = {
+ .seq = seq,
+ },
 .ike_sa = ike_sa,
 .config = config,
 .packet_tsi = tsi ? tsi->clone(tsi) : NULL,
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h
index 0a65ba17a0..f3ff0cc7d6 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.h
+++ b/src/libcharon/sa/ikev2/tasks/child_create.h
@@ -140,10 +140,12 @@ struct child_create_t {
 * @param rekey whether we do a rekey or not
 * @param tsi source of triggering packet, or NULL
 * @param tsr destination of triggering packet, or NULL
+ * @param seq optional sequence number of triggering acquire, or 0
 * @return child_create task to handle by the task_manager
 */
 child_create_t *child_create_create(ike_sa_t *ike_sa,
- child_cfg_t *config, bool rekey,
- traffic_selector_t *tsi, traffic_selector_t *tsr);
+ child_cfg_t *config, bool rekey,
+ traffic_selector_t *tsi,
+ traffic_selector_t *tsr, uint32_t seq);
 #endif /** CHILD_CREATE_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index e2e198b285..3282a21f7a 100644
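Review bot: The `@param seq` line added to child_create.h says only "optional sequence number of triggering acquire, or 0", but the schedule_delayed_retry hunk in child_create.c shows the value is carried over to the replacement task on a delayed retry, which a caller reading the header cannot tell; stating it there, e.g. `@param seq optional sequence number of triggering acquire (kept across delayed retries), or 0`, documents the one guarantee this commit actually makes about the value. What consumes `this->child.seq` once the CHILD_SA is installed is not part of this diff, so the header should not claim more than that. The surrounding child_create_create initializer and schedule_delayed_retry both continue outside their hunks.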
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -556,7 +556,7 @@ METHOD(task_t, build_i, status_t,
 child_cfg = child_sa->get_config(child_sa);
 this->ike_sa->queue_task(this->ike_sa, (task_t*)
 child_create_create(this->ike_sa, child_cfg->get_ref(child_cfg),
- FALSE, NULL, NULL));
+ FALSE, NULL, NULL, 0));
 }
 return NEED_MORE;
 }
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index 6c73d0671a..86161423b7 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -275,7 +275,7 @@ METHOD(task_t, build_i, status_t,
 config = this->child_sa->get_config(this->child_sa);
 this->child_create = child_create_create(this->ike_sa,
- config->get_ref(config), TRUE, NULL, NULL);
+ config->get_ref(config), TRUE, NULL, NULL, 0);
 proposal = this->child_sa->get_proposal(this->child_sa);
 if (proposal->get_algorithm(proposal, KEY_EXCHANGE_METHOD,
@@ -1240,7 +1240,8 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 this->public.task.build = _build_r;
 this->public.task.process = _process_r;
 this->initiator = FALSE;
- this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
+ this->child_create = child_create_create(ike_sa, NULL, TRUE,
+ NULL, NULL, 0);
 }
 return &this->public;