ike-sa: Accept optional security label when initiating CHILD_SAs

author Tobias Brunner <tobias@strongswan.org>

Mon, 20 Dec 2021 15:16:00 +0000 (16:16 +0100)

committer Tobias Brunner <tobias@strongswan.org>

Thu, 14 Apr 2022 16:42:01 +0000 (18:42 +0200)
author Tobias Brunner <tobias@strongswan.org>
Mon, 20 Dec 2021 15:16:00 +0000 (16:16 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Thu, 14 Apr 2022 16:42:01 +0000 (18:42 +0200)
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c

index 9bd351d6041bdcea82d2c2cfc393534589935d7e..b7db0694635c6f76c07c0179b74a637bfde2bfd7 100644 (file)
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -2077,6 +2077,7 @@ static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
                 {
                         child_init_args_t args = {
                                 .reqid = child_sa->get_reqid(child_sa),
+                               .label = child_sa->get_label(child_sa),
                         };
                         child_cfg = child_sa->get_config(child_sa);
                         DBG1(DBG_IKE, "restarting CHILD_SA %s",
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h

index 8fc9a3cdd6ad60cc7fa500efd8f44b6cea0c3bee..8e4549258facd33195048b11c4ea0217aa9d7fd3 100644 (file)
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -380,6 +380,8 @@ struct child_init_args_t {
         traffic_selector_t *src;
         /** Optional destination of triggering packet */
         traffic_selector_t *dst;
+       /** Optional security label of triggering packet */
+       sec_label_t *label;
  };
  
  /**
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c

index b359c67bb2ca3004fbf1f48f9004be18672460fc..555fb86c72a21aac89bfc6345d4dd2e9c20f5f2b 100644 (file)
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -2110,6 +2110,7 @@ METHOD(task_manager_t, queue_child, void,
         {
                 task = child_create_create(this->ike_sa, cfg, FALSE, args->src, args->dst);
                 task->use_reqid(task, args->reqid);
+               task->use_label(task, args->label);
         }
         else
         {
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c

index 13cbee3f5bcd1270b2b25988703d7b1119c5738c..b570a36e03a7e610a145aff68c22c41097c9f943 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -366,6 +366,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
                 child_cfg = child_sa->get_config(child_sa);
                 child_cfg->get_ref(child_cfg);
                 args.reqid = child_sa->get_reqid(child_sa);
+               args.label = child_sa->get_label(child_sa);
+               if (args.label)
+               {
+                       args.label = args.label->clone(args.label);
+               }
                 action = child_sa->get_close_action(child_sa);
  
                 this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
@@ -385,6 +390,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
                         }
                 }
                 child_cfg->destroy(child_cfg);
+               DESTROY_IF(args.label);
                 if (status != SUCCESS)
                 {
                         break;
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c

index 29ae6de67627649c67fc6013df825f8306ce1101..37b05c94365d6b59f5a8f57abc409df02b5c09c2 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -396,6 +396,7 @@ METHOD(task_t, process_i, status_t,
         {
                 child_cfg_t *child_cfg;
                 child_init_args_t args = {};
+               status_t status;
  
                 if (this->collision &&
                         this->collision->get_type(this->collision) == TASK_CHILD_DELETE)
@@ -414,10 +415,17 @@ METHOD(task_t, process_i, status_t,
                 child_cfg = this->child_sa->get_config(this->child_sa);
                 child_cfg->get_ref(child_cfg);
                 args.reqid = this->child_sa->get_reqid(this->child_sa);
+               args.label = this->child_sa->get_label(this->child_sa);
+               if (args.label)
+               {
+                       args.label = args.label->clone(args.label);
+               }
                 charon->bus->child_updown(charon->bus, this->child_sa, FALSE);
                 this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
-               return this->ike_sa->initiate(this->ike_sa,
-                                                                         child_cfg->get_ref(child_cfg), &args);
+               status = this->ike_sa->initiate(this->ike_sa,
+                                                                               child_cfg->get_ref(child_cfg), &args);
+               DESTROY_IF(args.label);
+               return status;
         }
  
         if (this->child_create->task.process(&this->child_create->task,
author	Tobias Brunner <tobias@strongswan.org>
	Mon, 20 Dec 2021 15:16:00 +0000 (16:16 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Thu, 14 Apr 2022 16:42:01 +0000 (18:42 +0200)
src/libcharon/sa/ike_sa.c		patch \| blob \| blame \| history
src/libcharon/sa/ike_sa.h		patch \| blob \| blame \| history
src/libcharon/sa/ikev2/task_manager_v2.c		patch \| blob \| blame \| history
src/libcharon/sa/ikev2/tasks/child_delete.c		patch \| blob \| blame \| history
src/libcharon/sa/ikev2/tasks/child_rekey.c		patch \| blob \| blame \| history