From: Tobias Brunner Date: Thu, 11 May 2023 13:46:03 +0000 (+0200) Subject: ipsec-sa: Store whether to use UDP encapsulation on the SA X-Git-Tag: 5.9.11rc1~8^2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dbd570707789739fa8d181224951abd92f119d49;p=thirdparty%2Fstrongswan.git ipsec-sa: Store whether to use UDP encapsulation on the SA --- diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c index cfbaaff40e..e67444bcbe 100644 --- a/src/libipsec/ipsec_sa.c +++ b/src/libipsec/ipsec_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * @@ -69,6 +69,11 @@ struct private_ipsec_sa_t { */ ipsec_mode_t mode; + /** + * TRUE if UDP encapsulation should be used when sending + */ + bool encap; + /** * TRUE if extended sequence numbers are used */ @@ -133,6 +138,18 @@ METHOD(ipsec_sa_t, set_destination, void, this->dst = addr->clone(addr); } +METHOD(ipsec_sa_t, get_encap, bool, + private_ipsec_sa_t *this) +{ + return this->encap; +} + +METHOD(ipsec_sa_t, set_encap, void, + private_ipsec_sa_t *this, bool encap) +{ + this->encap = encap; +} + METHOD(ipsec_sa_t, get_spi, uint32_t, private_ipsec_sa_t *this) { @@ -285,11 +302,6 @@ ipsec_sa_t *ipsec_sa_create(uint32_t spi, host_t *src, host_t *dst, DBG1(DBG_ESP, " IPsec SA: protocol not supported"); return NULL; } - if (!encap) - { - DBG1(DBG_ESP, " IPsec SA: only UDP encapsulation is supported"); - return NULL; - } if (esn) { DBG1(DBG_ESP, " IPsec SA: ESN not supported"); @@ -313,6 +325,8 @@ ipsec_sa_t *ipsec_sa_create(uint32_t spi, host_t *src, host_t *dst, .get_destination = _get_destination, .set_source = _set_source, .set_destination = _set_destination, + .get_encap = _get_encap, + .set_encap = _set_encap, .get_spi = _get_spi, .get_reqid = _get_reqid, .get_protocol = _get_protocol, 
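Review bot: Dropping the `!encap` rejection from ipsec_sa_create leaves the constructor accepting encap = FALSE, and the only remaining guard is the one re-added in add_sa (ipsec_sa_mgr.c, hunk at -518), which update_sa (hunk at -582) bypasses by calling `entry->sa->set_encap(entry->sa, new_encap);` unconditionally. If the ESP send path still supports UDP encapsulation only, as the add_sa message states, an update with new_encap = FALSE silently turns a usable SA into one the sender cannot handle. Either reject it in update_sa before the set_* calls, e.g. `if (!new_encap) { DBG1(DBG_ESP, " IPsec SA: only UDP encapsulation is supported"); return FAILED; }` placed where the entry is not yet checked out (the visible lines release it via `entry->locked = FALSE` afterwards), or state on set_encap that FALSE is not yet supported. If later commits in this series add non-encapsulated sending, the runtime check becomes unnecessary and only the documentation point remains.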
@@ -333,6 +347,7 @@ ipsec_sa_t *ipsec_sa_create(uint32_t spi, host_t *src, host_t *dst, .protocol = protocol, .reqid = reqid, .mode = mode, + .encap = encap, .esn = esn, .inbound = inbound, ); diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h index bc2c3a0cfb..64c584b490 100644 --- a/src/libipsec/ipsec_sa.h +++ b/src/libipsec/ipsec_sa.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * @@ -66,6 +66,20 @@ struct ipsec_sa_t { */ void (*set_destination)(ipsec_sa_t *this, host_t *addr); + /** + * Get whether UDP encapsulation should be used for this SA + * + * @return TRUE if encapsulation should be used, FALSE otherwise + */ + bool (*get_encap)(ipsec_sa_t *this); + + /** + * Set whether UDP encapsulation should be used for this SA + * + * @param encap TRUE if encapsulation should be used, FALSE otherwise + */ + void (*set_encap)(ipsec_sa_t *this, bool encap); + /** * Get the SPI for this SA * diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c index 12f5fc141d..76006a851c 100644 --- a/src/libipsec/ipsec_sa_mgr.c +++ b/src/libipsec/ipsec_sa_mgr.c @@ -502,7 +502,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, METHOD(ipsec_sa_mgr_t, add_sa, status_t, private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint32_t spi, - uint8_t protocol, uint32_t reqid, mark_t mark, uint32_t tfc, + uint8_t protocol, uint32_t reqid, mark_t mark, uint32_t tfc, lifetime_cfg_t *lifetime, uint16_t enc_alg, chunk_t enc_key, uint16_t int_alg, chunk_t int_key, ipsec_mode_t mode, uint16_t ipcomp, uint16_t cpi, bool initiator, bool encap, bool esn, bool inbound, 
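Review bot: The get_encap/set_encap comments added to ipsec_sa.h present FALSE as an ordinary value, while add_sa in ipsec_sa_mgr.c rejects encap = FALSE with "only UDP encapsulation is supported", so a reader of the header alone cannot tell that the flag is currently constrained. Consider adding to the set_encap block ` * @note only TRUE is currently accepted by the SA manager, see add_sa()` (or the equivalent wording once non-encapsulated sending is supported, if that is what this series is working toward). The same restriction could be mentioned on the new `encap` member in ipsec_sa.c, whose comment says only "when sending".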
@@ -518,6 +518,12 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t, DBG2(DBG_ESP, " using integrity algorithm %N with key size %d", integrity_algorithm_names, int_alg, int_key.len * 8); + if (!encap) + { + DBG1(DBG_ESP, " IPsec SA: only UDP encapsulation is supported"); + return FAILED; + } + sa_new = ipsec_sa_create(spi, src, dst, protocol, reqid, mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi, encap, esn, inbound); @@ -582,6 +588,7 @@ METHOD(ipsec_sa_mgr_t, update_sa, status_t, { entry->sa->set_source(entry->sa, new_src); entry->sa->set_destination(entry->sa, new_dst); + entry->sa->set_encap(entry->sa, new_encap); /* checkin the entry */ entry->locked = FALSE; entry->condvar->signal(entry->condvar);