From 0a673794d857a8410db99bda7dbed1c7cfd78925 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 21 Dec 2021 11:26:50 +0100
Subject: [PATCH] trap-manager: Add support to handle acquires with security labels
---
 src/libcharon/sa/trap_manager.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 7b6e2abdf6..e45c8ff3f5 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -120,6 +120,8 @@ typedef struct {
 	uint32_t reqid;
 	/** destination address (wildcard case) */
 	host_t *dst;
+	/** security label, if any */
+	sec_label_t *label;
 } acquire_t;
 
 /**
@@ -142,6 +144,7 @@ static void destroy_entry(entry_t *this)
 static void destroy_acquire(acquire_t *this)
 {
 	DESTROY_IF(this->dst);
+	DESTROY_IF(this->label);
 	free(this);
 }
 
@@ -149,9 +152,10 @@ CALLBACK(acquire_by_reqid, bool,
 	acquire_t *this, va_list args)
 {
 	uint32_t reqid;
+	sec_label_t *label;
 
-	VA_ARGS_VGET(args, reqid);
-	return this->reqid == reqid;
+	VA_ARGS_VGET(args, reqid, label);
+	return this->reqid == reqid && sec_labels_equal(this->label, label);
 }
 
 CALLBACK(acquire_by_dst, bool,
@@ -567,7 +571,7 @@ METHOD(trap_manager_t, acquire, void,
 	else
 	{
 		if (this->acquires->find_first(this->acquires, acquire_by_reqid,
-									   (void**)&acquire, reqid))
+									   (void**)&acquire, reqid, data->label))
 		{
 			ignore = TRUE;
 		}
@@ -575,6 +579,7 @@ METHOD(trap_manager_t, acquire, void,
 	{
 		INIT(acquire,
 			.reqid = reqid,
+			.label = data->label ? data->label->clone(data->label) : NULL,
 		);
 		this->acquires->insert_last(this->acquires, acquire);
 	}
@@ -632,6 +637,7 @@ METHOD(trap_manager_t, acquire, void,
 		.reqid = reqid,
 		.src = data->src,
 		.dst = data->dst,
+		.label = data->label,
 	};
 
 	if (this->ignore_acquire_ts || ike_sa->get_version(ike_sa) == IKEV1)
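Review bot: The new `label` field's comment does not say who owns the pointer, although the commit clones the label when the entry is created (the `INIT(acquire, ...)` hunk at line 575) and releases it in `destroy_acquire`, so the field holds an owned copy rather than the caller's object. Stating that in the field comment keeps a later call site from storing a borrowed pointer that `destroy_acquire` would then free; suggested wording: `/** security label, if any (cloned, released in destroy_acquire) */`. The `acquire_t` definition begins above the hunk.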
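Review bot: The extra vararg read by `VA_ARGS_VGET(args, reqid, label)` changes the calling contract of every `find_first` invocation that passes `acquire_by_reqid`; the hunk at line 567 updates the one visible caller, but any other caller still passing only `reqid` would read an argument that was never supplied (undefined behaviour) instead of failing to compile, so remaining uses are worth checking. The de-duplication of unlabeled acquires now also relies on `sec_labels_equal` treating two NULL labels as equal; if it does, existing behaviour is unchanged, if it does not, every unlabeled acquire would be inserted again. A comment above the callback such as `/* varargs: uint32_t reqid, sec_label_t *label (NULL if unlabeled) */` would record the new argument order where callers look for it.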
@@ -692,6 +698,11 @@ static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa,
 			{
 				continue;
 			}
+			else if (!sec_labels_equal(acquire->label,
+									   child_sa->get_label(child_sa)))
+			{
+				continue;
+			}
 		}
 		this->acquires->remove_at(this->acquires, enumerator);
 		destroy_acquire(acquire);
-- 
2.47.2
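Review bot: The added `else if` chains onto an `if` whose condition lies above the hunk, so which acquires actually reach the label comparison cannot be seen here; a one-line comment on the branch, e.g. `/* only complete acquires whose label matches this CHILD_SA */`, would make the intent readable without scrolling up. Acquires that fail the comparison are left in the list rather than removed; presumably they are completed once a CHILD_SA carrying their label is established, but if no such CHILD_SA ever comes up they would linger until some other path drops them, which is worth confirming. The enclosing function `complete` starts and ends outside the hunk.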