From: Tobias Brunner
Date: Mon, 20 Dec 2021 15:16:00 +0000 (+0100)
Subject: ike-sa: Accept optional security label when initiating CHILD_SAs
X-Git-Tag: 5.9.6rc1~3^2~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3f3838d1f949497226af9258c28e325ec318fedb;p=thirdparty%2Fstrongswan.git

ike-sa: Accept optional security label when initiating CHILD_SAs
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 9bd351d604..b7db069463 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -2077,6 +2077,7 @@ static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
 {
 child_init_args_t args = {
 .reqid = child_sa->get_reqid(child_sa),
+ .label = child_sa->get_label(child_sa),
 };
 child_cfg = child_sa->get_config(child_sa);
 DBG1(DBG_IKE, "restarting CHILD_SA %s",
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 8fc9a3cdd6..8e4549258f 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -380,6 +380,8 @@ struct child_init_args_t {
 traffic_selector_t *src;
 /** Optional destination of triggering packet */
 traffic_selector_t *dst;
+ /** Optional security label of triggering packet */
+ sec_label_t *label;
 };
 
 /**
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index b359c67bb2..555fb86c72 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -2110,6 +2110,7 @@ METHOD(task_manager_t, queue_child, void,
 {
 task = child_create_create(this->ike_sa, cfg, FALSE, args->src, args->dst);
 task->use_reqid(task, args->reqid);
+ task->use_label(task, args->label);
 }
 else
 {
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 13cbee3f5b..b570a36e03 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
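Review bot: In reestablish_children the label is placed into args as a borrowed pointer, `.label = child_sa->get_label(child_sa),`, whereas the child_delete.c and child_rekey.c hunks of this commit clone it first because they destroy the CHILD_SA before calling initiate(). Borrowing is only sound here if child_sa stays alive until the initiate() call that consumes args returns and use_label() copies or references the label instead of keeping the raw pointer; that call and the rest of reestablish_children are outside the hunk, so I cannot confirm the ordering. A why-comment on the initializer would record the assumption for the next reader, e.g. `/* borrowed: child_sa is still alive when initiate() consumes args */`.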
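Review bot: The new field `sec_label_t *label;` is documented only by what it holds, not by who owns it, and ownership is exactly what a caller filling this struct needs to know. The callers in this commit treat it as borrowed (they clone the label and DESTROY_IF() it after initiate() returns), so the comment should say so, e.g. `/** Optional security label of triggering packet (borrowed, not adopted) */`. If src and dst follow the same rule, the struct's description should state it once for all three pointers; the struct header and description are outside the hunk.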
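Review bot: `task->use_label(task, args->label);` is called unconditionally even though args->label may be NULL: the header declares the field optional and reestablish_children passes the result of get_label() straight through. Whether that is fine depends on use_label() tolerating NULL, which this page does not show. If it does, a short comment such as `/* label may be NULL, use_label() handles that */` prevents the next reader from asking the same question; if it does not, the call needs a guard, `if (args->label)`. The body of queue_child continues outside the hunk.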
@@ -366,6 +366,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 child_cfg = child_sa->get_config(child_sa);
 child_cfg->get_ref(child_cfg);
 args.reqid = child_sa->get_reqid(child_sa);
+ args.label = child_sa->get_label(child_sa);
+ if (args.label)
+ {
+ args.label = args.label->clone(args.label);
+ }
 action = child_sa->get_close_action(child_sa);
 this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
 
@@ -385,6 +390,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 }
 }
 child_cfg->destroy(child_cfg);
+ DESTROY_IF(args.label);
 if (status != SUCCESS)
 {
 break;
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index 29ae6de676..37b05c9436 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -396,6 +396,7 @@ METHOD(task_t, process_i, status_t,
 {
 child_cfg_t *child_cfg;
 child_init_args_t args = {};
+ status_t status;
 
 if (this->collision &&
 this->collision->get_type(this->collision) == TASK_CHILD_DELETE)
@@ -414,10 +415,17 @@ METHOD(task_t, process_i, status_t,
 child_cfg = this->child_sa->get_config(this->child_sa);
 child_cfg->get_ref(child_cfg);
 args.reqid = this->child_sa->get_reqid(this->child_sa);
+ args.label = this->child_sa->get_label(this->child_sa);
+ if (args.label)
+ {
+ args.label = args.label->clone(args.label);
+ }
 charon->bus->child_updown(charon->bus, this->child_sa, FALSE);
 this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
- return this->ike_sa->initiate(this->ike_sa,
- child_cfg->get_ref(child_cfg), &args);
+ status = this->ike_sa->initiate(this->ike_sa,
+ child_cfg->get_ref(child_cfg), &args);
+ DESTROY_IF(args.label);
+ return status;
 }
 
 if (this->child_create->task.process(&this->child_create->task,
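Review bot: The clone added before `destroy_child_sa()` in destroy_and_reestablish reads as a needless copy without a why-comment: the label presumably belongs to the CHILD_SA that is destroyed two lines later, so without the clone args would carry a dangling pointer into the re-initiation, and the `DESTROY_IF(args.label)` in the second hunk releases the copy once initiate() has consumed it. A comment above `if (args.label)` such as `/* keep a copy, the CHILD_SA owning the label is destroyed below */` would make the bracket obvious. The same clone/DESTROY_IF pair appears in child_rekey.c's process_i hunk and wants the same comment there. The code between the two child_delete.c hunks is outside the view; any `continue` or `break` on that stretch would skip the DESTROY_IF and leak the clone, so that path is worth a look.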