git.ipfire.org Git - thirdparty/strongswan.git/commit

author	Tobias Brunner <tobias@strongswan.org>
	Thu, 20 Mar 2025 13:52:32 +0000 (14:52 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Wed, 28 May 2025 08:01:19 +0000 (10:01 +0200)
commit	46c338a78fef5793f4846cd18a8fb538da471794
tree	6c9848ce527af73d275c4eeebc35865b737ecc70	tree
parent	c5b2a8eaa37544369079862d1f2419eea1610993	commit \| diff

kernel-interface: Change reqid if seq. nos. are supported and narrowing occurred

With the sequence numbers we don't have to maintain the reqid to delete
the temporary state.

One exception is with labels.  There we currently only install trap
policies with the generic label.  SAs created from those don't have
policies installed, so we have to reuse the reqid of the trap even if
narrowing occurs.

And as before, we reuse the reqid without checking traffic selectors if
sequence numbers are not supported.

Note that if a CHILD_SA is manually initiated (i.e. has no sequence
number assigned) right before an acquire is triggered, there are several
possible outcomes depending on whether narrowing occurs.  If there is no
narrowing, the same reqid is assigned and the kernel will remove the
temporary SA when the SA is installed (no seq => reqid match).
Afterwards, the queued duplicate CHILD_SA is destroyed and the acquire
state in the trap manager gets removed.  If there is narrowing, a new
reqid is allocated, so the installation of the SA will not remove the
temporary state.  However, due to the narrowing, the duplicate check
fails and when the duplicate is installed (with sequence number), the
temporary state is deleted (as is the state in the trap manager).

src/libcharon/kernel/kernel_interface.c		diff \| blob \| blame \| history
src/libcharon/kernel/kernel_interface.h		diff \| blob \| blame \| history
src/libcharon/sa/child_sa.c		diff \| blob \| blame \| history