From: Tobias Brunner Date: Tue, 18 Aug 2020 07:40:17 +0000 (+0200) Subject: child-sa: Cache and forward actual initiator flag for outbound SA X-Git-Tag: 5.9.7dr2~1^2~12 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=639af09b2e3624217d3f3294e5c53aff2351c34a;p=thirdparty%2Fstrongswan.git child-sa: Cache and forward actual initiator flag for outbound SA Kernel interfaces (e.g. TKM) might rely on this flag to be correct. --- diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 401bf07295..2c77ee2c6d 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -110,6 +110,11 @@ struct private_child_sa_t { */ chunk_t integ_r; + /** + * Whether the registered outbound SA was created as initiator + */ + bool initiator; + /** * Whether the outbound SA has only been registered yet during a rekeying */ @@ -1420,13 +1425,13 @@ static bool install_outbound_immediately(private_child_sa_t *this) METHOD(child_sa_t, register_outbound, status_t, private_child_sa_t *this, chunk_t encr, chunk_t integ, uint32_t spi, - uint16_t cpi, bool tfcv3) + uint16_t cpi, bool initiator, bool tfcv3) { status_t status; if (install_outbound_immediately(this)) { - status = install_internal(this, encr, integ, spi, cpi, FALSE, FALSE, + status = install_internal(this, encr, integ, spi, cpi, initiator, FALSE, tfcv3); } else @@ -1440,6 +1445,7 @@ METHOD(child_sa_t, register_outbound, status_t, this->other_cpi = cpi; this->encr_r = chunk_clone(encr); this->integ_r = chunk_clone(integ); + this->initiator = initiator; this->tfcv3 = tfcv3; status = SUCCESS; } @@ -1457,8 +1463,8 @@ METHOD(child_sa_t, install_outbound, status_t, if (!(this->outbound_state & CHILD_OUTBOUND_SA)) { status = install_internal(this, this->encr_r, this->integ_r, - this->other_spi, this->other_cpi, FALSE, - FALSE, this->tfcv3); + this->other_spi, this->other_cpi, + this->initiator, FALSE, this->tfcv3); chunk_clear(&this->encr_r); chunk_clear(&this->integ_r); } 
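Review bot: In register_outbound the new `this->initiator` cache is written only on the deferred branch (the assignment added in the following hunk), so when `install_outbound_immediately()` is true the field keeps its zero-initialised FALSE even though the outbound SA was just installed with `initiator` passed straight to `install_internal()`. If anything else in child_sa.c later consults the cached field (not visible here, e.g. an update or rekey path), the two install paths would disagree about the SA's role. Hoisting `this->initiator = initiator;` above `if (install_outbound_immediately(this))` removes the asymmetry at no cost; alternatively, the struct comment in the first hunk could state `Only meaningful while the outbound SA is registered but not yet installed`. register_outbound's body continues past the end of the hunk, and install_outbound starts outside the last hunk.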
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index 73488c1277..37f00277eb 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h @@ -442,11 +442,13 @@ struct child_sa_t { * @param integ integrity key (cloned) * @param spi SPI to use, allocated for inbound * @param cpi CPI to use, allocated for outbound + * @param initiator TRUE if initiator of exchange resulting in this SA * @param tfcv3 TRUE if peer supports ESPv3 TFC * @return SUCCESS or FAILED */ status_t (*register_outbound)(child_sa_t *this, chunk_t encr, chunk_t integ, - uint32_t spi, uint16_t cpi, bool tfcv3); + uint32_t spi, uint16_t cpi, bool initiator, + bool tfcv3); /** * Install the outbound policies and, if not already done, the outbound SA diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index d836ff029d..1c0d7cc778 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -715,13 +715,13 @@ static status_t select_and_install(private_child_create_t *this, { status_o = this->child_sa->register_outbound(this->child_sa, encr_i, integ_i, this->other_spi, this->other_cpi, - this->tfcv3); + this->initiator, this->tfcv3); } else { status_o = this->child_sa->register_outbound(this->child_sa, encr_r, integ_r, this->other_spi, this->other_cpi, - this->tfcv3); + this->initiator, this->tfcv3); } } else if (this->initiator)