From: Tobias Brunner
Date: Thu, 4 May 2023 12:32:49 +0000 (+0200)
Subject: ipsec-processor: Trigger acquire if no matching outbound SA is found
X-Git-Tag: 5.9.11rc1~9^2~2
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=9192ef16209a6f65fd348218e4565c40411e6f3a;p=thirdparty%2Fstrongswan.git
ipsec-processor: Trigger acquire if no matching outbound SA is found
---
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
index 80b25e01a6..11c587c93b 100644
--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2023 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
@@ -194,6 +194,7 @@ static job_requeue_t process_outbound(private_ipsec_processor_t *this)
 ip_packet_t *packet;
 ipsec_sa_t *sa;
 host_t *src, *dst;
+ bool acquire = FALSE;
 packet = (ip_packet_t*)this->outbound_queue->dequeue(this->outbound_queue);
@@ -208,11 +209,22 @@ static job_requeue_t process_outbound(private_ipsec_processor_t *this)
 }
 sa = ipsec->sas->checkout_by_reqid(ipsec->sas, policy->get_reqid(policy),
- FALSE, NULL);
+ FALSE, &acquire);
 if (!sa)
- { /* TODO-IPSEC: send an acquire to upper layer */
- DBG1(DBG_ESP, "could not find an outbound IPsec SA for reqid {%u}, "
- "dropping packet", policy->get_reqid(policy));
+ {
+ if (acquire)
+ {
+ DBG1(DBG_ESP, "could not find an outbound IPsec SA for reqid {%u}, "
+ "dropping packet and triggering acquire",
+ policy->get_reqid(policy));
+ ipsec->events->acquire(ipsec->events, policy->get_reqid(policy));
+ }
+ else
+ {
+ DBG2(DBG_ESP, "could not find an outbound IPsec SA for reqid {%u}, "
+ "dropping packet while acquire is pending",
+ policy->get_reqid(policy));
+ }
 packet->destroy(packet);
 policy->destroy(policy);
 return JOB_REQUEUE_DIRECT;
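Review bot: In the third hunk of process_outbound(), the new `else` branch drops the packet and logs only at DBG2 whenever `checkout_by_reqid()` leaves `acquire` FALSE, so this path relies on the SA manager resetting its pending-acquire state once a negotiation fails or times out. That reset is not visible in this hunk; if the state can get stuck, traffic for the reqid would be discarded with nothing logged at level 1, which is worth confirming against the `checkout_by_reqid()` implementation. Dropping instead of forwarding is the fail-closed choice and deserves a comment at the `if (!sa)` block, e.g. `/* no outbound SA: drop, never send unprotected; acquire is raised only when checkout_by_reqid() requests it */`. As a readability point, `policy->get_reqid(policy)` is now evaluated up to three times on this path and could be held in a local, `uint32_t reqid = policy->get_reqid(policy);`. The function begins and continues outside this hunk.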