From 1b3af3e37d7ee00b1f43abd41127dd1126e0afd2 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 3 Feb 2022 17:10:12 +0100
Subject: [PATCH] kernel-interface: Add support to change the reqid in update_sa()

---
 src/libcharon/kernel/kernel_ipsec.h | 2 ++
 src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 5 +++++
 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 6 ++++++
 src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c | 4 ++++
 4 files changed, 17 insertions(+)

diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
index 343cdd136f..748dd433f7 100644
--- a/src/libcharon/kernel/kernel_ipsec.h
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -130,6 +130,8 @@ struct kernel_ipsec_update_sa_t {
 	bool encap;
 	/** TRUE to enable UDP encapsulation */
 	bool new_encap;
+	/** New reqid, or 0 if unchanged */
+	uint32_t new_reqid;
 };
 
 /**
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index c469651277..a24e792052 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2329,6 +2329,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 		kernel_ipsec_update_sa_t ipcomp = {
 			.new_src = data->new_src,
 			.new_dst = data->new_dst,
+			.new_reqid = data->new_reqid,
 		};
 		update_sa(this, &ipcomp_id, &ipcomp);
 	}
@@ -2417,6 +2418,10 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	sa = NLMSG_DATA(hdr);
 	memcpy(sa, NLMSG_DATA(out_hdr), sizeof(struct xfrm_usersa_info));
 	sa->family = data->new_dst->get_family(data->new_dst);
+	if (data->new_reqid)
+	{
+		sa->reqid = data->new_reqid;
+	}
 
 	if (!id->src->ip_equals(id->src, data->new_src))
 	{
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 3243d1e946..30688a427d 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
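Review bot: The comment on `new_reqid` states the 0-means-unchanged convention but not what a backend does when it cannot honour a reqid change, and within this same patch the pfkey implementation returns NOT_SUPPORTED in that case while netlink and wfp apply the value. A caller that combines an address change with a reqid change will therefore get the SA left entirely untouched on pfkey, which it must know to fall back from, so the contract belongs on the field: `/** New reqid, or 0 if unchanged. Backends that can't change the reqid return NOT_SUPPORTED and leave the SA unmodified */`. The struct definition starts before this hunk.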
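Review bot: The new reqid assignment on the rebuilt `xfrm_usersa_info` in the second hunk of kernel_netlink_ipsec.c is applied silently, although a reqid change re-associates the SA with a different set of policies (XFRM matches policy templates to SAs by reqid) and is the kind of state change an operator reading the kernel-interface log would want to see next to the address-update messages. Consider logging it inside the new block, e.g. `DBG2(DBG_KNL, "changing reqid of SAD entry with SPI %.8x to %u", ntohl(id->spi), data->new_reqid);`. The first hunk of this file only forwards the value for the IPComp SA and needs nothing further. The enclosing update_sa() starts and ends outside the hunk.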
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1960,6 +1960,12 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	size_t len;
 	status_t status = FAILED;
 
+	if (data->new_reqid)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: reqid "
+			 "change is not supported", ntohl(id->spi));
+		return NOT_SUPPORTED;
+	}
 #ifndef SADB_X_EXT_NEW_ADDRESS_SRC
 	/* we can't update the SA if any of the ip addresses have changed.
 	 * that's because we can't use SADB_UPDATE and by deleting and readding the
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index b4673ee24e..3eb1785992 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -2280,6 +2280,10 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	key.dst = entry->osa.dst;
 	this->osas->remove(this->osas, &key);
 
+	if (data->new_reqid)
+	{
+		entry->reqid = data->new_reqid;
+	}
 	entry->local->destroy(entry->local);
 	entry->remote->destroy(entry->remote);
 	entry->local = data->new_dst->clone(data->new_dst);
-- 
2.47.2
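Review bot: In the kernel_wfp_ipsec.c hunk `entry->reqid` is overwritten after the entry has been removed from `osas` under its old key, but nothing in the hunk re-keys any structure that indexes entries by reqid; if this backend keeps such a table (for instance for SAs whose policies are installed later), the entry would stay registered under the old reqid and a lookup by the new one would miss it, leaving the SA unusable for its policies. This needs confirming against the rest of update_sa() and the policy-installation path, both outside the hunk, and either a re-key at this point or a comment stating why none is needed, e.g. `/* reqid is only used for lookups before the entry's policies exist; no re-keying needed here */`. The enclosing function starts and ends outside the hunk.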