child-sa: Cache and forward actual initiator flag for outbound SA

Kernel interfaces (e.g. TKM) might rely on this flag to be correct.
2020-08-18 09:40:17 +02:00 · 2020-08-18 09:40:17 +02:00 · 7910435983
parent 32db8aa2b4
commit 7910435983
3 changed files with 15 additions and 7 deletions
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@ -108,6 +108,11 @@ struct private_child_sa_t {
 	 */
 	chunk_t integ_r;

+	/**
+	 * Whether the registered outbound SA was created as initiator
+	 */
+	bool initiator;
+
 	/**
 	 * Whether the outbound SA has only been registered yet during a rekeying
 	 */
@ -1313,7 +1318,7 @@ METHOD(child_sa_t, install_policies, status_t,

 METHOD(child_sa_t, register_outbound, status_t,
 	private_child_sa_t *this, chunk_t encr, chunk_t integ, uint32_t spi,
-	uint16_t cpi, bool tfcv3)
+	uint16_t cpi, bool initiator, bool tfcv3)
 {
 	status_t status;

@ -1321,7 +1326,7 @@ METHOD(child_sa_t, register_outbound, status_t,
 	 * SA immediately as it will only be used once we update the policies */
 	if (charon->kernel->get_features(charon->kernel) & KERNEL_POLICY_SPI)
 	{
-		status = install_internal(this, encr, integ, spi, cpi, FALSE, FALSE,
+		status = install_internal(this, encr, integ, spi, cpi, initiator, FALSE,
 								  tfcv3);
 	}
 	else
@ -1335,6 +1340,7 @@ METHOD(child_sa_t, register_outbound, status_t,
 		this->other_cpi = cpi;
 		this->encr_r = chunk_clone(encr);
 		this->integ_r = chunk_clone(integ);
+		this->initiator = initiator;
 		this->tfcv3 = tfcv3;
 		status = SUCCESS;
 	}
@ -1352,8 +1358,8 @@ METHOD(child_sa_t, install_outbound, status_t,
 	if (!(this->outbound_state & CHILD_OUTBOUND_SA))
 	{
 		status = install_internal(this, this->encr_r, this->integ_r,
-								  this->other_spi, this->other_cpi, FALSE,
-								  FALSE, this->tfcv3);
+								  this->other_spi, this->other_cpi,
+								  this->initiator, FALSE, this->tfcv3);
 		chunk_clear(&this->encr_r);
 		chunk_clear(&this->integ_r);
 	}
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@ -433,11 +433,13 @@ struct child_sa_t {
 	 * @param integ		integrity key (cloned)
 	 * @param spi		SPI to use, allocated for inbound
 	 * @param cpi		CPI to use, allocated for outbound
+	 * @param initiator	TRUE if initiator of exchange resulting in this SA
 	 * @param tfcv3		TRUE if peer supports ESPv3 TFC
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*register_outbound)(child_sa_t *this, chunk_t encr, chunk_t integ,
-								  uint32_t spi, uint16_t cpi, bool tfcv3);
+								  uint32_t spi, uint16_t cpi, bool initiator,
+								  bool tfcv3);

 	/**
 	 * Install the outbound policies and, if not already done, the outbound SA
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@ -720,13 +720,13 @@ static status_t select_and_install(private_child_create_t *this, bool ike_auth)
 			{
 				status_o = this->child_sa->register_outbound(this->child_sa,
 							encr_i, integ_i, this->other_spi, this->other_cpi,
-							this->tfcv3);
+							this->initiator, this->tfcv3);
 			}
 			else
 			{
 				status_o = this->child_sa->register_outbound(this->child_sa,
 							encr_r, integ_r, this->other_spi, this->other_cpi,
-							this->tfcv3);
+							this->initiator, this->tfcv3);
 			}
 		}
 		else if (this->initiator)