ike-sa: Accept optional security label when initiating CHILD_SAs

2025-10-05 00:00:45 -04:00 · 2021-12-20 16:16:00 +01:00 · 2021-12-20 16:16:00 +01:00 · 3f3838d1f9
commit 3f3838d1f9
parent 92f54e55e9
5 changed files with 20 additions and 2 deletions
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@ -2077,6 +2077,7 @@ static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
 		{
 			child_init_args_t args = {
 				.reqid = child_sa->get_reqid(child_sa),
+				.label = child_sa->get_label(child_sa),
 			};
 			child_cfg = child_sa->get_config(child_sa);
 			DBG1(DBG_IKE, "restarting CHILD_SA %s",
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@ -380,6 +380,8 @@ struct child_init_args_t {
 	traffic_selector_t *src;
 	/** Optional destination of triggering packet */
 	traffic_selector_t *dst;
+	/** Optional security label of triggering packet */
+	sec_label_t *label;
 };

 /**
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@ -2110,6 +2110,7 @@ METHOD(task_manager_t, queue_child, void,
 	{
 		task = child_create_create(this->ike_sa, cfg, FALSE, args->src, args->dst);
 		task->use_reqid(task, args->reqid);
+		task->use_label(task, args->label);
 	}
 	else
 	{
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@ -366,6 +366,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 		child_cfg = child_sa->get_config(child_sa);
 		child_cfg->get_ref(child_cfg);
 		args.reqid = child_sa->get_reqid(child_sa);
+		args.label = child_sa->get_label(child_sa);
+		if (args.label)
+		{
+			args.label = args.label->clone(args.label);
+		}
 		action = child_sa->get_close_action(child_sa);

 		this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
@ -385,6 +390,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 			}
 		}
 		child_cfg->destroy(child_cfg);
+		DESTROY_IF(args.label);
 		if (status != SUCCESS)
 		{
 			break;
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@ -396,6 +396,7 @@ METHOD(task_t, process_i, status_t,
 	{
 		child_cfg_t *child_cfg;
 		child_init_args_t args = {};
+		status_t status;

 		if (this->collision &&
 			this->collision->get_type(this->collision) == TASK_CHILD_DELETE)
@ -414,10 +415,17 @@ METHOD(task_t, process_i, status_t,
 		child_cfg = this->child_sa->get_config(this->child_sa);
 		child_cfg->get_ref(child_cfg);
 		args.reqid = this->child_sa->get_reqid(this->child_sa);
+		args.label = this->child_sa->get_label(this->child_sa);
+		if (args.label)
+		{
+			args.label = args.label->clone(args.label);
+		}
 		charon->bus->child_updown(charon->bus, this->child_sa, FALSE);
 		this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
-		return this->ike_sa->initiate(this->ike_sa,
-									  child_cfg->get_ref(child_cfg), &args);
+		status = this->ike_sa->initiate(this->ike_sa,
+										child_cfg->get_ref(child_cfg), &args);
+		DESTROY_IF(args.label);
+		return status;
 	}

 	if (this->child_create->task.process(&this->child_create->task,