author | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2011-01-28 18:21:38 +0000 |
committer | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2011-01-28 18:21:38 +0000 |
commit | d15c6f407fde6dd1c1d7cf137d864cd8caa88550 (patch) | |
tree | de4bee82235de641f5d05dc96e589f0ec848f062 | |
parent | e17c4b38ffe75181b84737eb34b438b8f21908c0 (diff) |
improve behavior of drop_sa: always negotiating a new child sa; ok reyk
-rw-r--r-- | sbin/iked/ikev2.c | 72 |
1 files changed, 27 insertions, 45 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 551847d2c36..450f463dd80 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.46 2011/01/26 17:07:59 reyk Exp $ */
+/* $OpenBSD: ikev2.c,v 1.47 2011/01/28 18:21:37 mikeb Exp $ */
 /* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
 
 /*
@@ -3760,11 +3760,9 @@ ikev2_drop_sa(struct iked *env, struct iked_spi *drop)
 {
 	struct ibuf *buf = NULL;
 	struct iked_childsa *csa, key;
-	struct iked_proposal *prop;
 	struct iked_sa *sa;
 	struct ikev2_delete *del;
 	u_int32_t spi32;
-	int nprop = 0;
 
 	key.csa_spi = *drop;
 	csa = RB_FIND(iked_activesas, &env->sc_activesas, &key);
@@ -3777,59 +3775,43 @@ ikev2_drop_sa(struct iked *env, struct iked_spi *drop)
 		return;
 	}
 
-	TAILQ_FOREACH(prop, &sa->sa_proposals, prop_entry) {
-		nprop++;
-	}
-
 	if ((buf = ibuf_static()) == NULL)
 		goto done;
 	if ((del = ibuf_advance(buf, sizeof(*del))) == NULL)
 		goto done;
 
-	/*
-	 * If that was the only Child SA pair and we initiated the
-	 * exchange, drop SA altogether and reinitiate
-	 */
-	if (nprop == 2 && sa->sa_hdr.sh_initiator) {
-		del->del_protoid = IKEV2_SAPROTO_IKE;
-		del->del_spisize = 0;
-		del->del_nspi = 0;
-
-		ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
-		    IKEV2_EXCHANGE_INFORMATIONAL, 0);
+	if (csa->csa_allocated)
+		spi32 = htobe32(csa->csa_spi.spi);
+	else
+		spi32 = htobe32(csa->csa_peerspi);
 
-		log_debug("%s: reinitiate IKE SA", __func__);
-		sa_state(env, sa, IKEV2_STATE_CLOSED);
+	if (ikev2_childsa_delete(env, sa, csa->csa_saproto,
+	    csa->csa_peerspi, NULL, 0))
+		log_debug("%s: failed to delete CHILD SA %s", __func__,
+		    print_spi(csa->csa_peerspi, drop->spi_size));
 
-		sa_free(env, sa);
-		timer_register_initiator(env, ikev2_init_ike_sa);
-	} else {
-		if (csa->csa_allocated)
-			spi32 = htobe32(csa->csa_spi.spi);
-		else
-			spi32 = htobe32(csa->csa_peerspi);
+	/* Send PAYLOAD_DELETE */
 
-		if (ikev2_childsa_delete(env, sa, csa->csa_saproto,
-		    csa->csa_peerspi, NULL, 0))
-			log_debug("%s: failed to delete CHILD SA %s", __func__,
-			    print_spi(csa->csa_peerspi, drop->spi_size));
+	if ((buf = ibuf_static()) == NULL)
+		return;
+	if ((del = ibuf_advance(buf, sizeof(*del))) == NULL)
+		goto done;
+	del->del_protoid = drop->spi_protoid;
+	del->del_spisize = 4;
+	del->del_nspi = htobe16(1);
+	if (ibuf_add(buf, &spi32, sizeof(spi32)))
+		goto done;
 
-		/* Send PAYLOAD_DELETE */
+	if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
+	    IKEV2_EXCHANGE_INFORMATIONAL, 0) == -1)
+		goto done;
 
-		if ((buf = ibuf_static()) == NULL)
-			return;
-		if ((del = ibuf_advance(buf, sizeof(*del))) == NULL)
-			goto done;
-		del->del_protoid = drop->spi_protoid;
-		del->del_spisize = 4;
-		del->del_nspi = htobe16(1);
-		if (ibuf_add(buf, &spi32, sizeof(spi32)))
-			goto done;
+	sa->sa_stateflags |= IKED_REQ_INF;
 
-		if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
-		    IKEV2_EXCHANGE_INFORMATIONAL, 0) == 0)
-			sa->sa_stateflags |= IKED_REQ_INF;
-	}
+	/* Initiate Child SA creation */
+	if (ikev2_send_create_child_sa(env, sa, NULL, drop->spi_protoid))
+		log_warnx("%s: failed to initiate a CREATE_CHILD_SA exchange",
+		    __func__);
 
 done:
 	ibuf_release(buf);
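Review bot: The new side of this hunk allocates `buf` twice: the context lines kept right after the closing brace still call `ibuf_static()` and `ibuf_advance()`, and the rewritten block under `/* Send PAYLOAD_DELETE */` calls `ibuf_static()` again, so the first ibuf is overwritten without an `ibuf_release()` and leaks on every call, including on the bare `return` taken when the second allocation fails. The first allocation only served the removed IKE-SA-delete branch; drop the four kept lines `if ((buf = ibuf_static()) == NULL) goto done;` / `if ((del = ibuf_advance(buf, sizeof(*del))) == NULL) goto done;` that precede the `csa_allocated` check so that the allocation under the comment is the only one, which also makes the `return` on its failure safe because `buf` is still NULL there. Separately, when `ikev2_send_ike_e()` returns -1 the function jumps to `done` and never reaches `ikev2_send_create_child_sa()`, so the child SA is not renegotiated on that path; that may be intended, but it does not match the "always negotiating a new child sa" wording of the commit message. ikev2_drop_sa begins in the previous hunk, outside this one.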