authorMike Belopuhov <mikeb@cvs.openbsd.org>2011-01-28 18:21:38 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2011-01-28 18:21:38 +0000
commitd15c6f407fde6dd1c1d7cf137d864cd8caa88550 (patch)
treede4bee82235de641f5d05dc96e589f0ec848f062
parente17c4b38ffe75181b84737eb34b438b8f21908c0 (diff)
improve behavior of drop_sa: always negotiating a new child sa; ok reyk
-rw-r--r--sbin/iked/ikev2.c72
1 files changed, 27 insertions, 45 deletions
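diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 551847d2c36..450f463dd80 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.46 2011/01/26 17:07:59 reyk Exp $ */
+/* $OpenBSD: ikev2.c,v 1.47 2011/01/28 18:21:37 mikeb Exp $ */
 /* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
 /*
@@ -3760,11 +3760,9 @@ ikev2_drop_sa(struct iked *env, struct iked_spi *drop)
 {
 struct ibuf *buf = NULL;
 struct iked_childsa *csa, key;
- struct iked_proposal *prop;
 struct iked_sa *sa;
 struct ikev2_delete *del;
 u_int32_t spi32;
- int nprop = 0;
 key.csa_spi = *drop;
 csa = RB_FIND(iked_activesas, &env->sc_activesas, &key);
@@ -3777,59 +3775,43 @@ ikev2_drop_sa(struct iked *env, struct iked_spi *drop)
 return;
 }
- TAILQ_FOREACH(prop, &sa->sa_proposals, prop_entry) {
- nprop++;
- }
-
 if ((buf = ibuf_static()) == NULL)
 goto done;
 if ((del = ibuf_advance(buf, sizeof(*del))) == NULL)
 goto done;
- /*
- * If that was the only Child SA pair and we initiated the
- * exchange, drop SA altogether and reinitiate
- */
- if (nprop == 2 && sa->sa_hdr.sh_initiator) {
- del->del_protoid = IKEV2_SAPROTO_IKE;
- del->del_spisize = 0;
- del->del_nspi = 0;
-
- ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
- IKEV2_EXCHANGE_INFORMATIONAL, 0);
+ if (csa->csa_allocated)
+ spi32 = htobe32(csa->csa_spi.spi);
+ else
+ spi32 = htobe32(csa->csa_peerspi);
- log_debug("%s: reinitiate IKE SA", __func__);
- sa_state(env, sa, IKEV2_STATE_CLOSED);
+ if (ikev2_childsa_delete(env, sa, csa->csa_saproto,
+ csa->csa_peerspi, NULL, 0))
+ log_debug("%s: failed to delete CHILD SA %s", __func__,
+ print_spi(csa->csa_peerspi, drop->spi_size));
- sa_free(env, sa);
- timer_register_initiator(env, ikev2_init_ike_sa);
- } else {
- if (csa->csa_allocated)
- spi32 = htobe32(csa->csa_spi.spi);
- else
- spi32 = htobe32(csa->csa_peerspi);
+ /* Send PAYLOAD_DELETE */
- if (ikev2_childsa_delete(env, sa, csa->csa_saproto,
- csa->csa_peerspi, NULL, 0))
- log_debug("%s: failed to delete CHILD SA %s", __func__,
- print_spi(csa->csa_peerspi, drop->spi_size));
+ if ((buf = ibuf_static()) == NULL)
+ return;
+ if ((del = ibuf_advance(buf, sizeof(*del))) == NULL)
+ goto done;
+ del->del_protoid = drop->spi_protoid;
+ del->del_spisize = 4;
+ del->del_nspi = htobe16(1);
+ if (ibuf_add(buf, &spi32, sizeof(spi32)))
+ goto done;
- /* Send PAYLOAD_DELETE */
+ if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
+ IKEV2_EXCHANGE_INFORMATIONAL, 0) == -1)
+ goto done;
- if ((buf = ibuf_static()) == NULL)
- return;
- if ((del = ibuf_advance(buf, sizeof(*del))) == NULL)
- goto done;
- del->del_protoid = drop->spi_protoid;
- del->del_spisize = 4;
- del->del_nspi = htobe16(1);
- if (ibuf_add(buf, &spi32, sizeof(spi32)))
- goto done;
+ sa->sa_stateflags |= IKED_REQ_INF;
- if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
- IKEV2_EXCHANGE_INFORMATIONAL, 0) == 0)
- sa->sa_stateflags |= IKED_REQ_INF;
- }
+ /* Initiate Child SA creation */
+ if (ikev2_send_create_child_sa(env, sa, NULL, drop->spi_protoid))
+ log_warnx("%s: failed to initiate a CREATE_CHILD_SA exchange",
+ __func__);
 done:
 ibuf_release(buf);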
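Review bot: The new code leaks the first `ibuf_static()` result: the `ibuf_static()`/`ibuf_advance()` pair kept as context at the top of the hunk is still executed, but its only consumer was the removed IKE-SA-delete branch, so `buf` is now unconditionally overwritten by the second `ibuf_static()` under "Send PAYLOAD_DELETE" without being released (presumably an allocation, given `ibuf_release(buf)` at `done:`), and the `return;` on that second allocation's failure additionally bypasses `done:`. Dropping the now-dead first `ibuf_static()`/`ibuf_advance()` pair fixes both by leaving the later pair as the sole allocation that `done:` releases; if the first pair is kept for some reason, at minimum `return;` should become `goto done;`. A `ikev2_childsa_delete()` failure is only logged, after which the peer is still sent a DELETE and a new CREATE_CHILD_SA is initiated for an SPI that may remain installed locally; if that is the intent, a comment such as `/* best effort: a stale local SA must not block renegotiating with the peer */` above the log_debug would make it explicit. With the `sh_initiator` condition gone, both peers dropping the same Child SA at about the same time will each initiate CREATE_CHILD_SA, so a simultaneous-rekey collision is possible; whether `ikev2_send_create_child_sa()` tolerates that is not visible here. ikev2_drop_sa begins before this hunk and its closing brace lies past it.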