authorMike Belopuhov <mikeb@cvs.openbsd.org>2011-01-26 16:35:18 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2011-01-26 16:35:18 +0000
commit8209b1916479af05e249e45f22b0525e2ee12cc2 (patch)
tree473bb061c05eed48595bbfa6775bb6fb32a8e4af /sbin/iked
parent42739d2be98a0b5e7e445b8161285c2f089d01b1 (diff)
enable child sas and do sa and flow transfer after succeeding with
all the preparation steps. don't forget to change {flow,csa}_ikesa pointers when transferring to a different ike sa. ok reyk
Diffstat (limited to 'sbin/iked')
-rw-r--r--sbin/iked/ikev2.c51
1 files changed, 25 insertions, 26 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 0b3154a1b5a..0068b7ee3e2 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.43 2011/01/25 10:58:41 mikeb Exp $ */
+/* $OpenBSD: ikev2.c,v 1.44 2011/01/26 16:35:17 mikeb Exp $ */
/* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -2275,22 +2275,6 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg)
sa_state(env, nsa, IKEV2_STATE_AUTH_SUCCESS);
- /* Transfer all Child SAs and flows from the old IKE SA */
- for (flow = TAILQ_FIRST(&sa->sa_flows); flow != NULL;
- flow = nextflow) {
- nextflow = TAILQ_NEXT(flow, flow_entry);
- TAILQ_REMOVE(&sa->sa_flows, flow, flow_entry);
- TAILQ_INSERT_TAIL(&nsa->sa_flows, flow,
- flow_entry);
- }
- for (csa = TAILQ_FIRST(&sa->sa_childsas); csa != NULL;
- csa = nextcsa) {
- nextcsa = TAILQ_NEXT(csa, csa_entry);
- TAILQ_REMOVE(&sa->sa_childsas, csa, csa_entry);
- TAILQ_INSERT_TAIL(&nsa->sa_childsas, csa,
- csa_entry);
- }
-
nonce = nsa->sa_rnonce;
} else {
/* Child SA creating/rekeying */
@@ -2363,11 +2347,6 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg)
log_debug("%s: failed to get CHILD SAs", __func__);
return (-1);
}
-
- if (ikev2_childsa_enable(env, sa)) {
- log_debug("%s: failed to enable CHILD SAs", __func__);
- goto done;
- }
}
if ((e = ibuf_static()) == NULL)
@@ -2417,14 +2396,34 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg)
if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONE) == -1)
goto done;
- ret = ikev2_msg_send_encrypt(env, sa, &e,
- IKEV2_EXCHANGE_CREATE_CHILD_SA, IKEV2_PAYLOAD_SA, 1);
+ if ((ret = ikev2_msg_send_encrypt(env, sa, &e,
+ IKEV2_EXCHANGE_CREATE_CHILD_SA, IKEV2_PAYLOAD_SA, 1)) == -1)
+ goto done;
+
+ if (protoid == IKEV2_SAPROTO_IKE) {
+ /* Transfer all Child SAs and flows from the old IKE SA */
+ for (flow = TAILQ_FIRST(&sa->sa_flows); flow != NULL;
+ flow = nextflow) {
+ nextflow = TAILQ_NEXT(flow, flow_entry);
+ TAILQ_REMOVE(&sa->sa_flows, flow, flow_entry);
+ TAILQ_INSERT_TAIL(&nsa->sa_flows, flow,
+ flow_entry);
+ flow->flow_ikesa = nsa;
+ }
+ for (csa = TAILQ_FIRST(&sa->sa_childsas); csa != NULL;
+ csa = nextcsa) {
+ nextcsa = TAILQ_NEXT(csa, csa_entry);
+ TAILQ_REMOVE(&sa->sa_childsas, csa, csa_entry);
+ TAILQ_INSERT_TAIL(&nsa->sa_childsas, csa,
+ csa_entry);
+ csa->csa_ikesa = nsa;
+ }
- if (ret == 0 && protoid == IKEV2_SAPROTO_IKE) {
log_debug("%s: activating new IKE SA", __func__);
sa_state(env, sa, IKEV2_STATE_CLOSED);
sa_state(env, nsa, IKEV2_STATE_ESTABLISHED);
- }
+ } else
+ ret = ikev2_childsa_enable(env, sa);
done:
if (ret) {