authorClaudio Jeker <claudio@cvs.openbsd.org>2019-05-29 08:48:01 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2019-05-29 08:48:01 +0000
commit8843c55359d5133e4832744c65315f8b9aab0df0 (patch)
treed503657415f772cdef4b2c028ce4038dad36c7fb /usr.sbin/bgpd/bgpd.c
parenteb74bd7b0558a0388295471368cde105bb1f7a45 (diff)
Rework pfkey handling a bit. The old remove then add way of inserting md5sig
hit a race frequently where a session ended up with no key/SPI in the kernel. Since there is no way to do atomic updates of SADB_X_SATYPE_TCPSIGNATURE the code is adding a new one then removing the old one. Also make sure keys are correctly cleared when peers are deconfigured. May not be perfect but a lot better than what was there before. Tested by and OK sthen@
Diffstat (limited to 'usr.sbin/bgpd/bgpd.c')
-rw-r--r--usr.sbin/bgpd/bgpd.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/usr.sbin/bgpd/bgpd.c b/usr.sbin/bgpd/bgpd.c
index be8bec14fc4..f252a83781f 100644
--- a/usr.sbin/bgpd/bgpd.c
+++ b/usr.sbin/bgpd/bgpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bgpd.c,v 1.218 2019/05/27 09:14:32 claudio Exp $ */
+/* $OpenBSD: bgpd.c,v 1.219 2019/05/29 08:48:00 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -799,11 +799,9 @@ dispatch_imsg(struct imsgbuf *ibuf, int idx, struct bgpd_config *conf)
log_warnx("pfkey reload: no such peer: id=%u",
imsg.hdr.peerid);
else {
- pfkey_remove(p);
- if (pfkey_establish(p) == -1) {
+ if (pfkey_establish(p) == -1)
log_peer_warnx(&p->conf,
"pfkey setup failed");
- }
}
break;
case IMSG_CTL_RELOAD:
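Review bot: The failure branch of `pfkey_establish(p)` in the pfkey-reload case only logs `"pfkey setup failed"` and falls through to `break`, so neither the operator nor the code can tell whether the peer still has its previous TCP MD5 SA in the kernel or none at all. With `pfkey_remove(p)` gone, this call site depends on pfkey_establish() installing the new SA before deleting the old one, and that logic lives outside this file section, so it cannot be checked from here. I would add a comment above the call stating that contract and what SA state is left behind when it returns -1. I would also make the warning specific to this path, e.g. `log_peer_warnx(&p->conf, "pfkey reload failed");`, so it can be told apart from an initial setup failure in the logs. The enclosing switch in dispatch_imsg() starts and ends outside the hunk.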