charon-tkm: Select other ESA if any is present upon deletion

In the case that multiple ESAs exist (e.g. rekey collision) for a
security policy, make sure to select one of the remaining ESAs.

diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index 30c8e102265f95ce38c782446b96b401e2f55e2f..e94a3b5c28d1cf645665cf3a643cd8197bf8e5d0 100644 (file)
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -217,11 +217,22 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
        private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
        u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
-       esa_id_type esa_id;
+       esa_id_type esa_id, other_esa_id;
 
        esa_id = tkm->sad->get_esa_id(tkm->sad, src, dst, spi, protocol);
        if (esa_id)
        {
+               other_esa_id = tkm->sad->get_other_esa_id(tkm->sad, esa_id);
+               if (other_esa_id)
+               {
+                       DBG1(DBG_KNL, "selecting child SA (esa: %llu)", other_esa_id);
+                       if (ike_esa_select(other_esa_id) != TKM_OK)
+                       {
+                               DBG1(DBG_KNL, "error selecting other child SA (esa: %llu)",
+                                               other_esa_id);
+                       }
+               }
+
                DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
                         ntohl(spi));
                if (ike_esa_reset(esa_id) != TKM_OK)