ikev2: Send deletes also for rekeyed SAs
authorTobias Brunner <tobias@strongswan.org>
Wed, 17 Jun 2020 14:04:10 +0000 (16:04 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 29 Jun 2022 08:28:50 +0000 (10:28 +0200)
This way we can use the IKE_REKEYED state for both redundant and old SAs
to suppress ike_updown().

In the ike-delete task we don't suppress events in state IKE_REKEYING as
that's the case when we delete an SA the peer is currently rekeying with
multiple key exchanges.

src/libcharon/sa/ike_sa.c
src/libcharon/sa/ikev2/tasks/ike_delete.c
src/libcharon/sa/ikev2/tasks/ike_rekey.c

index e7ada463b1c35cab9818270f3845278d7f55c38b..0d554204d25438a3861b4721ca48eac4dd471394 100644 (file)
@@ -1883,6 +1883,7 @@ METHOD(ike_sa_t, delete_, status_t,
        {
                case IKE_ESTABLISHED:
                case IKE_REKEYING:
+               case IKE_REKEYED:
                        if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
                                !(this->version == IKEV1 && this->state == IKE_REKEYING))
                        {       /* IKE_SA hard lifetime hit, ignored for reauthenticated
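Review bot: The new `case IKE_REKEYED:` label also admits SAs that never reached IKE_ESTABLISHED into the hard-lifetime branch that follows: ike_rekey.c now puts a redundant new SA into IKE_REKEYED right before deleting it, and if `this->stats[STAT_DELETE]` is still at its initial value for such an SA (its initialization is not visible here), `time_monotonic(NULL) >= this->stats[STAT_DELETE]` holds and whatever the branch does for an expired SA runs for one that merely lost a rekey collision. If the branch is meant only for SAs that actually hit their hard lifetime, exclude the new state from the check, e.g. `if (this->state != IKE_REKEYED && time_monotonic(NULL) >= this->stats[STAT_DELETE] && !(this->version == IKEV1 && this->state == IKE_REKEYING))`, or gate on STAT_DELETE having been set. A one-line comment on the new label, `/* IKE_REKEYED: old or redundant SAs are now deleted explicitly */`, would also record why the case was added. delete_ starts before the hunk and its body continues past it.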
index 00235c53d5c8712553bae027177e9b47b2919244..aa9c017345dfefa1f021dc699a53bed61463b340 100644 (file)
@@ -65,9 +65,8 @@ METHOD(task_t, build_i, status_t,
        delete_payload = delete_payload_create(PLV2_DELETE, PROTO_IKE);
        message->add_payload(message, (payload_t*)delete_payload);
 
-       if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING ||
-               this->ike_sa->get_state(this->ike_sa) == IKE_REKEYED)
-       {
+       if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYED)
+       {       /* suppress events when deleting old or redundant SAs */
                this->rekeyed = TRUE;
        }
        this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
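Review bot: The comment on the narrowed condition says what is suppressed but not why IKE_REKEYING was dropped from it, which is the non-obvious part of this change: per the commit message an SA still in IKE_REKEYING here is one the peer is rekeying with multiple key exchanges, so its up/down events must be reported. Making that explicit keeps the state from being re-added later, e.g. `/* suppress events only for old or redundant SAs (IKE_REKEYED); an SA still in IKE_REKEYING is one the peer is rekeying with multiple key exchanges and must report its events */`. build_i starts before the hunk and continues after it.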
index aac908ee6bf4827b297696fb378004f582355551..85c47efc09ccbf209b7a14e2290cab479c09791b 100644 (file)
@@ -376,9 +376,7 @@ METHOD(task_t, process_i, status_t,
                        this->new_sa->set_my_host(this->new_sa, host->clone(host));
                        host = this->ike_sa->get_other_host(this->ike_sa);
                        this->new_sa->set_other_host(this->new_sa, host->clone(host));
-                       /* IKE_SAs in state IKE_REKEYED are silently deleted, so we use
-                        * IKE_REKEYING */
-                       this->new_sa->set_state(this->new_sa, IKE_REKEYING);
+                       this->new_sa->set_state(this->new_sa, IKE_REKEYED);
                        if (this->new_sa->delete(this->new_sa, FALSE) == DESTROY_ME)
                        {
                                this->new_sa->destroy(this->new_sa);
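Review bot: The removed comment is not replaced, so `set_state(this->new_sa, IKE_REKEYED)` now reads as an arbitrary state change before the delete; its effect depends on ike_delete.c treating IKE_REKEYED as the signal to suppress ike_updown() and on ike_sa.c sending a DELETE in that state, neither of which is visible in this file. A short why-comment keeps that cross-file coupling discoverable: `/* IKE_REKEYED marks the SA as redundant: the delete is still sent to the peer, but ike_updown() is suppressed */`. process_i starts before the hunk, and its handling of the non-DESTROY_ME return continues past it.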