From: Tobias Brunner
Date: Wed, 17 Jun 2020 14:04:10 +0000 (+0200)
Subject: ikev2: Send deletes also for rekeyed SAs
X-Git-Tag: 5.9.7dr2~1^2~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d6ed71a5522d77479f6c75140b137d54a17a6cb;p=thirdparty%2Fstrongswan.git

ikev2: Send deletes also for rekeyed SAs

This way we can use the IKE_REKEYED state for both redundant and old SAs to suppress ike_updown(). In the ike-delete task we don't suppress events in state IKE_REKEYING as that's the case when we delete an SA the peer is currently rekeying with multiple key exchanges.
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index e7ada463b1..0d554204d2 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1883,6 +1883,7 @@ METHOD(ike_sa_t, delete_, status_t,
 {
 case IKE_ESTABLISHED:
 case IKE_REKEYING:
+ case IKE_REKEYED:
 if (time_monotonic(NULL) >= this->stats[STAT_DELETE] && !(this->version == IKEV1 && this->state == IKE_REKEYING))
 {
 /* IKE_SA hard lifetime hit, ignored for reauthenticated
diff --git a/src/libcharon/sa/ikev2/tasks/ike_delete.c b/src/libcharon/sa/ikev2/tasks/ike_delete.c
index 00235c53d5..aa9c017345 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_delete.c
@@ -65,9 +65,8 @@ METHOD(task_t, build_i, status_t,
 delete_payload = delete_payload_create(PLV2_DELETE, PROTO_IKE);
 message->add_payload(message, (payload_t*)delete_payload);
- if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING ||
- this->ike_sa->get_state(this->ike_sa) == IKE_REKEYED)
- {
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYED)
+ { /* suppress events when deleting old or redundant SAs */
 this->rekeyed = TRUE;
 }
 this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
index aac908ee6b..85c47efc09 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
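Review bot: The new `case IKE_REKEYED:` label in delete_() carries no comment, and the IKEv1 exclusion on the condition right below it still names only IKE_REKEYING, so an IKEv1 SA that reached delete_() in state IKE_REKEYED would now enter the hard-lifetime branch; whether that state is reachable for IKEv1 is not visible in this hunk and is worth confirming. A one-line comment on the label, e.g. `/* old and redundant SAs after a rekeying now send a delete as well; the ike-delete task suppresses their events */`, would tie this case to the behaviour the commit relies on. delete_()'s body starts before this hunk and continues past it.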
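Review bot: In build_i() the comment is now glued to the opening-brace line (`{ /* suppress events when deleting old or redundant SAs */`) and no longer says why IKE_REKEYING was dropped from the condition, which is the substance of this change. Moving it above the `if` and stating the distinction — `/* suppress events when deleting old or redundant SAs (IKE_REKEYED); an SA in IKE_REKEYING may be one the peer is still rekeying with multiple key exchanges, so its events are kept */` — keeps the rationale next to the code instead of only in the commit log. build_i()'s body starts before this hunk and continues past it.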
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -376,9 +376,7 @@ METHOD(task_t, process_i, status_t,
 this->new_sa->set_my_host(this->new_sa, host->clone(host));
 host = this->ike_sa->get_other_host(this->ike_sa);
 this->new_sa->set_other_host(this->new_sa, host->clone(host));
- /* IKE_SAs in state IKE_REKEYED are silently deleted, so we use
- * IKE_REKEYING */
- this->new_sa->set_state(this->new_sa, IKE_REKEYING);
+ this->new_sa->set_state(this->new_sa, IKE_REKEYED);
 if (this->new_sa->delete(this->new_sa, FALSE) == DESTROY_ME)
 {
 this->new_sa->destroy(this->new_sa);
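Review bot: Dropping the old comment leaves `this->new_sa->set_state(this->new_sa, IKE_REKEYED);` with no explanation of why the redundant SA is moved into IKE_REKEYED before `delete()`, which a reader of process_i() alone cannot reconstruct now that the state's meaning has changed. Suggest a replacement such as `/* mark the redundant SA as rekeyed so a delete is sent but no ike_updown() is triggered */`, taken from the commit message. process_i() starts before this hunk and continues past it.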