vici: Don't use a default rand_time larger than half of rekey/reauth_time
authorMartin Willi <martin@revosec.ch>
Tue, 3 Feb 2015 10:56:15 +0000 (11:56 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 3 Mar 2015 12:49:14 +0000 (13:49 +0100)
src/libcharon/plugins/vici/vici_config.c

index 3ecb10f..6491610 100644 (file)
@@ -1831,9 +1831,17 @@ CALLBACK(config_sn, bool,
        }
        if (peer.rand_time == LFT_UNDEFINED)
        {
-               /* default rand_time to over_time if not given */
-               peer.rand_time = min(peer.over_time,
-                                                        max(peer.rekey_time, peer.reauth_time) / 2);
+               /* default rand_time to over_time if not given, but don't make it
+                * longer than half of rekey/rauth time */
+               if (peer.rekey_time && peer.reauth_time)
+               {
+                       peer.rand_time = min(peer.rekey_time, peer.reauth_time);
+               }
+               else
+               {
+                       peer.rand_time = max(peer.rekey_time, peer.reauth_time);
+               }
+               peer.rand_time = min(peer.over_time, peer.rand_time / 2);
        }
 
        log_peer_data(&peer);
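Review bot: The new comment at the top of the added block misspells "reauth" as "rauth", and it still says rand_time defaults to over_time even though the code now takes the smaller non-zero of rekey_time/reauth_time, halves it, and only then caps at over_time; suggest `/* default rand_time to over_time if not given, but never make it` / ` * longer than half of the smaller non-zero rekey/reauth time */`. A one-line why-comment on the final `min(...)` would help later readers, since the cap presumably exists so the random offset cannot consume the whole rekey/reauth lifetime; hedge it as `/* presumably keeps the jittered lifetime positive -- confirm against the lifetime scheduling code */` as that subtraction is not visible in this hunk. When both rekey_time and reauth_time are zero, max() yields zero and rand_time becomes min(over_time, 0), which looks intended (nothing to jitter) but is worth confirming once over_time's defaulting, set above this hunk, is in view. config_sn starts and ends outside the hunk.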