mem-pool: add option for reusing online leases, and disable it by default
authorMartin Willi <martin@revosec.ch>
Wed, 24 Jul 2013 14:20:46 +0000 (16:20 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 29 Jul 2013 06:56:09 +0000 (08:56 +0200)
Mainly for reauthentication with third party implementations, we allowed reusing
an online lease, but only for the same peer identity and only when it
explicitly requested the same address.

This has always been problematic, because it changes the reqid of the CHILD_SA
with the same traffic selectors, breaking the old tunnel. As we now reject
such policy overwrites, this usually lets the installation of the new policies
fail. We therefore disable reassignment of online leases by default.

src/libhydra/attributes/mem_pool.c

index 9b9bc93..77567ce 100644 (file)
@@ -16,6 +16,8 @@
 
 #include "mem_pool.h"
 
+#include <library.h>
+#include <hydra.h>
 #include <utils/debug.h>
 #include <collections/hashtable.h>
 #include <collections/array.h>
@@ -63,6 +65,11 @@ struct private_mem_pool_t {
         * lock to safely access the pool
         */
        mutex_t *mutex;
+
+       /**
+        * Do we reassign online leases to the same identity, if requested?
+        */
+       bool reassign_online;
 };
 
 /**
@@ -258,7 +265,10 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
                DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
                return offset;
        }
-
+       if (!this->reassign_online)
+       {
+               return 0;
+       }
        /* check for a valid online lease to reassign */
        enumerator = array_create_enumerator(entry->online);
        while (enumerator->enumerate(enumerator, &current))
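Review bot: The new `return 0;` under `if (!this->reassign_online)` has no comment saying that 0 is the "no lease found" result rather than an error, and the blank line that separated the offline-lease branch from what follows was dropped at the same time; suggest keeping the blank line and adding `/* reassigning online leases is disabled, treat as not found */` above the `if`. get_existing starts and ends outside this hunk, so it cannot be confirmed here that nothing acquired earlier in the function (for example an enumerator from the preceding offline-lease loop) is still live at this early return; worth checking that the offline loop has already destroyed its enumerator before control reaches this point.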
@@ -562,6 +572,8 @@ static private_mem_pool_t *create_generic(char *name)
                .leases = hashtable_create((hashtable_hash_t)id_hash,
                                                                   (hashtable_equals_t)id_equals, 16),
                .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+               .reassign_online = lib->settings->get_bool(lib->settings,
+                                                       "%s.mem-pool.reassign_online", FALSE, hydra->daemon),
        );
 
        return this;
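Review bot: `reassign_online` is read from `lib->settings` once in create_generic, so a pool keeps the value that was configured when it was created; if the daemon reloads settings afterwards, existing pools presumably keep the old behaviour, and that should be documented where the option is described. The field comment added in the earlier `struct private_mem_pool_t` hunk would be more useful if it named the option and this fixed-at-creation semantic, e.g. `/** Reassign online leases to the same identity if requested? Read once from %s.mem-pool.reassign_online at pool creation. */`. The new `<library.h>` and `<hydra.h>` includes in the first hunk are consistent with the `lib` and `hydra` references introduced here. create_generic begins outside the hunk.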