ikev1: Send DELETE for rekeyed IKE_SAs
authorTobias Brunner <tobias@strongswan.org>
Mon, 22 Aug 2016 10:26:05 +0000 (12:26 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 4 Oct 2016 08:14:43 +0000 (10:14 +0200)
If we silently delete the IKE_SA, the other peer might still use it, even
if only to send DPDs.  If we don't answer those DPDs, that might result in the
deletion of the new IKE_SA too.

src/libcharon/sa/ike_sa.c

index ceeafcb..7b87918 100644 (file)
@@ -1781,16 +1781,12 @@ METHOD(ike_sa_t, delete_, status_t,
 {
        switch (this->state)
        {
-               case IKE_REKEYING:
-                       if (this->version == IKEV1)
-                       {       /* SA has been reauthenticated, delete */
-                               charon->bus->ike_updown(charon->bus, &this->public, FALSE);
-                               break;
-                       }
-                       /* FALL */
                case IKE_ESTABLISHED:
-                       if (time_monotonic(NULL) >= this->stats[STAT_DELETE])
-                       {       /* IKE_SA hard lifetime hit */
+               case IKE_REKEYING:
+                       if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
+                               !(this->version == IKEV1 && this->state == IKE_REKEYING))
+                       {       /* IKE_SA hard lifetime hit, ignored for reauthenticated
+                                * IKEv1 SAs */
                                charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
                        }
                        this->task_manager->queue_ike_delete(this->task_manager);
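Review bot: The removed IKEV1/IKE_REKEYING branch raised `charon->bus->ike_updown(charon->bus, &this->public, FALSE)` directly, and the new side no longer does; the reauthenticated IKEv1 SA now goes through queue_ike_delete like an established one, so the change only keeps listeners (updown hooks, HA, monitoring) informed if the queued delete task raises ike_updown itself, which is not visible from this hunk and should be confirmed. It would also help to note in the comment that the alert is not the only thing suppressed here, e.g. `/* hard lifetime hit; for a reauthenticated IKEv1 SA the expiry alert is skipped and the delete task raises ike_updown */`, adjusted to whatever the task actually does. The combined condition is easier to read with the special case named: `bool reauthed = this->version == IKEV1 && this->state == IKE_REKEYING;` followed by `if (!reauthed && time_monotonic(NULL) >= this->stats[STAT_DELETE])`. The body of delete_ continues past the end of the hunk.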