summaryrefslogtreecommitdiff
path: root/src/libcharon/processing/jobs/adopt_children_job.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcharon/processing/jobs/adopt_children_job.c')
-rw-r--r--src/libcharon/processing/jobs/adopt_children_job.c58
1 files changed, 45 insertions, 13 deletions
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index fb480eee2..c8a9c17de 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2012 Martin Willi
* Copyright (C) 2012 revosec AG
*
@@ -54,10 +57,10 @@ METHOD(job_t, execute, job_requeue_t,
private_adopt_children_job_t *this)
{
identification_t *my_id, *other_id, *xauth;
- host_t *me, *other;
+ host_t *me, *other, *vip;
peer_cfg_t *cfg;
- linked_list_t *children;
- enumerator_t *enumerator, *childenum;
+ linked_list_t *children, *vips;
+ enumerator_t *enumerator, *subenum;
ike_sa_id_t *id;
ike_sa_t *ike_sa;
child_sa_t *child_sa;
@@ -81,7 +84,8 @@ METHOD(job_t, execute, job_requeue_t,
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- /* find old SA to adopt children from */
+ /* find old SA to adopt children and virtual IPs from */
+ vips = linked_list_create();
children = linked_list_create();
enumerator = charon->ike_sa_manager->create_id_enumerator(
charon->ike_sa_manager, my_id, xauth,
@@ -102,18 +106,29 @@ METHOD(job_t, execute, job_requeue_t,
other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) &&
cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))
{
- childenum = ike_sa->create_child_sa_enumerator(ike_sa);
- while (childenum->enumerate(childenum, &child_sa))
+ subenum = ike_sa->create_child_sa_enumerator(ike_sa);
+ while (subenum->enumerate(subenum, &child_sa))
{
- ike_sa->remove_child_sa(ike_sa, childenum);
+ ike_sa->remove_child_sa(ike_sa, subenum);
children->insert_last(children, child_sa);
}
- childenum->destroy(childenum);
- if (children->get_count(children))
+ subenum->destroy(subenum);
+
+ subenum = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+ while (subenum->enumerate(subenum, &vip))
+ {
+ vips->insert_last(vips, vip->clone(vip));
+ }
+ subenum->destroy(subenum);
+ /* this does not release the addresses, which is good, but
+ * it does trigger an assign_vips(FALSE) event, so we also
+ * trigger one below */
+ ike_sa->clear_virtual_ips(ike_sa, FALSE);
+ if (children->get_count(children) || vips->get_count(vips))
{
DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
- "adopting %d children",
- children->get_count(children));
+ "adopting %d children and %d virtual IPs",
+ children->get_count(children), vips->get_count(vips));
}
ike_sa->set_state(ike_sa, IKE_DELETING);
charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
@@ -125,7 +140,7 @@ METHOD(job_t, execute, job_requeue_t,
charon->ike_sa_manager->checkin(
charon->ike_sa_manager, ike_sa);
}
- if (children->get_count(children))
+ if (children->get_count(children) || vips->get_count(vips))
{
break;
}
@@ -140,7 +155,7 @@ METHOD(job_t, execute, job_requeue_t,
xauth->destroy(xauth);
cfg->destroy(cfg);
- if (children->get_count(children))
+ if (children->get_count(children) || vips->get_count(vips))
{
/* adopt children by new SA */
ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
@@ -152,10 +167,27 @@ METHOD(job_t, execute, job_requeue_t,
{
ike_sa->add_child_sa(ike_sa, child_sa);
}
+ if (vips->get_count(vips))
+ {
+ while (vips->remove_first(vips, (void**)&vip) == SUCCESS)
+ {
+ ike_sa->add_virtual_ip(ike_sa, FALSE, vip);
+ vip->destroy(vip);
+ }
+ charon->bus->assign_vips(charon->bus, ike_sa, TRUE);
+ }
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
}
}
children->destroy_offset(children, offsetof(child_sa_t, destroy));
+ /* FIXME: If we still have addresses here it means we weren't able to
+ * find the new SA anymore (while not very likely during a proper
+ * reauthentication, this theoretically could happen because the SA is
+ * not locked while we search for the old one). So the addresses here
+ * should be released properly to avoid leaking these leases. This is
+ * currently not possible, though, due to the changed interface of
+ * release_address(), which now takes a complete IKE_SA object. */
+ vips->destroy_offset(vips, offsetof(host_t, destroy));
if (array_count(this->tasks))
{