aboutsummaryrefslogtreecommitdiffstats
path: root/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
blob: 666355757f70a19f970b92dd1564131956eb6fde (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
From e0189de4c7b8df5cb61c7b0e771dcc5534e9cc06 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 17 Jul 2015 11:53:58 +0200
Subject: [PATCH] ike: Adhere to IKE_SA limit when checking out by config

This prevents new SAs from getting created if we hit the global IKE_SA
limit (we still allow checkout_new(), which is used for rekeying).
---
 src/libcharon/sa/ike_sa_manager.c | 63 ++++++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 30 deletions(-)

diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 51b7f2c..20b6e50 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1346,44 +1346,47 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 
 	DBG2(DBG_MGR, "checkout IKE_SA by config");
 
-	if (!this->reuse_ikesa)
-	{	/* IKE_SA reuse disable by config */
-		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
-		charon->bus->set_sa(charon->bus, ike_sa);
-		return ike_sa;
-	}
-
-	enumerator = create_table_enumerator(this);
-	while (enumerator->enumerate(enumerator, &entry, &segment))
+	if (this->reuse_ikesa)
 	{
-		if (!wait_for_entry(this, entry, segment))
+		enumerator = create_table_enumerator(this);
+		while (enumerator->enumerate(enumerator, &entry, &segment))
 		{
-			continue;
-		}
-		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
-		{	/* skip IKE_SAs which are not usable */
-			continue;
-		}
-
-		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
-		if (current_peer && current_peer->equals(current_peer, peer_cfg))
-		{
-			current_ike = current_peer->get_ike_cfg(current_peer);
-			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
+			if (!wait_for_entry(this, entry, segment))
 			{
-				entry->checked_out = TRUE;
-				ike_sa = entry->ike_sa;
-				DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
-						ike_sa->get_unique_id(ike_sa),
-						current_peer->get_name(current_peer));
-				break;
+				continue;
+			}
+			if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
+			{	/* skip IKE_SAs which are not usable */
+				continue;
+			}
+			current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+			if (current_peer && current_peer->equals(current_peer, peer_cfg))
+			{
+				current_ike = current_peer->get_ike_cfg(current_peer);
+				if (current_ike->equals(current_ike,
+										peer_cfg->get_ike_cfg(peer_cfg)))
+				{
+					entry->checked_out = TRUE;
+					ike_sa = entry->ike_sa;
+					DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
+							ike_sa->get_unique_id(ike_sa),
+							current_peer->get_name(current_peer));
+					break;
+				}
 			}
 		}
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
 
 	if (!ike_sa)
-	{	/* no IKE_SA using such a config, hand out a new */
+	{	/* no IKE_SA using such a config, or reuse disabled, hand out a new */
+		if (this->ikesa_limit &&
+			this->public.get_count(&this->public) >= this->ikesa_limit)
+		{
+			DBG1(DBG_MGR, "IKE_SA creation failed, hitting IKE_SA limit (%u)",
+				 this->ikesa_limit);
+			return NULL;
+		}
 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
 	}
 	charon->bus->set_sa(charon->bus, ike_sa);
-- 
2.4.6