Add an option to delete any established IKE_SA if RADIUS server is not responding

1 files changed, 47 insertions, 1 deletions

diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 75d7f8b96..c32f52183 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -24,9 +24,10 @@
 #include <radius_client.h>
 #include <radius_config.h>
 
-#include <daemon.h>
 #include <hydra.h>
 #include <threading/rwlock.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 /**
  * Default RADIUS server port for authentication
@@ -320,3 +321,48 @@ radius_client_t *eap_radius_create_client()
 	}
 	return NULL;
 }
+
+/**
+ * Job to delete all active IKE_SAs
+ */
+static job_requeue_t delete_all_async(void *data)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+
+	enumerator = charon->ike_sa_manager->create_enumerator(
+												charon->ike_sa_manager, TRUE);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		lib->processor->queue_job(lib->processor,
+				(job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
+	}
+	enumerator->destroy(enumerator);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * See header.
+ */
+void eap_radius_handle_timeout(ike_sa_id_t *id)
+{
+	charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
+
+	if (lib->settings->get_bool(lib->settings,
+								"%s.plugins.eap-radius.close_all_on_timeout",
+								FALSE, charon->name))
+	{
+		DBG1(DBG_CFG, "deleting all IKE_SAs after RADIUS timeout");
+		lib->processor->queue_job(lib->processor,
+				(job_t*)callback_job_create_with_prio(
+						(callback_job_cb_t)delete_all_async, NULL, NULL,
+						(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	}
+	else if (id)
+	{
+		DBG1(DBG_CFG, "deleting IKE_SA after RADIUS timeout");
+		lib->processor->queue_job(lib->processor,
+				(job_t*)delete_ike_sa_job_create(id, TRUE));
+	}
+}