6 files changed, 238 insertions, 12 deletions
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
new file mode 100644
index 000000000..93da960f8
--- /dev/null
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "adopt_children_job.h"
+
+#include <daemon.h>
+#include <hydra.h>
+
+typedef struct private_adopt_children_job_t private_adopt_children_job_t;
+
+/**
+ * Private data of an adopt_children_job_t object.
+ */
+struct private_adopt_children_job_t {
+
+	/**
+	 * Public adopt_children_job_t interface.
+	 */
+	adopt_children_job_t public;
+
+	/**
+	 * IKE_SA id to adopt children from
+	 */
+	ike_sa_id_t *id;
+};
+
+METHOD(job_t, destroy, void,
+	private_adopt_children_job_t *this)
+{
+	this->id->destroy(this->id);
+	free(this);
+}
+
+METHOD(job_t, execute, void,
+	private_adopt_children_job_t *this)
+{
+	identification_t *my_id, *other_id, *xauth;
+	host_t *me, *other;
+	peer_cfg_t *cfg;
+	linked_list_t *children;
+	enumerator_t *enumerator, *childenum;
+	ike_sa_id_t *id;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id);
+	if (ike_sa)
+	{
+		/* get what we need from new SA */
+		me = ike_sa->get_my_host(ike_sa);
+		me = me->clone(me);
+		other = ike_sa->get_other_host(ike_sa);
+		other = other->clone(other);
+		my_id = ike_sa->get_my_id(ike_sa);
+		my_id = my_id->clone(my_id);
+		other_id = ike_sa->get_other_id(ike_sa);
+		other_id = other_id->clone(other_id);
+		xauth = ike_sa->get_other_eap_id(ike_sa);
+		xauth = xauth->clone(xauth);
+		cfg = ike_sa->get_peer_cfg(ike_sa);
+		cfg->get_ref(cfg);
+
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
+		/* find old SA to adopt children from */
+		children = linked_list_create();
+		enumerator = charon->ike_sa_manager->create_id_enumerator(
+									charon->ike_sa_manager, my_id, other_id,
+									other->get_family(other));
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			if (id->equals(id, this->id))
+			{	/* not from self */
+				continue;
+			}
+			ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
+			if (ike_sa)
+			{
+				if ((ike_sa->get_state(ike_sa) == IKE_ESTABLISHED ||
+					 ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&
+					me->equals(me, ike_sa->get_my_host(ike_sa)) &&
+					other->equals(other, ike_sa->get_other_host(ike_sa)) &&
+					xauth->equals(xauth, ike_sa->get_other_eap_id(ike_sa)) &&
+					cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))
+				{
+					childenum = ike_sa->create_child_sa_enumerator(ike_sa);
+					while (childenum->enumerate(childenum, &child_sa))
+					{
+						ike_sa->remove_child_sa(ike_sa, childenum);
+						children->insert_last(children, child_sa);
+					}
+					childenum->destroy(childenum);
+					DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
+						 "adopting %d children", children->get_count(children));
+					ike_sa->set_state(ike_sa, IKE_DELETING);
+					charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
+					charon->ike_sa_manager->checkin_and_destroy(
+											charon->ike_sa_manager, ike_sa);
+				}
+				else
+				{
+					charon->ike_sa_manager->checkin(
+											charon->ike_sa_manager, ike_sa);
+				}
+				if (children->get_count(children))
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		me->destroy(me);
+		other->destroy(other);
+		my_id->destroy(my_id);
+		other_id->destroy(other_id);
+		xauth->destroy(xauth);
+		cfg->destroy(cfg);
+
+		if (children->get_count(children))
+		{
+			/* adopt children by new SA */
+			ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+													  this->id);
+			if (ike_sa)
+			{
+				while (children->remove_last(children,
+											 (void**)&child_sa) == SUCCESS)
+				{
+					ike_sa->add_child_sa(ike_sa, child_sa);
+				}
+				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			}
+		}
+		children->destroy_offset(children, offsetof(child_sa_t, destroy));
+	}
+	destroy(this);
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+	private_adopt_children_job_t *this)
+{
+	return JOB_PRIO_HIGH;
+}
+
+/**
+ * See header
+ */
+adopt_children_job_t *adopt_children_job_create(ike_sa_id_t *id)
+{
+	private_adopt_children_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.get_priority = _get_priority,
+				.destroy = _destroy,
+			},
+		},
+		.id = id->clone(id),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/adopt_children_job.h b/src/libcharon/processing/jobs/adopt_children_job.h
new file mode 100644
index 000000000..073504abd
--- /dev/null
+++ b/src/libcharon/processing/jobs/adopt_children_job.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup adopt_children_job adopt_children_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef ADOPT_CHILDREN_JOB_H_
+#define ADOPT_CHILDREN_JOB_H_
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+typedef struct adopt_children_job_t adopt_children_job_t;
+
+/**
+ * Job adopting children after IKEv1 reauthentication from old SA.
+ */
+struct adopt_children_job_t {
+
+	/**
+	 * Implements job_t.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Create a adopt_children_job instance.
+ *
+ * @param id		ike_sa_id_t of old ISAKMP SA to adopt children from
+ * @return			job
+ */
+adopt_children_job_t *adopt_children_job_create(ike_sa_id_t *id);
+
+#endif /** ADOPT_CHILDREN_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c
index bd8bb9562..ac1dfd663 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.c
@@ -44,6 +44,11 @@ struct private_delete_child_sa_job_t {
 	 * inbound SPI of the CHILD_SA
 	 */
 	u_int32_t spi;
+
+	/**
+	 * Delete for an expired CHILD_SA
+	 */
+	bool expired;
 };
 
 METHOD(job_t, destroy, void,
@@ -66,7 +71,7 @@ METHOD(job_t, execute, void,
 	}
 	else
 	{
-		ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi);
+		ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi, this->expired);
 
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
@@ -83,8 +88,7 @@ METHOD(job_t, get_priority, job_priority_t,
  * Described in header
  */
 delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
-												  protocol_id_t protocol,
-												  u_int32_t spi)
+							protocol_id_t protocol, u_int32_t spi, bool expired)
 {
 	private_delete_child_sa_job_t *this;
 
@@ -99,6 +103,7 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
 		.reqid = reqid,
 		.protocol = protocol,
 		.spi = spi,
+		.expired = expired,
 	);
 
 	return &this->public;
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h
index fc0e2b518..be6d578bc 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.h
@@ -50,10 +50,10 @@ struct delete_child_sa_job_t {
  * @param reqid		reqid of the CHILD_SA, as used in kernel
  * @param protocol	protocol of the CHILD_SA
  * @param spi		security parameter index of the CHILD_SA
+ * @param expired	TRUE if CHILD_SA already expired
  * @return			delete_child_sa_job_t object
  */
 delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
-												  protocol_id_t protocol,
-												  u_int32_t spi);
+							protocol_id_t protocol, u_int32_t spi, bool expired);
 
 #endif /** DELETE_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 251b9ab03..55fc0093a 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -108,7 +108,7 @@ METHOD(job_t, execute, void,
 			{
 				DBG1(DBG_JOB, "deleting CHILD_SA after %d seconds "
 					 "of inactivity", this->timeout);
-				status = ike_sa->delete_child_sa(ike_sa, proto, delete);
+				status = ike_sa->delete_child_sa(ike_sa, proto, delete, FALSE);
 			}
 		}
 		if (status == DESTROY_ME)
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
index b65181ef8..294ac154a 100644
--- a/src/libcharon/processing/jobs/start_action_job.c
+++ b/src/libcharon/processing/jobs/start_action_job.c
@@ -46,14 +46,9 @@ METHOD(job_t, execute, void,
 	char *name;
 
 	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-													NULL, NULL, NULL, NULL);
+											NULL, NULL, NULL, NULL, IKE_ANY);
 	while (enumerator->enumerate(enumerator, &peer_cfg))
 	{
-		if (peer_cfg->get_ike_version(peer_cfg) != 2)
-		{
-			continue;
-		}
-
 		children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 		while (children->enumerate(children, &child_cfg))
 		{