From 5fd9e5fd009995ce0b6fed738efc00d90a0d1f89 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Thu, 17 Jul 2014 15:22:29 +0200 Subject: android: Terminate IKE_SA if initial IKE_SA_INIT fails Since VpnStateService.disconnect() is now not called until the error dialog is dismissed the daemon would continue to try connecting. So while the error dialog is shown the connection might actually be successfully established in the background, which is not intended. This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of the second connection attempt (due to keyingtries=0). --- .../jni/libandroidbridge/backend/android_service.c | 24 +++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) (limited to 'src/frontends/android/jni/libandroidbridge/backend/android_service.c') diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c index fb8f93311..5a85d3026 100644 --- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c +++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c @@ -407,6 +407,17 @@ static void close_tun_device(private_android_service_t *this) close(tunfd); } +/** + * Terminate the IKE_SA with the given unique ID + */ +CALLBACK(terminate, job_requeue_t, + u_int32_t *id) +{ + charon->controller->terminate_ike(charon->controller, *id, + controller_cb_empty, NULL, 0); + return JOB_REQUEUE_NONE; +} + METHOD(listener_t, child_updown, bool, private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up) @@ -476,9 +487,20 @@ METHOD(listener_t, alert, bool, case ALERT_PEER_INIT_UNREACHABLE: this->lock->read_lock(this->lock); if (this->tunfd < 0) - { /* only handle this if we are not reestablishing the SA */ + { + u_int32_t *id = malloc_thing(u_int32_t); + + /* always fail if we are not able to initiate the IKE_SA + * initially */ charonservice->update_status(charonservice, CHARONSERVICE_UNREACHABLE_ERROR); + /* terminate the IKE_SA so no further keying tries are + * attempted */ + *id = ike_sa->get_unique_id(ike_sa); + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio( + (callback_job_cb_t)terminate, id, free, + (callback_job_cancel_t)return_false, JOB_PRIO_HIGH)); } this->lock->unlock(this->lock); break; -- cgit v1.2.3