SAs are valid (but dying) when they reached soft lifetime,

even if they have never been used. Approved by: gnn(mentor) MFC after: 2 weeks
svn path=/head/; revision=189406
2009-03-05 16:22:32 +00:00 · 2009-03-05 16:22:32 +00:00 · e985f4e07c · 2020-12-20 02:59:44 +00:00
commit e985f4e07c
parent c3beab6ac5
1 changed files with 7 additions and 14 deletions
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@ -4154,22 +4154,15 @@ key_flush_sad(time_t now)
 			/* check SOFT lifetime */
 			if (sav->lft_s->addtime != 0 &&
 			    now - sav->created > sav->lft_s->addtime) {
-				/*
-				 * check SA to be used whether or not.
-				 * when SA hasn't been used, delete it.
+				key_sa_chgstate(sav, SADB_SASTATE_DYING);
+				/* Actually, only send expire message if SA has been used, as it
+				 * was done before, but should we always send such message, and let IKE
+				 * daemon decide if it should be renegociated or not ?
+				 * XXX expire message will actually NOT be sent if SA is only used
+				 * after soft lifetime has been reached, see below (DYING state)
 				 */
-				if (sav->lft_c->usetime == 0) {
-					key_sa_chgstate(sav, SADB_SASTATE_DEAD);
-					KEY_FREESAV(&sav);
-				} else {
-					key_sa_chgstate(sav, SADB_SASTATE_DYING);
-					/*
-					 * XXX If we keep to send expire
-					 * message in the status of
-					 * DYING. Do remove below code.
-					 */
+				if (sav->lft_c->usetime != 0)
 					key_expire(sav);
-				}
 			}
 			/* check SOFT lifetime by bytes */
 			/*