Index: head/sys/netipsec/key.c =================================================================== --- head/sys/netipsec/key.c (revision 283059) +++ head/sys/netipsec/key.c (working copy) @@ -537,7 +537,7 @@ static int key_acquire2(struct socket *, struct mb const struct sadb_msghdr *); static int key_register(struct socket *, struct mbuf *, const struct sadb_msghdr *); -static int key_expire(struct secasvar *); +static int key_expire(struct secasvar *, int); static int key_flush(struct socket *, struct mbuf *, const struct sadb_msghdr *); static int key_dump(struct socket *, struct mbuf *, @@ -4243,8 +4243,24 @@ key_flush_sad(time_t now) continue; } + /* check HARD lifetime */ + if ((sav->lft_h->addtime != 0 && + now - sav->created > sav->lft_h->addtime) || + (sav->lft_h->bytes != 0 && + sav->lft_h->bytes < sav->lft_c->bytes)) { + /* + * RFC 2367: + * HARD lifetimes MUST take precedence over + * SOFT lifetimes, meaning if the HARD and + * SOFT lifetimes are the same, the HARD + * lifetime will appear on the EXPIRE message. + */ + key_sa_chgstate(sav, SADB_SASTATE_DEAD); + key_expire(sav, 1); + KEY_FREESAV(&sav); + } /* check SOFT lifetime */ - if (sav->lft_s->addtime != 0 && + else if (sav->lft_s->addtime != 0 && now - sav->created > sav->lft_s->addtime) { key_sa_chgstate(sav, SADB_SASTATE_DYING); /* @@ -4259,7 +4275,7 @@ key_flush_sad(time_t now) * (DYING state) */ if (sav->lft_c->usetime != 0) - key_expire(sav); + key_expire(sav, 0); } /* check SOFT lifetime by bytes */ /* @@ -4276,7 +4292,7 @@ key_flush_sad(time_t now) * message in the status of * DYING. Do remove below code. */ - key_expire(sav); + key_expire(sav, 0); } } @@ -4295,6 +4311,7 @@ key_flush_sad(time_t now) if (sav->lft_h->addtime != 0 && now - sav->created > sav->lft_h->addtime) { + key_expire(sav, 1); key_sa_chgstate(sav, SADB_SASTATE_DEAD); KEY_FREESAV(&sav); } @@ -4311,12 +4328,13 @@ key_flush_sad(time_t now) * If there is no SA then sending * expire message. */ - key_expire(sav); + key_expire(sav, 0); } #endif /* check HARD lifetime by bytes */ else if (sav->lft_h->bytes != 0 && sav->lft_h->bytes < sav->lft_c->bytes) { + key_expire(sav, 1); key_sa_chgstate(sav, SADB_SASTATE_DEAD); KEY_FREESAV(&sav); } @@ -6721,7 +6739,7 @@ key_freereg(struct socket *so) * others : error number */ static int -key_expire(struct secasvar *sav) +key_expire(struct secasvar *sav, int hard) { int satype; struct mbuf *result = NULL, *m; @@ -6779,11 +6797,19 @@ static int lt->sadb_lifetime_usetime = sav->lft_c->usetime; lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); - lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; - lt->sadb_lifetime_allocations = sav->lft_s->allocations; - lt->sadb_lifetime_bytes = sav->lft_s->bytes; - lt->sadb_lifetime_addtime = sav->lft_s->addtime; - lt->sadb_lifetime_usetime = sav->lft_s->usetime; + if (hard) { + lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; + lt->sadb_lifetime_allocations = sav->lft_h->allocations; + lt->sadb_lifetime_bytes = sav->lft_h->bytes; + lt->sadb_lifetime_addtime = sav->lft_h->addtime; + lt->sadb_lifetime_usetime = sav->lft_h->usetime; + } else { + lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; + lt->sadb_lifetime_allocations = sav->lft_s->allocations; + lt->sadb_lifetime_bytes = sav->lft_s->bytes; + lt->sadb_lifetime_addtime = sav->lft_s->addtime; + lt->sadb_lifetime_usetime = sav->lft_s->usetime; + } m_cat(result, m); /* set sadb_address for source */