]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
projects / thirdparty / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e5bf9b2)
ike-init: Ignore COOKIE payloads during rekeying
authorTobias Brunner <tobias@strongswan.org>
Thu, 9 Apr 2020 16:42:22 +0000 (18:42 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 29 Jun 2022 08:28:50 +0000 (10:28 +0200)
This ensures that process_i() only returns NEED_MORE due to multiple
key exchanges or an INVALID_KE_PAYLOAD notify.

src/libcharon/sa/ikev2/tasks/ike_init.c patch | blob | blame | history

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 98185f576e797418510cc44ee378435570f72d44..cae68559fca8f7feb336f31701f6eb0875adde57 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -1008,6 +1008,12 @@ METHOD(task_t, process_i, status_t,
                                        break;
                                case COOKIE:
                                {
+                                       if (this->old_sa)
+                                       {
+                                               DBG1(DBG_IKE, "received COOKIE notify during rekeying"
+                                                    ", ignored");
+                                               break;
+                                       }
                                        chunk_free(&this->cookie);
                                        this->cookie = chunk_clone(notify->get_notification_data(notify));
                                        this->ike_sa->reset(this->ike_sa, FALSE);
Unnamed repository; edit this file 'description' to name the repository.