child-sa: Only query/update/delete inbound SA if it was actually installed
authorTobias Brunner <tobias@strongswan.org>
Thu, 15 Oct 2020 13:23:02 +0000 (15:23 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 27 Oct 2020 15:42:01 +0000 (16:42 +0100)
We usually can't do any of these things with temporary SAs created while
allocating an SPI.

src/libcharon/sa/child_sa.c

index d51f530dbfa16354d0f25dbe1546c451654d6ae8..c776c274dc3c0dc8828c003f97f76dc0c0238d56 100644 (file)
@@ -113,6 +113,11 @@ struct private_child_sa_t {
         */
        child_sa_outbound_state_t outbound_state;
 
+       /**
+        * Whether the inbound SA has been installed
+        */
+       bool inbound_installed;
+
        /**
         * Whether the peer supports TFCv3
         */
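Review bot: The new field's comment says what the flag means but not who owns it: as far as the hunks show it is set once, in install_internal's inbound branch, never cleared, and relied on by the guards in update_usebytes, update_sas and destroy. Suggest extending the comment to `Whether the inbound SA has been installed (set by install_internal for the inbound direction, never cleared; gates kernel query/update/delete of the inbound SA)`. Nothing in the visible hunks initializes the flag to FALSE, so the guards depend on the constructor zero-initializing the struct, which is worth confirming.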
@@ -541,7 +546,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 
        if (inbound)
        {
-               if (this->my_spi)
+               if (this->my_spi && this->inbound_installed)
                {
                        kernel_ipsec_sa_id_t id = {
                                .src = this->other_addr,
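Review bot: The compound guard `if (this->my_spi && this->inbound_installed)` is now duplicated here and in the update_sas and destroy hunks, so a future call site that touches the inbound SA can easily keep checking only my_spi as before. A small helper, `static inline bool has_inbound_sa(private_child_sa_t *this) { return this->my_spi && this->inbound_installed; }`, would make the rule explicit and keep the three sites in sync. update_usebytes's body continues outside the hunk, so the outbound branch was not reviewed.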
@@ -807,6 +812,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
                this->my_cpi = cpi;
                dst_ts = my_ts;
                src_ts = other_ts;
+               this->inbound_installed = TRUE;
        }
        else
        {
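Review bot: `this->inbound_installed = TRUE;` is set while the inbound parameters are still being prepared, before any kernel call visible in this hunk, so if the actual install further down fails the flag still reads as installed and destroy will issue a delete for an SA the kernel never accepted. If the kernel call is indeed later in install_internal (the function continues outside the hunk), either set the flag only after that call succeeds, or document that it means "installation attempted", e.g. `/* set before add_sa on purpose: a failed install may still leave kernel state to delete */`, whichever matches the intended semantics.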
@@ -1469,7 +1475,7 @@ static status_t update_sas(private_child_sa_t *this, host_t *me, host_t *other,
                                                   bool encap)
 {
        /* update our (initiator) SA */
-       if (this->my_spi)
+       if (this->my_spi && this->inbound_installed)
        {
                kernel_ipsec_sa_id_t id = {
                        .src = this->other_addr,
@@ -1701,7 +1707,7 @@ METHOD(child_sa_t, destroy, void,
        }
 
        /* delete SAs in the kernel, if they are set up */
-       if (this->my_spi)
+       if (this->my_spi && this->inbound_installed)
        {
                kernel_ipsec_sa_id_t id = {
                        .src = this->other_addr,
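Review bot: With the tightened guard, destroy no longer deletes an inbound SPI that was allocated but never installed, so whatever state the kernel backend keeps for a reserved SPI is now left to the backend; the commit message explains this, but the branch itself does not. Suggest a comment above the condition, `/* SPIs that were only allocated (inbound_installed == FALSE) are not deleted here */`, so the asymmetry with the plain my_spi check is not later mistaken for a bug. destroy continues before and after the hunk.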