From: Martin Willi Date: Wed, 4 Mar 2015 10:16:00 +0000 (+0100) Subject: ikev2: Don't adopt any CHILD_SA during make-before-break reauthentication X-Git-Tag: 5.3.0dr1~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a31fe5580e2e78b63eab16377dd81101b53316a;p=thirdparty%2Fstrongswan.git ikev2: Don't adopt any CHILD_SA during make-before-break reauthentication While the comment is rather clear that we should not adopt live CHILD_SAs during reauthentication in IKEv2, the code does nonetheless. Add an additional version check to fix reauthentication if the reauth responder has a replace uniqueids policy. Fixes #871. --- diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 6d0a59800c..d0cbd47ef8 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1755,7 +1755,8 @@ static status_t enforce_replace(private_ike_sa_manager_t *this, if (host->equals(host, duplicate->get_other_host(duplicate))) { /* looks like a reauthentication attempt */ - if (!new->has_condition(new, COND_INIT_CONTACT_SEEN)) + if (!new->has_condition(new, COND_INIT_CONTACT_SEEN) && + new->get_version(new) == IKEV1) { /* IKEv1 implicitly takes over children, IKEv2 recreates them * explicitly. */
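Review bot: the added `new->get_version(new) == IKEV1` term makes the branch match the comment that follows it, but the comment itself ("IKEv1 implicitly takes over children, IKEv2 recreates them explicitly") now sits inside a branch that IKEv2 can never enter, so it no longer explains the IKEv2 path; consider adding one line there stating that an IKEv2 reauthentication falls through to the ordinary replace handling of the duplicate (the case from #871 with a replace uniqueids policy), since the trailing context of the hunk does not show that path. A minor style point: testing the version first (`new->get_version(new) == IKEV1 && !new->has_condition(new, COND_INIT_CONTACT_SEEN)`) would put the decisive, protocol-level condition ahead of the INIT_CONTACT heuristic and read closer to the comment's intent.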