From: Tobias Brunner Date: Thu, 16 May 2019 08:19:15 +0000 (+0200) Subject: ikev1: Do a rekey check before installing CHILD_SAs as responder X-Git-Tag: 5.8.1dr1~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71141cc8c9b4c3336b06774b814a56945b5938a9;p=thirdparty%2Fstrongswan.git ikev1: Do a rekey check before installing CHILD_SAs as responder If CHILD_SAs are created while waiting for the third QM message we'd not notice the redundancy and updown events would be triggered unevenly. This is consistent with the behavior on the initiator, which already does this check right before installation. Moving the existing check is not possible due to the narrow hook and moving the installation changes which peer installs the SAs first and could have other side-effects (e.g. in error or conflict cases). Still, this might result in CHILD_SA state discrepancies between the two peers. Fixes #3060. --- diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 3309a5ddc1..128f027c86 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -1218,6 +1218,21 @@ METHOD(task_t, process_r, status_t, } return SUCCESS; } + if (!this->rekey) + { + /* do another check in case SAs were created since we handled + * the QM request, this is consistent with the rekey check + * before installation on the initiator */ + check_for_rekeyed_child(this, TRUE); + if (this->rekey) + { + this->child_sa->destroy(this->child_sa); + this->child_sa = child_sa_create( + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), + this->config, &this->child); + } + } if (!install(this)) { ike_sa_t *ike_sa = this->ike_sa;
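Review bot: the inline comment in the new block explains why the rekey check is repeated but not why the existing CHILD_SA object is destroyed and a fresh one created with `child_sa_create(...)` once `this->rekey` flips; a reader can easily mistake the destroy/create pair for a leak or a double allocation, so the comment should state what in `&this->child` changes as a result of `check_for_rekeyed_child(this, TRUE)` that cannot be applied to the already-created object. It would also be worth confirming in review that `install(this)` takes everything it needs from the task's own fields and not from the object destroyed here, since any state that was attached to the old `this->child_sa` during the earlier QM messages is gone at this point; a one-line note either in the comment or in the commit message would settle that. Finally, the commit message already warns that the result "might result in CHILD_SA state discrepancies between the two peers"; since this block runs only on the responder, a short sentence describing what an operator would observe in that case (e.g. which updown events fire on which side) would help anyone triaging the issue referenced as #3060.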