From: Tobias Brunner Date: Thu, 11 Jun 2020 12:33:22 +0000 (+0200) Subject: ike-rekey: Don't actively rekey already rekeyed SAs X-Git-Tag: 5.9.7dr2~1^2~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87a86e9c98e403c4c64d747a35e7c5ded4ff4333;p=thirdparty%2Fstrongswan.git ike-rekey: Don't actively rekey already rekeyed SAs If the peer successfully rekeyed the SA it gets marked as IKE_REKEYED and it remains until the peer deletes it (or a timeout). There is no point in rekeying such SAs again. IKE_REKEYING will be relevant if we have multi-KE rekeyings and are waiting for followup key exchanges for a passive rekeying. --- diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c index 2e9732a9e4..cca211fed5 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c @@ -169,6 +169,14 @@ METHOD(task_t, build_i, status_t, /* create new SA only on first try */ if (!this->new_sa) { + if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING || + this->ike_sa->get_state(this->ike_sa) == IKE_REKEYED) + { + /* ignore SAs that have or are currently being rekeyed passively */ + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + return SUCCESS; + } + version = this->ike_sa->get_version(this->ike_sa); this->new_sa = charon->ike_sa_manager->create_new( charon->ike_sa_manager, version, TRUE);
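Review bot: the early-out in build_i is silent; before `message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);` / `return SUCCESS;` add a debug log line stating that the scheduled rekeying was skipped because the IKE_SA is in IKE_REKEYING or IKE_REKEYED, otherwise an operator who configured a rekey time sees the task vanish with no trace. The comment "ignore SAs that have or are currently being rekeyed passively" should also spell out why IKE_REKEYING here can only be a passive rekeying: the check sits inside `if (!this->new_sa)`, i.e. on the first attempt of this task, so the state was not set by this task's own active rekeying, which is the distinction the commit message draws for multi-KE rekeyings.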