From: Tobias Brunner Date: Wed, 20 Apr 2016 11:56:55 +0000 (+0200) Subject: ikev1: Don't use rekeyed CHILD_SAs for rekey detection X-Git-Tag: 5.4.1dr2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf3bed1cc4be24b9a74dff391723afec90182647;p=thirdparty%2Fstrongswan.git ikev1: Don't use rekeyed CHILD_SAs for rekey detection An old (already rekeyed) CHILD_SA would get switched back into CHILD_REKEYING state. And we actually want to change the currently installed CHILD_SA to that state and later CHILD_REKEYED and properly call e.g. child_rekey() and not do this again with an old CHILD_SA. Instead let's only check installed or currently rekeying CHILD_SAs (in case of a rekey collision). It's also uncommon that there is a CHILD_SA in state CHILD_REKEYED but none in state CHILD_INSTALLED or CHILD_REKEYING, which could happen if e.g. a peer deleted and recreated a CHILD_SA after a rekeying. But in that case we don't want to treat the new CHILD_SA as rekeying (e.g. in regards to events on the bus). --- diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index e9fef74a7a..da41a3f8c9 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -1007,7 +1007,6 @@ static void check_for_rekeyed_child(private_quick_mode_t *this) { case CHILD_INSTALLED: case CHILD_REKEYING: - case CHILD_REKEYED: policies = child_sa->create_policy_enumerator(child_sa); if (policies->enumerate(policies, &local, &remote) && local->equals(local, this->tsr) && @@ -1026,9 +1025,10 @@ static void check_for_rekeyed_child(private_quick_mode_t *this) child_sa->get_unique_id(child_sa)); } policies->destroy(policies); - break; - default: - break; + break; + case CHILD_REKEYED: + default: + break; } } }
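Review bot: in the first hunk (@@ -1007,7 +1007,6), the case list in check_for_rekeyed_child() now ends at `case CHILD_REKEYING:` with no comment saying why CHILD_REKEYED is excluded. The reasoning (an already rekeyed CHILD_SA would get switched back into CHILD_REKEYING, and only installed or currently rekeying CHILD_SAs should match) is recorded only in the commit message. A one-line comment above `case CHILD_INSTALLED:` stating this would keep a later reader from re-adding the case.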
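Review bot: in the second hunk (@@ -1026,9 +1025,10), `case CHILD_REKEYED:` placed directly before `default:` behaves the same as leaving it out, so the label only documents intent; a short comment next to it saying that rekeyed CHILD_SAs are deliberately ignored would make that explicit. The removed and re-added `break;` and `default:` lines show the same tokens on both sides, so they appear to be a whitespace-only change mixed into a functional one; splitting the re-indentation into its own commit would make the behavioural change easier to review and to backport.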