From: Martin Willi
Date: Wed, 2 Jun 2010 09:43:39 +0000 (+0200)
Subject: Disable close action for a redundant CHILD_SA resulting from a rekey collision
X-Git-Tag: 4.4.1~195
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2f57e6da0e83a3e64e36dd2559b2579b9b1e32a2;p=thirdparty%2Fstrongswan.git

Disable close action for a redundant CHILD_SA resulting from a rekey collision

If a rekey collision is detected, the winning peer of the nonce compare will delete the redundant CHILD_SA. The other peer should not enforce the close action on this CHILD, as it would reestablish the redundant CHILD_SA.

Thanks to Thomas Egerer from secunet for pointing this out and the initial patchset.
---
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c index 533141907b..fb3452efd1 100644 --- a/src/libcharon/sa/tasks/child_rekey.c +++ b/src/libcharon/sa/tasks/child_rekey.c @@ -234,9 +234,14 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) if (memcmp(this_nonce.ptr, other_nonce.ptr, min(this_nonce.len, other_nonce.len)) < 0) { + child_sa_t *child_sa; + DBG1(DBG_IKE, "CHILD_SA rekey collision won, " "deleting rekeyed child"); to_delete = this->child_sa; + /* disable close action for the redundand child */ + child_sa = other->child_create->get_child(other->child_create); + child_sa->set_close_action(child_sa, ACTION_NONE); } else {
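Review bot: In the winning branch of handle_collision(), `child_sa = other->child_create->get_child(other->child_create);` is dereferenced immediately via `child_sa->set_close_action(child_sa, ACTION_NONE);` with no NULL check; please confirm that the passive child_create task always holds a CHILD_SA at the point the collision is resolved, or guard the call, since a NULL here would crash the daemon on a peer-triggered code path. It would also help to align the wording: the commit message says the winning peer deletes the redundant CHILD_SA, but this branch sets `to_delete = this->child_sa` and logs "deleting rekeyed child", while the SA whose close action is disabled is the one obtained from `other->child_create`; a short comment stating which side sends the DELETE for the redundant SA and why the close action must therefore be cleared on this side would make the intent clear to the next reader. Finally, "redundand" in the added comment should read "redundant".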