From 71141cc8c9b4c3336b06774b814a56945b5938a9 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Thu, 16 May 2019 10:19:15 +0200 Subject: [PATCH] ikev1: Do a rekey check before installing CHILD_SAs as responder If CHILD_SAs are created while waiting for the third QM message we'd not notice the redundancy and updown events would be triggered unevenly. This is consistent with the behavior on the initiator, which already does this check right before installation. Moving the existing check is not possible due to the narrow hook and moving the installation changes which peer installs the SAs first and could have other side-effects (e.g. in error or conflict cases). Still, this might result in CHILD_SA state discrepancies between the two peers. Fixes #3060. --- src/libcharon/sa/ikev1/tasks/quick_mode.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 3309a5ddc1..128f027c86 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -1218,6 +1218,21 @@ METHOD(task_t, process_r, status_t, } return SUCCESS; } + if (!this->rekey) + { + /* do another check in case SAs were created since we handled + * the QM request, this is consistent with the rekey check + * before installation on the initiator */ + check_for_rekeyed_child(this, TRUE); + if (this->rekey) + { + this->child_sa->destroy(this->child_sa); + this->child_sa = child_sa_create( + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), + this->config, &this->child); + } + } if (!install(this)) { ike_sa_t *ike_sa = this->ike_sa; -- 2.47.2