ikev2: Delay installation of outbound SAs during rekeying on the responder
author Tobias Brunner <tobias@strongswan.org>
Wed, 1 Mar 2017 17:02:38 +0000 (18:02 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Tue, 23 May 2017 16:46:06 +0000 (18:46 +0200)
commit dc3710e987b49c96ee2e81c1979fb2a6133bd30d
tree fcb2d8e9f4f5933b17299047deb08ec513fe0447
parent f84757f2e6f253ed2ed6045fe53cce470acc3101
ikev2: Delay installation of outbound SAs during rekeying on the responder

The responder has all the information needed to install both SAs before
the initiator does.  So if the responder immediately installs the outbound
SA it might send packets using the new SA which the initiator is not yet
able to process.  This can be avoided by delaying the installation of the
outbound SA until the replaced SA is deleted.
src/libcharon/sa/ikev2/tasks/child_create.c
src/libcharon/sa/ikev2/tasks/child_delete.c
src/libcharon/sa/ikev2/tasks/child_rekey.c
src/libcharon/tests/suites/test_child_rekey.c
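
The timing problem described in the commit message, as a small constructed model added here; it is not strongSwan code and not part of this commit. The `peer_t` struct, the three-step timeline and the rule that a sender prefers the new outbound SA once installed are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model, not strongSwan code: which CHILD_SAs a peer has installed. */
typedef struct {
    bool in_old, in_new;   /* inbound SAs the peer can decrypt with */
    bool out_old, out_new; /* outbound SAs the peer can send on */
} peer_t;

/* tx sends one packet, preferring the new outbound SA once it is installed
 * (assumption of this model). Returns true if rx holds the matching inbound SA. */
static bool deliver(const peer_t *tx, const peer_t *rx)
{
    if (tx->out_new)
        return rx->in_new;
    return tx->out_old && rx->in_old;
}

/* One packet in each direction; returns how many were undecryptable. */
static int exchange(const peer_t *init, const peer_t *resp)
{
    return !deliver(init, resp) + !deliver(resp, init);
}

/* Walk the rekey and return the total number of dropped packets. */
int simulate_rekey(bool delay_outbound)
{
    peer_t init = { true, false, true, false };
    peer_t resp = { true, false, true, false };
    int dropped = 0;

    /* 1. Responder handles the rekey request: it can derive all keys now. */
    resp.in_new = true;
    resp.out_new = !delay_outbound;
    dropped += exchange(&init, &resp);
    /* 2. Initiator handles the response and installs both new SAs. */
    init.in_new = init.out_new = true;
    dropped += exchange(&init, &resp);
    /* 3. Old SA is deleted; a delaying responder installs outbound only now. */
    init.out_old = resp.in_old = resp.out_old = false;
    resp.out_new = true;
    dropped += exchange(&init, &resp);
    return dropped;
}

int main(void)
{
    printf("immediate: %d, delayed: %d\n", simulate_rekey(false), simulate_rekey(true));
    return 0;
}
```

The inbound side of the new SA is installed in step 1 in both variants, so traffic from the initiator is never affected; only the responder's outbound installation changes between the two runs.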