ikev2: Don't adopt any CHILD_SA during make-before-break reauthentication
author Martin Willi <martin@revosec.ch>
Wed, 4 Mar 2015 10:16:00 +0000 (11:16 +0100)
committer Martin Willi <martin@revosec.ch>
Wed, 4 Mar 2015 10:18:42 +0000 (11:18 +0100)
While the comment is rather clear that we should not adopt live CHILD_SAs
during reauthentication in IKEv2, the code does nonetheless. Add an additional
version check to fix reauthentication if the reauth responder has a replace
uniqueids policy.

Fixes #871.

src/libcharon/sa/ike_sa_manager.c

index 6d0a598..d0cbd47 100644
@@ -1755,7 +1755,8 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
        if (host->equals(host, duplicate->get_other_host(duplicate)))
        {
                /* looks like a reauthentication attempt */
-               if (!new->has_condition(new, COND_INIT_CONTACT_SEEN))
+               if (!new->has_condition(new, COND_INIT_CONTACT_SEEN) &&
+                       new->get_version(new) == IKEV1)
                {
                        /* IKEv1 implicitly takes over children, IKEv2 recreates them
                         * explicitly. */
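Review bot: with the added `new->get_version(new) == IKEV1` guard, an IKEv2 reauthentication now skips this branch and falls through to the generic duplicate handling further down in enforce_replace(), which this hunk does not show; the comment at `/* looks like a reauthentication attempt */` should say what that means for the duplicate's CHILD_SAs in the IKEv2 case (kept until the peer has re-created them, or deleted together with the old IKE_SA), because make-before-break only holds if the old children survive until the new ones are established. Since #871 is specifically the IKEv2 plus replace uniqueids path, a log line or test exercising that path would make the fix verifiable.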