ike-init: Ignore notifies related to redirects during rekeying
authorTobias Brunner <tobias@strongswan.org>
Thu, 30 Apr 2015 10:57:19 +0000 (12:57 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 4 Mar 2016 15:03:00 +0000 (16:03 +0100)
Also don't query redirect providers in this case.

src/libcharon/sa/ikev2/tasks/ike_init.c

index b5a58df..572c997 100644 (file)
@@ -437,8 +437,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                                                /* fall-through */
                                        }
                                        case REDIRECT_SUPPORTED:
-                                               this->ike_sa->enable_extension(this->ike_sa,
-                                                                                                          EXT_IKE_REDIRECTION);
+                                               if (!this->old_sa)
+                                               {
+                                                       this->ike_sa->enable_extension(this->ike_sa,
+                                                                                                                  EXT_IKE_REDIRECTION);
+                                               }
                                                break;
                                        default:
                                                /* other notifies are handled elsewhere */
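Review bot: The new `if (!this->old_sa)` guard on the REDIRECT_SUPPORTED case carries no explanation, and because the case directly above it falls through (the `/* fall-through */` at the top of the hunk), that case is now affected by the guard as well without saying so. A short why-comment above the condition would keep a later cleanup from "simplifying" it away, e.g. `/* a redirect is only negotiated when a new IKE_SA is established; during a rekeying (old_sa set) the notify is ignored */`. Whether the falling-through case should itself be skipped while rekeying is not visible here, since that case and the rest of process_payloads lie outside the hunk.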
@@ -612,7 +615,8 @@ METHOD(task_t, build_r, status_t,
        this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 
        /* check if we'd have to redirect the client */
-       if (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_REDIRECTION) &&
+       if (!this->old_sa &&
+               this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_REDIRECTION) &&
                charon->redirect->redirect_on_init(charon->redirect, this->ike_sa,
                                                                                   &gateway))
        {
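Review bot: The added `!this->old_sa` check in build_r looks redundant at first glance, because process_payloads in this same commit no longer enables EXT_IKE_REDIRECTION on a rekeyed SA, so the `supports_extension()` test alone would appear to suffice. If the extra check is there because the extension flag can reach the new SA by another route (presumably inherited from the old SA on rekeying, which I cannot confirm from this hunk), that deserves a comment so nobody removes it as dead, e.g. `/* never redirect while rekeying, even if the extension flag was carried over from the old SA */`. build_r begins before and continues after this hunk.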
@@ -750,6 +754,12 @@ METHOD(task_t, process_i, status_t,
                                        chunk_t data, nonce = chunk_empty;
                                        status_t status = FAILED;
 
+                                       if (this->old_sa)
+                                       {
+                                               DBG1(DBG_IKE, "received REDIRECT notify during rekeying"
+                                                    ", ignored");
+                                               break;
+                                       }
                                        data = notify->get_notification_data(notify);
                                        gateway = redirect_data_parse(data, &nonce);
                                        enumerator->destroy(enumerator);
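Review bot: The early `break` added for the rekeying case leaves the surrounding enumerator open, whereas the normal path visible on the last hunk line calls `enumerator->destroy(enumerator)` itself before handling the redirect; whether the ignored path's enumerator is destroyed when the loop finishes depends on code after the hunk, so please confirm it does not leak. As a point of style, the check could sit above the `chunk_t data, nonce` and `status_t status` declarations so the locals are not declared on a path that never uses them, e.g. move the `if (this->old_sa) { DBG1(...); break; }` block to the top of the case. Ignoring rather than failing on an unexpected REDIRECT from an already-authenticated peer seems reasonable, but the DBG1 text could name the exchange or peer to ease triage if this shows up in the field. process_i continues past the end of this hunk.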