ikev1: Don't use rekeyed CHILD_SAs for rekey detection
author Tobias Brunner <tobias@strongswan.org>
Wed, 20 Apr 2016 11:56:55 +0000 (13:56 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 6 May 2016 13:31:31 +0000 (15:31 +0200)
An old (already rekeyed) CHILD_SA would get switched back into CHILD_REKEYING
state.  And we actually want to change the currently installed CHILD_SA to
that state and later CHILD_REKEYED and properly call e.g. child_rekey() and
not do this again with an old CHILD_SA.  Instead let's only check installed
or currently rekeying CHILD_SAs (in case of a rekey collision).  It's also
uncommon that there is a CHILD_SA in state CHILD_REKEYED but none in state
CHILD_INSTALLED or CHILD_REKEYING, which could happen if e.g. a peer deleted
and recreated a CHILD_SA after a rekeying.  But in that case we don't want
to treat the new CHILD_SA as rekeying (e.g. in regards to events on the bus).

src/libcharon/sa/ikev1/tasks/quick_mode.c

index e9fef74..da41a3f 100644
@@ -1007,7 +1007,6 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
                        {
                                case CHILD_INSTALLED:
                                case CHILD_REKEYING:
-                               case CHILD_REKEYED:
                                        policies = child_sa->create_policy_enumerator(child_sa);
                                        if (policies->enumerate(policies, &local, &remote) &&
                                                local->equals(local, this->tsr) &&
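Review bot: dropping `case CHILD_REKEYED:` from the matching states changes which CHILD_SAs can satisfy the traffic-selector comparison below, but the reason (an SA that is already in CHILD_REKEYED must not be flipped back into CHILD_REKEYING, as the commit message explains) is not visible in the source; suggest a short comment above `case CHILD_INSTALLED:` such as `/* only installed SAs, or ones currently rekeying (collision), are candidates */`. Note also that with this hunk alone the CHILD_REKEYED label vanishes from the switch entirely and only the second hunk reintroduces it as an explicit fall-through to `default`, so the two hunks belong together and should not be cherry-picked separately.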
@@ -1026,9 +1025,10 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
                                                         child_sa->get_unique_id(child_sa));
                                        }
                                        policies->destroy(policies);
-                               break;
-                       default:
-                               break;
+                                       break;
+                               case CHILD_REKEYED:
+                               default:
+                                       break;
                        }
                }
        }
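Review bot: the re-added `case CHILD_REKEYED:` that falls straight into `default: break;` is functionally a no-op, so its value is documentary only; a one-line comment next to it, e.g. `/* already rekeyed: never switch back to CHILD_REKEYING */`, would preserve that intent through future edits better than the bare label does. The re-indentation of `break;` to line up with the other case bodies is a correct whitespace fix, though folding it into a behavioural change makes the hunk a little harder to read; acceptable at this size.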