author | Tobias Brunner <tobias@strongswan.org> | 2016-06-02 17:23:35 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-06-17 18:48:08 +0200 |
commit | 6d8041d46b75a1f2b023a00f2eac5228263c9f17 (patch) | |
tree | dba6d8965f7af7a07d64ade16288da8fb9f5ddda | |
parent | b4f24ac0f65c24844369491d5b0c0d4546a51720 (diff) | |
download | strongswan-6d8041d46b75a1f2b023a00f2eac5228263c9f17.tar.bz2 strongswan-6d8041d46b75a1f2b023a00f2eac5228263c9f17.tar.xz |
child-rekey: Ignore failed colliding CHILD_SA rekeyings
If a passive rekeying fails due to an INVALID_KE_PAYLOAD we don't want
to consider this task later when resolving collisions. This previously
might have caused the wrong SA to get deleted/installed based on the nonces
in the unsuccessful exchange.
-rw-r--r-- | src/libcharon/sa/ikev2/tasks/child_rekey.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index 5873a84af..95e4a3dae 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -455,9 +455,18 @@ METHOD(child_rekey_t, collide, void,
 if (other->get_type(other) == TASK_CHILD_REKEY)
 {
 private_child_rekey_t *rekey = (private_child_rekey_t*)other;
+ child_sa_t *other_child;
+
 if (rekey->child_sa != this->child_sa)
+ { /* not the same child => no collision */
+ other->destroy(other);
+ return;
+ }
+ /* ignore passive tasks that did not successfully create a CHILD_SA */
+ other_child = rekey->child_create->get_child(rekey->child_create);
+ if (!other_child ||
+ other_child->get_state(other_child) != CHILD_INSTALLED)
 {
- /* not the same child => no collision */
 other->destroy(other);
 return;
 } |
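Review bot: `rekey->child_create` is dereferenced in the added `get_child()` call without a NULL check, and nothing visible in the hunk shows that a colliding passive rekey task always has that member set. Per the commit message this branch is reached for rekeyings started by the peer, so if the member can ever be unset here the result is a NULL dereference in the daemon instead of an ignored task. Either guard it with `if (!rekey->child_create) { other->destroy(other); return; }` before the call, or state the invariant in a comment such as `/* passive tasks always own a child_create task */`. A debug-level log line in the new "ignore" branch would also make it possible to tell afterwards why a colliding rekeying was dropped. The body of `collide` starts and ends outside the hunk, so the rest of the collision resolution is not covered by this note.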