author | Tobias Brunner <tobias@strongswan.org> | 2017-09-26 11:31:15 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-11-02 09:48:56 +0100 |
commit | 26bda4e904dd6e8f6a8f1b518b18c1957ce14864 (patch) | |
tree | 995c07db939e1a2645cd675e92e67fcdb01b5421 | |
parent | b2266280efc81c84984de167ac2b212851eda608 (diff) | |
ikev2: Abort make-before-break reauth if we don't find children to recreate
We do something similar in reestablish() for break-before-make reauth.
If we don't abort we'd be sending an IKE_AUTH without any TS payloads.
References #2430.
-rw-r--r-- | src/libcharon/sa/ikev2/task_manager_v2.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index c2ddbc588..4cad18ee7 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1780,9 +1780,11 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 enumerator_t *enumerator;
 child_sa_t *child_sa;
 child_cfg_t *cfg;
+ peer_cfg_t *peer;
 ike_sa_t *new;
 host_t *host;
 queued_task_t *queued;
+ bool children = FALSE;
 
 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
 this->ike_sa->get_version(this->ike_sa), TRUE);
@@ -1791,7 +1793,8 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 return;
 }
 
- new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
+ peer = this->ike_sa->get_peer_cfg(this->ike_sa);
+ new->set_peer_cfg(new, peer);
 host = this->ike_sa->get_other_host(this->ike_sa);
 new->set_other_host(new, host->clone(host));
 host = this->ike_sa->get_my_host(this->ike_sa);
@@ -1809,6 +1812,7 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 cfg = child_sa->get_config(child_sa);
 new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg), FALSE,
 NULL, NULL)->task);
+ children = TRUE;
 }
 enumerator->destroy(enumerator);
 
@@ -1821,10 +1825,24 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 new->queue_task(new, queued->task);
 array_remove_at(this->queued_tasks, enumerator);
 free(queued);
+ children = TRUE;
 }
 }
 enumerator->destroy(enumerator);
 
+ if (!children
+#ifdef ME
+ /* allow reauth of mediation connections without CHILD_SAs */
+ && !peer->is_mediation(peer)
+#endif /* ME */
+ )
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
+ DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
+ "to recreate");
+ return;
+ }
+
 /* suspend online revocation checking until the SA is established */
 new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
 
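Review bot: The `children = TRUE` added in the queued-task loop of the last hunk is only meaningful if the enclosing condition, which begins before the hunk, admits nothing but CHILD_SA-creating tasks; the double closing brace suggests such a filter exists, but a comment at the flag's declaration in the first hunk would make the contract explicit, e.g. `/* TRUE once at least one CHILD_SA (re)creation task has been queued on the new SA */`. As a point of style, splicing `#ifdef ME` into the middle of the `if (!children ...)` condition leaves a dangling `)` and reads awkwardly; hoisting the mediation test into a local keeps the preprocessor out of the expression, as sketched below. `peer` is dereferenced in that test without a NULL check, which is fine if `get_peer_cfg()` always returns a config for an SA being reauthenticated — presumably so, but worth confirming. `trigger_mbb_reauth` starts before the first hunk and continues after the last.
```c
	bool children = FALSE, mediation = FALSE;
	/* … unchanged: checkout_new(), peer/host setup, CHILD_SA and queued-task loops … */
#ifdef ME
	/* allow reauth of mediation connections without CHILD_SAs */
	mediation = peer->is_mediation(peer);
#endif /* ME */
	if (!children && !mediation)
	{
		/* … unchanged: checkin_and_destroy(), DBG1(), return … */
	}
```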