author | Martin Willi <martin@revosec.ch> | 2010-06-02 11:43:39 +0200 |
committer | Martin Willi <martin@revosec.ch> | 2010-06-02 11:48:52 +0200 |
commit | 2f57e6da0e83a3e64e36dd2559b2579b9b1e32a2 (patch) | |
tree | e2eb44294b5a862e828ab523cfff1753be1d33e8 /src | |
parent | fe02d99b9602c81a804892a67fde2890ef1f6aa6 (diff) | |
Disable close action for a redundant CHILD_SA resulting from a rekey collision
If a rekey collision is detected, the winning peer of the nonce compare
will delete the redundant CHILD_SA. The other peer should not enforce the
close action on this CHILD, as it would reestablish the redundant CHILD_SA.
Thanks to Thomas Egerer from secunet for pointing this out and the initial
patchset.
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/sa/tasks/child_rekey.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c
index 533141907..fb3452efd 100644
--- a/src/libcharon/sa/tasks/child_rekey.c
+++ b/src/libcharon/sa/tasks/child_rekey.c
@@ -234,9 +234,14 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
 if (memcmp(this_nonce.ptr, other_nonce.ptr,
 min(this_nonce.len, other_nonce.len)) < 0)
 {
+ child_sa_t *child_sa;
+
 DBG1(DBG_IKE, "CHILD_SA rekey collision won, "
 "deleting rekeyed child");
 to_delete = this->child_sa;
+ /* disable close action for the redundand child */
+ child_sa = other->child_create->get_child(other->child_create);
+ child_sa->set_close_action(child_sa, ACTION_NONE);
 }
 else
 {
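Review bot: The pointer returned by `other->child_create->get_child(other->child_create)` is dereferenced unconditionally on the next added line; if the peer's child_create task can hand back NULL before its CHILD_SA is installed (which the hunk does not rule out), the collision path would crash the daemon on a peer-triggered condition. A cheap guard keeps the intent without changing the winning-side logic: `if (child_sa) { child_sa->set_close_action(child_sa, ACTION_NONE); }`. The new comment should also read `/* disable close action for the redundant child */`, and it is worth stating there that the peer is expected to delete that CHILD_SA, since that is the only reason suppressing the close action is safe. handle_collision begins before the hunk and the else branch continues after it, so the losing-side handling could not be checked here.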