diff options
author | Tobias Brunner <tobias@strongswan.org> | 2015-07-31 16:51:35 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2015-08-17 11:59:15 +0200 |
commit | 3665adef19fb5ac3fa44c4f697a5dcb1e1660f55 (patch) | |
tree | 9ca3f17d3885ac1cdad0a4d7512709a7c877e935 /src | |
parent | 017dbb1c5e12ed2e7457116273d60dc4d9eb29d6 (diff) | |
download | strongswan-3665adef19fb5ac3fa44c4f697a5dcb1e1660f55.tar.bz2 strongswan-3665adef19fb5ac3fa44c4f697a5dcb1e1660f55.tar.xz |
child-sa: Fix refcounting of allocated reqids
During a rekeying we want to reuse the current reqid, but if the new SA
does not allocate it via kernel-interface the state there will disappear
when the old SA is destroyed after the rekeying. When the IKE_SA is
later reauthenticated with make-before-break reauthentication the new
CHILD_SAs there will get new reqids as no existing state is found in the
kernel-interface, breaking policy installation in the kernel.
Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/sa/child_sa.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 94cf07c33..73f2ec9d3 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2011 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter @@ -106,6 +106,11 @@ struct private_child_sa_t { */ bool reqid_allocated; + /** + * Is the reqid statically configured + */ + bool static_reqid; + /* * Unique CHILD_SA identifier */ @@ -698,7 +703,7 @@ METHOD(child_sa_t, install, status_t, this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS, &esn, NULL); - if (!this->reqid_allocated && !this->reqid) + if (!this->reqid_allocated && !this->static_reqid) { status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface, my_ts, other_ts, this->mark_in, this->mark_out, @@ -826,7 +831,7 @@ METHOD(child_sa_t, add_policies, status_t, traffic_selector_t *my_ts, *other_ts; status_t status = SUCCESS; - if (!this->reqid_allocated && !this->reqid) + if (!this->reqid_allocated && !this->static_reqid) { /* trap policy, get or confirm reqid */ status = hydra->kernel_interface->alloc_reqid( @@ -1305,6 +1310,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->reqid = charon->traps->find_reqid(charon->traps, config); } } + else + { + this->static_reqid = TRUE; + } /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ if (config->get_mode(config) == MODE_TRANSPORT && |