aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorTobias Brunner <tobias@strongswan.org>2015-07-31 16:51:35 +0200
committerTobias Brunner <tobias@strongswan.org>2015-08-17 11:59:15 +0200
commit3665adef19fb5ac3fa44c4f697a5dcb1e1660f55 (patch)
tree9ca3f17d3885ac1cdad0a4d7512709a7c877e935 /src
parent017dbb1c5e12ed2e7457116273d60dc4d9eb29d6 (diff)
downloadstrongswan-3665adef19fb5ac3fa44c4f697a5dcb1e1660f55.tar.bz2
strongswan-3665adef19fb5ac3fa44c4f697a5dcb1e1660f55.tar.xz
child-sa: Fix refcounting of allocated reqids
During a rekeying we want to reuse the current reqid, but if the new SA does not allocate it via kernel-interface the state there will disappear when the old SA is destroyed after the rekeying. When the IKE_SA is later reauthenticated with make-before-break reauthentication the new CHILD_SAs there will get new reqids as no existing state is found in the kernel-interface, breaking policy installation in the kernel. Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/child_sa.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 94cf07c33..73f2ec9d3 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2011 Tobias Brunner
+ * Copyright (C) 2006-2015 Tobias Brunner
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005 Jan Hutter
@@ -106,6 +106,11 @@ struct private_child_sa_t {
*/
bool reqid_allocated;
+ /**
+ * Is the reqid statically configured
+ */
+ bool static_reqid;
+
/*
* Unique CHILD_SA identifier
*/
@@ -698,7 +703,7 @@ METHOD(child_sa_t, install, status_t,
this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
&esn, NULL);
- if (!this->reqid_allocated && !this->reqid)
+ if (!this->reqid_allocated && !this->static_reqid)
{
status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
my_ts, other_ts, this->mark_in, this->mark_out,
@@ -826,7 +831,7 @@ METHOD(child_sa_t, add_policies, status_t,
traffic_selector_t *my_ts, *other_ts;
status_t status = SUCCESS;
- if (!this->reqid_allocated && !this->reqid)
+ if (!this->reqid_allocated && !this->static_reqid)
{
/* trap policy, get or confirm reqid */
status = hydra->kernel_interface->alloc_reqid(
@@ -1305,6 +1310,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->reqid = charon->traps->find_reqid(charon->traps, config);
}
}
+ else
+ {
+ this->static_reqid = TRUE;
+ }
/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
if (config->get_mode(config) == MODE_TRANSPORT &&