ikev1: Don't use rekeyed CHILD_SAs for rekey detection

An old (already rekeyed) CHILD_SA would get switched back into CHILD_REKEYING
state.  And we actually want to change the currently installed CHILD_SA to
that state and later CHILD_REKEYED and properly call e.g. child_rekey() and
not do this again with an old CHILD_SA.  Instead let's only check installed
or currently rekeying CHILD_SAs (in case of a rekey collision).  It's also
uncommon that there is a CHILD_SA in state CHILD_REKEYED but none in state
CHILD_INSTALLED or CHILD_REKEYING, which could happen if e.g. a peer deleted
and recreated a CHILD_SA after a rekeying.  But in that case we don't want
to treat the new CHILD_SA as rekeying (e.g. in regards to events on the bus).

1 files changed, 4 insertions, 4 deletions

diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index e9fef74a7..da41a3f8c 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1007,7 +1007,6 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
 			{
 				case CHILD_INSTALLED:
 				case CHILD_REKEYING:
-				case CHILD_REKEYED:
 					policies = child_sa->create_policy_enumerator(child_sa);
 					if (policies->enumerate(policies, &local, &remote) &&
 						local->equals(local, this->tsr) &&
@@ -1026,9 +1025,10 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
 							 child_sa->get_unique_id(child_sa));
 					}
 					policies->destroy(policies);
-				break;
-			default:
-				break;
+					break;
+				case CHILD_REKEYED:
+				default:
+					break;
 			}
 		}
 	}