ikev1: Don't use rekeyed CHILD_SAs for rekey detection
An old (already rekeyed) CHILD_SA would get switched back into CHILD_REKEYING state. And we actually want to change the currently installed CHILD_SA to that state and later CHILD_REKEYED and properly call e.g. child_rekey() and not do this again with an old CHILD_SA. Instead let's only check installed or currently rekeying CHILD_SAs (in case of a rekey collision). It's also uncommon that there is a CHILD_SA in state CHILD_REKEYED but none in state CHILD_INSTALLED or CHILD_REKEYING, which could happen if e.g. a peer deleted and recreated a CHILD_SA after a rekeying. But in that case we don't want to treat the new CHILD_SA as rekeying (e.g. in regards to events on the bus).
parent
a01eb5e4da
commit
bf3bed1cc4
|
@ -1007,7 +1007,6 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
|
||||||
{
|
{
|
||||||
case CHILD_INSTALLED:
|
case CHILD_INSTALLED:
|
||||||
case CHILD_REKEYING:
|
case CHILD_REKEYING:
|
||||||
case CHILD_REKEYED:
|
|
||||||
policies = child_sa->create_policy_enumerator(child_sa);
|
policies = child_sa->create_policy_enumerator(child_sa);
|
||||||
if (policies->enumerate(policies, &local, &remote) &&
|
if (policies->enumerate(policies, &local, &remote) &&
|
||||||
local->equals(local, this->tsr) &&
|
local->equals(local, this->tsr) &&
|
||||||
|
@ -1026,9 +1025,10 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
|
||||||
child_sa->get_unique_id(child_sa));
|
child_sa->get_unique_id(child_sa));
|
||||||
}
|
}
|
||||||
policies->destroy(policies);
|
policies->destroy(policies);
|
||||||
break;
|
break;
|
||||||
default:
|
case CHILD_REKEYED:
|
||||||
break;
|
default:
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
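Review bot: The new `case CHILD_REKEYED:` label placed directly above `default:` does not change control flow, since `default:` still ends in `break;` on the following line, so the reason for excluding already rekeyed SAs lives only in the commit message and not in the code. A short comment on that label would keep the reasoning with the code, e.g. `/* an already replaced SA must not be switched back to CHILD_REKEYING; only the installed or currently rekeying SA is relevant */`. The explicit label is otherwise useful as it makes the exclusion deliberate rather than a fall-through into the default case. The `switch` and the enclosing check_for_rekeyed_child() open before the first hunk of this section.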
|
||||||
|
|