ikev1: Accept reauthentication attempts with a keep unique policy from same host
When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old).
This commit is contained in:
parent
9c19d7ca31
commit
d2e4dd75b7
@ -1765,6 +1765,15 @@ static void adopt_children(ike_sa_t *old, ike_sa_t *new)
|
|||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the replaced IKE_SA might get reauthenticated from host
|
||||
*/
|
||||
static bool is_ikev1_reauth(ike_sa_t *duplicate, host_t *host)
|
||||
{
|
||||
return duplicate->get_version(duplicate) == IKEV1 &&
|
||||
host->equals(host, duplicate->get_other_host(duplicate));
|
||||
}
|
||||
|
||||
/**
|
||||
* Delete an existing IKE_SA due to a unique replace policy
|
||||
*/
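Review bot: The doc comment on is_ikev1_reauth understates what the check relies on: it treats any IKEv1 SA whose peer host matches as a reauthentication with no further evidence, and it depends on the caller having already matched the peer identities (check_uniqueness enumerates duplicates by identity, outside this hunk). Since the helper now gates the UNIQUE_KEEP decision in the third hunk as well as the replace path, that assumption should be stated where the function is defined, e.g. `/** Heuristic: treat an IKEv1 SA from the same peer host (presumably address and port, if host_t.equals compares both) as a reauthentication attempt. Callers must already have matched the peer identities. */`.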
|
||||
|
@ -1774,8 +1783,7 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
|
|||
{
|
||||
charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
|
||||
|
||||
if (duplicate->get_version(duplicate) == IKEV1 &&
|
||||
host->equals(host, duplicate->get_other_host(duplicate)))
|
||||
if (is_ikev1_reauth(duplicate, host))
|
||||
{
|
||||
/* looks like a reauthentication attempt */
|
||||
adopt_children(duplicate, new);
|
||||
|
@ -1846,10 +1854,13 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
|
|||
other, other_host);
|
||||
break;
|
||||
case UNIQUE_KEEP:
|
||||
cancel = TRUE;
|
||||
/* we keep the first IKE_SA and delete all
|
||||
* other duplicates that might exist */
|
||||
policy = UNIQUE_REPLACE;
|
||||
if (!is_ikev1_reauth(duplicate, other_host))
|
||||
{
|
||||
cancel = TRUE;
|
||||
/* we keep the first IKE_SA and delete all
|
||||
* other duplicates that might exist */
|
||||
policy = UNIQUE_REPLACE;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
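Review bot: In the UNIQUE_KEEP case, when is_ikev1_reauth() holds the switch now does nothing: the new SA is not cancelled, but unlike enforce_replace() in the previous hunk the existing duplicate is neither deleted nor are its children adopted, so both ISAKMP SAs remain established until something outside this hunk removes the old one (presumably the peer's DELETE after reauthentication, or the lifetime). The commit message says the new SA replaces the old, which this branch does not do by itself; if that is intended, say so at the branch: `/* reauthentication from the same host: keep both SAs, the old one is expected to be deleted by the peer or to expire */`. The `cancel = TRUE; policy = UNIQUE_REPLACE;` pair is now conditional, so a non-reauth duplicate still reaches the replace enforcement further down, outside the hunk.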
|
||||
|
|