sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-06 00:00:47 -04:00
Code Issues Projects Releases Wiki Activity

ikev2: Abort make-before-break reauth if we don't find children to recreate

Browse Source 
We do something similar in reestablish() for break-before-make reauth.
If we don't abort we'd be sending an IKE_AUTH without any TS payloads.

References #2430.
This commit is contained in:
Tobias Brunner 2017-09-26 11:31:15 +02:00
parent b2266280ef
commit 26bda4e904
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/libcharon/sa/ikev2/task_manager_v2.c
View File

@ -1780,9 +1780,11 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
enumerator_t *enumerator; enumerator_t *enumerator;
child_sa_t *child_sa; child_sa_t *child_sa;
child_cfg_t *cfg; child_cfg_t *cfg;
peer_cfg_t *peer;
ike_sa_t *new; ike_sa_t *new;
host_t *host; host_t *host;
queued_task_t *queued; queued_task_t *queued;
bool children = FALSE;
new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
this->ike_sa->get_version(this->ike_sa), TRUE); this->ike_sa->get_version(this->ike_sa), TRUE);
@ -1791,7 +1793,8 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
return; return;
} }
new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa)); peer = this->ike_sa->get_peer_cfg(this->ike_sa);
new->set_peer_cfg(new, peer);
host = this->ike_sa->get_other_host(this->ike_sa); host = this->ike_sa->get_other_host(this->ike_sa);
new->set_other_host(new, host->clone(host)); new->set_other_host(new, host->clone(host));
host = this->ike_sa->get_my_host(this->ike_sa); host = this->ike_sa->get_my_host(this->ike_sa);
@ -1809,6 +1812,7 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
cfg = child_sa->get_config(child_sa); cfg = child_sa->get_config(child_sa);
new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg), new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
FALSE, NULL, NULL)->task); FALSE, NULL, NULL)->task);
children = TRUE;
} }
enumerator->destroy(enumerator); enumerator->destroy(enumerator);
@ -1821,10 +1825,24 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
new->queue_task(new, queued->task); new->queue_task(new, queued->task);
array_remove_at(this->queued_tasks, enumerator); array_remove_at(this->queued_tasks, enumerator);
free(queued); free(queued);
children = TRUE;
} }
} }
enumerator->destroy(enumerator); enumerator->destroy(enumerator);
if (!children
#ifdef ME
/* allow reauth of mediation connections without CHILD_SAs */
&& !peer->is_mediation(peer)
#endif /* ME */
)
{
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
"to recreate");
return;
}
/* suspend online revocation checking until the SA is established */ /* suspend online revocation checking until the SA is established */
new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE); new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);