ike-rekey: Don't actively rekey already rekeyed SAs

If the peer successfully rekeyed the SA it gets marked as IKE_REKEYED
and it remains until the peer deletes it (or a timeout).  There is no
point in rekeying such SAs again.

IKE_REKEYING will be relevant if we have multi-KE rekeyings and are
waiting for followup key exchanges for a passive rekeying.
Tobias Brunner 2020-06-11 14:33:22 +02:00 committed by Andreas Steffen
parent c8a5ae2def
commit 6de79119f8


@ -168,6 +168,14 @@ METHOD(task_t, build_i, status_t,
/* create new SA only on first try */ /* create new SA only on first try */
if (!this->new_sa) if (!this->new_sa)
{ {
if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING ||
this->ike_sa->get_state(this->ike_sa) == IKE_REKEYED)
{
/* ignore SAs that have or are currently being rekeyed passively */
message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
return SUCCESS;
}
version = this->ike_sa->get_version(this->ike_sa); version = this->ike_sa->get_version(this->ike_sa);
this->new_sa = charon->ike_sa_manager->create_new( this->new_sa = charon->ike_sa_manager->create_new(
charon->ike_sa_manager, version, TRUE); charon->ike_sa_manager, version, TRUE);
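Review bot: The new early-return block is silent; consider logging before `return SUCCESS;` (e.g. a DBG1 line naming the current state) so an operator can see from the log that an active rekey was deliberately skipped because the SA is still IKE_REKEYED or IKE_REKEYING, rather than wondering why no CREATE_CHILD_SA went out. It would also help to note in the comment that returning SUCCESS after `message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);` relies on the caller treating an undefined exchange type as "nothing to send", since that is the only signal this path gives.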