[strongSwan-dev] [PATCH 2/2] Ignore delete action in case of rekeying collision
Thomas Egerer
thomas.egerer at secunet.com
Tue Jun 1 09:54:45 CEST 2010
---
src/libcharon/sa/tasks/child_delete.c | 4 +++-
src/libcharon/sa/tasks/child_rekey.c | 3 +++
2 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c
index d7c6b05..3a5d1f3 100644
--- a/src/libcharon/sa/tasks/child_delete.c
+++ b/src/libcharon/sa/tasks/child_delete.c
@@ -192,6 +192,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
protocol_id_t protocol;
u_int32_t spi;
status_t status = SUCCESS;
+ bool ignore_delete_action;
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
@@ -205,8 +206,9 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
protocol = child_sa->get_protocol(child_sa);
child_cfg = child_sa->get_config(child_sa);
child_cfg->get_ref(child_cfg);
+ ignore_delete_action = child_sa->get_ignore_delete_action(child_sa);
this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
- if (this->check_delete_action)
+ if (this->check_delete_action && !ignore_delete_action)
{ /* enforce child_cfg policy if deleted passively */
switch (child_cfg->get_close_action(child_cfg))
{
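Review bot: The new read of `ignore_delete_action` sits before `destroy_child_sa()` with no comment saying the order matters. The surrounding code takes `protocol`, `spi` and a `child_cfg` reference before that call, so `child_sa` is presumably invalid afterwards. A short comment such as `/* must be read before destroy_child_sa(), child_sa is gone afterwards */` would keep a later reorder from turning this into a use-after-free. The close action is also skipped silently when the flag is set; a debug line in that case would let an operator see why the configured close policy was not enforced for this CHILD_SA. The loop body of destroy_and_reestablish continues outside the hunk.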
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c
index 5331419..07d3ba6 100644
--- a/src/libcharon/sa/tasks/child_rekey.c
+++ b/src/libcharon/sa/tasks/child_rekey.c
@@ -234,9 +234,12 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
if (memcmp(this_nonce.ptr, other_nonce.ptr,
min(this_nonce.len, other_nonce.len)) < 0)
{
+ child_sa_t *child = other->child_create->get_child(other->child_create);
DBG1(DBG_IKE, "CHILD_SA rekey collision won, "
"deleting rekeyed child");
to_delete = this->child_sa;
+ /* ignore delete action for child deleted by peer */
+ child->set_ignore_delete_action(child, TRUE);
}
else
{
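Review bot: In the collision-won branch of handle_collision, the pointer returned by `other->child_create->get_child(other->child_create)` is dereferenced without a NULL check. The hunk does not show get_child's contract, but if the colliding task has no CHILD_SA at that point, `child->set_ignore_delete_action(child, TRUE)` would crash the daemon on a path a peer can trigger through a rekey collision. I would guard it: `if (child) { child->set_ignore_delete_action(child, TRUE); }`. The comment could also say that the flag is set on the peer's redundant CHILD_SA, not on `to_delete`, since the two are easy to confuse here. The function continues outside the hunk.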
--
1.7.0.2