[strongSwan-dev] [PATCH 1/2] Enforce IKE_SA uniqueness policy as initiator too

Jan Blunck jblunck at infradead.org
Wed Apr 27 09:43:53 CEST 2016


In cases where both peers of a tunnel try to initiate the connection
simultaneously, one of the peers ends up having two IKE_SAs in state
IKE_ESTABLISHED. Therefore let's call check_uniqueness() before we switch
state, as is already the case as a responder in build_r.
---
 src/libcharon/sa/ikev2/tasks/ike_auth.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index e554ca3..a7ec37c 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -1140,6 +1140,14 @@ METHOD(task_t, process_i, status_t,
 	{
 		goto peer_auth_failed;
 	}
+	if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+						     this->ike_sa, FALSE))
+	{
+		DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
+		charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
+		send_auth_failed_informational(this, message);
+		return FAILED;
+	}
 	if (!charon->bus->authorize(charon->bus, TRUE))
 	{
 		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
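Review bot: the bare `FALSE` passed as the third argument to `check_uniqueness()` is not self-explanatory in this hunk; a one-line comment above the call stating what that flag selects, and that the block mirrors the responder-side check in build_r (as the commit message says), would make the intent clear to the next reader. The new branch also returns FAILED after `send_auth_failed_informational(this, message)` without any note on how the peer's own IKE_SA is expected to be torn down when it already reached IKE_ESTABLISHED on its side; since the whole point of the patch is the simultaneous-initiation race, the commit message should state which side keeps its SA and why the informational is sufficient for the other to clean up.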
-- 
2.5.5