| | | |
|---|---|---|
| author | tobhe <tobhe@cvs.openbsd.org> | 2020-03-20 18:11:40 +0000 |
| committer | tobhe <tobhe@cvs.openbsd.org> | 2020-03-20 18:11:40 +0000 |
| commit | cfa23e3e60831b14eba03e0f6604cdc8648373ac (patch) | |
| tree | 5599dbafba13d4a96d0b1b1f90ca5e47b3ac663c /sbin | |
| parent | a64073b40b8c5fef172b455a6f59f4701f2ace6b (diff) | |
Unset 'sa->sa_simult' when the exchange fails with CHILD_SA_NOT_FOUND.
Normally iked remembers whether there was a simultaneous rekeying
attempt from both peers and then resolves it according to RFC 7296 and
unsets 'sa_simult' once both are done.
It is possible that only one of the peers saw that the other tried
to rekey at the same time, resulting in a CHILD_SA_NOT_FOUND error
message from the other.
The peer receiving this error must delete 'sa_simult', otherwise it
will try to resolve the conflict during the next rekey exchange and
delete the valid new Child SA.
ok patrick@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/iked/ikev2.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index b335af5a2f3..81d21f78529 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.197 2020/03/18 22:12:43 tobhe Exp $ */ +/* $OpenBSD: ikev2.c,v 1.198 2020/03/20 18:11:39 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> @@ -2526,8 +2526,11 @@ ikev2_handle_notifies(struct iked *env, struct iked_message *msg) if ((sa = msg->msg_sa) == NULL) return (-1); - if (msg->msg_flags & IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND) + if (msg->msg_flags & IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND) { sa->sa_stateflags &= ~IKED_REQ_CHILDSA; + ibuf_release(sa->sa_simult); + sa->sa_simult = NULL; + } if ((msg->msg_flags & IKED_MSG_FLAGS_FRAGMENTATION) && env->sc_frag) { log_debug("%s: fragmentation enabled", __func__); |
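Review bot: the reason for dropping 'sa_simult' in the CHILD_SA_NOT_FOUND branch of ikev2_handle_notifies() exists only in the commit message; a one-line comment above `ibuf_release(sa->sa_simult);` (e.g. "peer did not see the simultaneous rekey, drop our record of it") would keep that rationale next to the code, since a reader will otherwise wonder why a notify about a missing Child SA touches the collision state. The release is called without a NULL guard and relies on ibuf_release() tolerating a NULL argument, which the OpenBSD ibuf code does; the immediate `sa->sa_simult = NULL;` afterwards is the right pairing so the pointer cannot dangle into the next rekey. The braces added around the now three-statement body are required and correct.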