CVSROOT:	/cvs
Module name:	src
Changes by:	to...@cvs.openbsd.org	2020/03/20 12:11:39

Modified files:
	sbin/iked      : ikev2.c

Log message:
Unset 'sa->sa_simult' when the exchange fails with CHILD_SA_NOT_FOUND.

Normally iked remembers whether there was a simultaneous rekeying
attempt from both peers and then resolves it according to RFC 7296
and unsets 'sa_simult' once both are done.
It is possible that only one of the peers saw that the other tried to
rekey at the same time, resulting in a CHILD_SA_NOT_FOUND error message
from the other. The peer receiving this error must delete 'sa_simult',
otherwise it will try to resolve the conflict during the next rekey
exchange and delete the valid new Child SA.

ok patrick@