ike-rekey: Register new IKE_SA before calling inherit_post()
author Tobias Brunner <tobias@strongswan.org>
Fri, 15 Jan 2021 15:25:54 +0000 (16:25 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 14:49:08 +0000 (15:49 +0100)
If rekeying and reauthentication coincided, the reauth job could get
scheduled to run immediately, i.e. before checkin() was called.  So the
new IKE_SA would not get reauthenticated, however, the further delayed
delete job would later find the new IKE_SA and delete it.

src/libcharon/sa/ikev2/tasks/ike_rekey.c

index 83af67b..c12876b 100644 (file)
@@ -126,16 +126,18 @@ static void establish_new(private_ike_rekey_t *this)
                         this->ike_sa->get_other_host(this->ike_sa),
                         this->ike_sa->get_other_id(this->ike_sa));
 
+               /* register the new IKE_SA before calling inherit_post() as that may
+                * schedule jobs, as may listeners for ike_rekey() */
+               charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+                                                                                        this->new_sa);
                this->new_sa->inherit_post(this->new_sa, this->ike_sa);
                charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
                job = check_queued_tasks(this->new_sa);
-               /* don't queue job before checkin(), as the IKE_SA is not yet
-                * registered at the manager */
-               charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
                if (job)
                {
                        lib->processor->queue_job(lib->processor, job);
                }
+               charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
                this->new_sa = NULL;
                charon->bus->set_sa(charon->bus, this->ike_sa);
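
Review bot: The `if (job)` block now calls `lib->processor->queue_job()` while `this->new_sa` is still checked out, which is exactly what the removed comment ("don't queue job before checkin(), as the IKE_SA is not yet registered at the manager") warned against, and nothing in the hunk says why that ordering is now acceptable. The new comment only covers `checkout_new()` preceding `inherit_post()`. Please add a line above `if (job)` stating that queuing is safe here because the IKE_SA is already registered via `checkout_new()`, and what a job that runs before the later `checkin()` will see when it looks up the SA, so a future reader does not move the `checkin()` back or assume the old constraint still holds.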