From 1c5cef1b895d7ea9c15327b5eb4605897faf67a6 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 15 Jan 2021 16:25:54 +0100 Subject: [PATCH] ike-rekey: Register new IKE_SA before calling inherit_post() If rekeying and reauthetication coincided, the reauth job could get scheduled to run immediately i.e. before checkin() was called. So the new IKE_SA would not get reauthenticated, however, the further delayed delete job would later find the new IKE_SA and delete it. --- src/libcharon/sa/ikev2/tasks/ike_rekey.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c index 83af67b..c12876b 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c @@ -126,16 +126,18 @@ static void establish_new(private_ike_rekey_t *this) this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); + /* register the new IKE_SA before calling inherit_post() as that may + * schedule jobs, as may listeners for ike_rekey() */ + charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, + this->new_sa); this->new_sa->inherit_post(this->new_sa, this->ike_sa); charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa); job = check_queued_tasks(this->new_sa); - /* don't queue job before checkin(), as the IKE_SA is not yet - * registered at the manager */ - charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa); if (job) { lib->processor->queue_job(lib->processor, job); } + charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa); this->new_sa = NULL; charon->bus->set_sa(charon->bus, this->ike_sa); -- 2.7.4