ike-sa-manager: Don't update entries for init messages after unlocking segment

If the retransmit of an initial message is processed concurrently with the
original message it might not have been handled as intended as the
thread processing the retransmit might not have seen the correct value
of entry->processing set by the thread handling the original request.

For IKEv1, i.e. without proper message IDs, there might still be races e.g.
when receiving a retransmit of the initial IKE message while processing the
initiator's second request.

Fixes #1269.

diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 4625df5b84bb0ab140b41d73df69c00857fd9d41..3d150090999396bf0c263c4bb85398eb5e2ef368 100644 (file)
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1288,14 +1288,13 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
                                                entry = entry_create();
                                                entry->ike_sa = ike_sa;
                                                entry->ike_sa_id = id;
+                                               entry->processing = get_message_id_or_hash(message);
+                                               entry->init_hash = hash;
 
                                                segment = put_entry(this, entry);
                                                entry->checked_out = TRUE;
                                                unlock_single_segment(this, segment);
 
-                                               entry->processing = get_message_id_or_hash(message);
-                                               entry->init_hash = hash;
-
                                                DBG2(DBG_MGR, "created IKE_SA %s[%u]",
                                                         ike_sa->get_name(ike_sa),
                                                         ike_sa->get_unique_id(ike_sa));