From: Tobias Brunner Date: Tue, 25 Feb 2025 13:49:38 +0000 (+0100) Subject: ikev2: Trigger ike_reestablish_pre|post events for make-before-break reauth X-Git-Tag: 6.0.1rc1~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=069a81e69adca0563b8b76e9f95b8696ce46f4d4;p=thirdparty%2Fstrongswan.git ikev2: Trigger ike_reestablish_pre|post events for make-before-break reauth Listeners can't track those IKE_SAs otherwise. For break-before-make reauthentications, these events are already triggered because that is implemented by calling reestablish() on the old IKE_SA.
---
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index 42297e2f4c..59963ca320 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -182,6 +182,9 @@ struct listener_t {
 * peer_cfg (and the old hosts), but before resolving the hosts anew.
 * It is not invoked on the responder.
 *
+ * If this is called during a reauthentication, COND_REAUTHENTICATING is
+ * set on the old IKE_SA and the hosts are not resolved anew.
+ *
 * @param old IKE_SA getting reestablished (is destroyed)
 * @param new new IKE_SA replacing old (gets established)
 * @return TRUE to stay registered, FALSE to unregister
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index a348916a5e..86f9f8b49b 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -2172,6 +2172,7 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 new->set_other_host(new, host->clone(host));
 host = this->ike_sa->get_my_host(this->ike_sa);
 new->set_my_host(new, host->clone(host));
+ charon->bus->ike_reestablish_pre(charon->bus, this->ike_sa, new);
 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
 while (enumerator->enumerate(enumerator, &host))
 {
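Review bot: The added paragraph on ike_reestablish_pre explains the reauthentication case, but the `@param old IKE_SA getting reestablished (is destroyed)` line directly below it now reads at odds with it for make-before-break reauth, where the task_manager_v2.c hunks of this commit show the old IKE_SA staying alive until the new one completes (an ike_reauth_complete task is queued on the new IKE_SA with the old one's id). Consider qualifying it, e.g. `@param old IKE_SA getting reestablished (is destroyed, in the make-before-break case only after the new IKE_SA is established)`. The doc comment of ike_reestablish_post is outside the hunk; if it mentions the hosts being resolved anew, it presumably needs the same COND_REAUTHENTICATING note.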
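Review bot: With ike_reestablish_pre now triggered right after the hosts are copied, every exit of trigger_mbb_reauth below this point must reach a matching ike_reestablish_post, otherwise a listener that allocates per-reestablish state on the pre event never gets to release it. The two later hunks cover the no-CHILD_SA and the failed-initiate paths, but the virtual IP and CHILD_SA enumeration between this hunk and line 2235 is outside the diff; if an early return sits there it needs `charon->bus->ike_reestablish_post(charon->bus, this->ike_sa, new, FALSE);` in front of its checkin_and_destroy. A one-line comment above the new call, `/* listeners track new from here on, every exit below must trigger ike_reestablish_post */`, would make that invariant visible to the next change. trigger_mbb_reauth starts and ends outside this hunk.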
@@ -2234,6 +2235,8 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 #endif /* ME */
 )
 {
+ charon->bus->ike_reestablish_post(charon->bus, this->ike_sa, new,
+ FALSE);
 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
 "to recreate");
@@ -2248,10 +2251,14 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new));
 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
 this->ike_sa->get_id(this->ike_sa)));
+ charon->bus->ike_reestablish_post(charon->bus, this->ike_sa, new,
+ TRUE);
 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
 }
 else
 {
+ charon->bus->ike_reestablish_post(charon->bus, this->ike_sa, new,
+ FALSE);
 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
 }
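Review bot: The failure sequence `ike_reestablish_post(..., FALSE)` followed by `checkin_and_destroy` and a DBG1 now appears twice in this function, once in the no-CHILD_SA branch of the hunk at -2234 and once in the else branch here, and each ike_reestablish_post call is wrapped onto a second line only for the boolean. A small static helper would keep the notify-before-destroy ordering in one place; that ordering matters because listeners must be able to look at `new` while it is still checked out, before the manager destroys it. Both branches would then reduce to one call, e.g. `abort_mbb_reauth(this, new, "reauthenticating IKE_SA failed");`. The helper below would go above trigger_mbb_reauth, whose signature and remaining body are outside the hunk.
```c
/**
 * Notify listeners that a make-before-break reauthentication failed and
 * destroy the new IKE_SA; listeners are notified while new is still
 * checked out, before the manager destroys it.
 */
static void abort_mbb_reauth(private_task_manager_t *this, ike_sa_t *new,
							 char *reason)
{
	charon->bus->ike_reestablish_post(charon->bus, this->ike_sa, new, FALSE);
	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
	DBG1(DBG_IKE, "%s", reason);
}
/* … unchanged: trigger_mbb_reauth, with both failure branches calling abort_mbb_reauth() … */
```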