If we initiated a make-before-break reauthentication and the peer
concurrently deletes the IKE_SA (e.g. because it uses break-before-make
reauthentication), we would create a duplicate IKE_SA (the condition forces
a recreation of all existing CHILD_SAs because reestablish() is also called
to complete a break-before-make reauthentication).
/* fall-through */
case IKE_ESTABLISHED:
this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
- this->ike_sa->reestablish(this->ike_sa);
+ /* if we are reauthenticating, we don't need to call this: for MBB
+ * reauths, we are concurrently trying to establish a new SA and
+ * would create a duplicate, and for BBM reauths, we are already in
+ * state IKE_DELETING here and call reestablish() in build_r() */
+ if (!this->ike_sa->has_condition(this->ike_sa, COND_REAUTHENTICATING))
+ {
+ this->ike_sa->reestablish(this->ike_sa);
+ }
return NEED_MORE;
case IKE_REKEYED:
this->rekeyed = TRUE;
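Review bot: the new comment in the IKE_ESTABLISHED case says that for BBM reauths "we are already in state IKE_DELETING here", but the hunk is labelled `case IKE_ESTABLISHED:` and calls `set_state(this->ike_sa, IKE_DELETING)` itself, so that claim only holds for the path that falls through from the preceding case (marked `/* fall-through */` but not shown). Consider spelling out in the comment which case falls through here, e.g. "for BBM reauths we get here via the fall-through from IKE_DELETING", so a reader of this block alone can see why COND_REAUTHENTICATING covers both paths. A second question on the same check: once `reestablish()` is skipped under COND_REAUTHENTICATING, what retries the CHILD_SAs if the concurrent MBB IKE_SA_INIT/IKE_AUTH later fails after this delete has already been accepted? If that is handled elsewhere, a short pointer in the comment would help.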