From: Tobias Brunner Date: Tue, 29 Jun 2021 13:25:48 +0000 (+0200) Subject: ike: Don't rekey IKE_SA while reauthenticating X-Git-Tag: 5.9.4dr2~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36161febd3bc7a7b2152aca19d01fdc37c8a6ea6;p=thirdparty%2Fstrongswan.git ike: Don't rekey IKE_SA while reauthenticating If we are using make-before-break reauthentication, this could lead to duplicates as the new IKE_SA wouldn't be able to delete the previous one if it was replaced by a rekeying. --- diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 407917637c..2ce5987773 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1928,7 +1928,8 @@ METHOD(ike_sa_t, delete_, status_t, METHOD(ike_sa_t, rekey, status_t, private_ike_sa_t *this) { - if (this->state == IKE_PASSIVE) + if (this->state == IKE_PASSIVE || + has_condition(this, COND_REAUTHENTICATING)) { return INVALID_STATE; }
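Review bot: The added has_condition(this, COND_REAUTHENTICATING) check in rekey() carries no comment explaining why a rekey is refused during reauthentication. The reason is given only in the commit message: with make-before-break, the new IKE_SA could not delete its predecessor if that had been replaced by a rekeying, leaving duplicates. A one-line comment above the condition would keep that rationale next to the code. Both conditions also return the same INVALID_STATE, so a caller cannot tell a passive IKE_SA from one that is mid-reauthentication. The hunk does not show whether a rekey rejected here is retried if the reauthentication never completes, which is worth confirming or stating in the commit message.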