From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 16 Jun 2021 11:54:18 +0000 (+0200)
Subject: ike-delete: Don't call reestablish() when reauthenticating
X-Git-Tag: 5.9.4dr2~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48fbe1d2d5ab452258de6f073f2b100d1a0eedb3;p=thirdparty%2Fstrongswan.git

ike-delete: Don't call reestablish() when reauthenticating

If we initiated a make-before-break reauthentication and the peer
concurrently deletes the IKE_SA (e.g. because it uses break-before-make
reauthentication), we would create a duplicate IKE_SA (the condition forces
a recreation of all existing CHILD_SAs because reestablish() is also called
to complete a break-before-make reauthentication).
---

diff --git a/src/libcharon/sa/ikev2/tasks/ike_delete.c b/src/libcharon/sa/ikev2/tasks/ike_delete.c
index d93bf60277..5f25ddc1a4 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_delete.c
@@ -156,7 +156,14 @@ METHOD(task_t, process_r, status_t,
 			/* fall-through */
 		case IKE_ESTABLISHED:
 			this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
-			this->ike_sa->reestablish(this->ike_sa);
+			/* if we are reauthenticating, we don't need to call this: for MBB
+			 * reauths, we are concurrently trying to establish a new SA and
+			 * would create a duplicate, and for BBM reauths, we are already in
+			 * state IKE_DELETING here and call reestablish() in build_r() */
+			if (!this->ike_sa->has_condition(this->ike_sa, COND_REAUTHENTICATING))
+			{
+				this->ike_sa->reestablish(this->ike_sa);
+			}
 			return NEED_MORE;
 		case IKE_REKEYED:
 			this->rekeyed = TRUE;