From: Tobias Brunner Date: Tue, 29 Jun 2021 13:50:43 +0000 (+0200) Subject: ike-rekey: Respond with TEMPORARY_FAILURE while reauthenticating X-Git-Tag: 5.9.4dr2~12 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=0d373e25e06bd0f29ef2d0a83cc4bf96695999fa;p=thirdparty%2Fstrongswan.git ike-rekey: Respond with TEMPORARY_FAILURE while reauthenticating This could lead to duplicates as the new IKE_SA can't delete the old one once reauthentication is complete if it was replaced by a rekeying.
---
diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
index c12876bfe4..a74e2f7cd7 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -231,6 +231,12 @@ METHOD(task_t, process_r, status_t,
 this->failed_temporarily = TRUE;
 return NEED_MORE;
 }
+ if (this->ike_sa->has_condition(this->ike_sa, COND_REAUTHENTICATING))
+ {
+ DBG1(DBG_IKE, "peer initiated rekeying, but we are reauthenticating");
+ this->failed_temporarily = TRUE;
+ return NEED_MORE;
+ }
 if (have_half_open_children(this))
 {
 DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
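Review bot: The new COND_REAUTHENTICATING branch in process_r has no comment saying why a peer's rekey is refused during reauthentication; the reason exists only in the commit message. I would add above the `if`: `/* a rekeying would replace this IKE_SA, so the SA created by the reauthentication could not delete it afterwards, leaving duplicates */`. Whether COND_REAUTHENTICATING is cleared again when a reauthentication fails or is abandoned is not visible here; if it can stay set, every later rekey from the peer would be answered with a temporary failure and this SA's keys would never be refreshed, so that path is worth confirming. process_r begins and ends outside this hunk.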