ike-sa-manager: Avoid initiating CHILD_SAs on IKE_SAs with queued DELETE

The IKE_SA might be busy with a different task while a request to terminate it is getting queued, we don't want to use such an IKE_SA to initiate new CHILD_SAs as these tasks will get lost once the IKE_SA is terminated.
2025-10-04 00:00:14 -04:00 · 2024-07-04 14:43:37 +02:00 · 2024-07-04 14:43:37 +02:00 · da00a04f60
commit da00a04f60
parent 07ce6b44c5
3 changed files with 22 additions and 12 deletions
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2020 Tobias Brunner
+ * Copyright (C) 2006-2024 Tobias Brunner
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
@ -2012,12 +2012,13 @@ static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
 				this->version == IKEV1 ? TASK_QUICK_MODE : TASK_CHILD_CREATE);
 }

-/**
- * Check if any tasks to delete the IKE_SA are queued in the given queue.
+/*
+ * Described in header
 */
-static bool is_delete_queued(private_ike_sa_t *this, task_queue_t queue)
+bool ike_sa_is_delete_queued(ike_sa_t *ike_sa)
 {
-	return is_task_queued(this, queue,
+	private_ike_sa_t *this = (private_ike_sa_t*)ike_sa;
+	return is_task_queued(this, TASK_QUEUE_QUEUED,
 				this->version == IKEV1 ? TASK_ISAKMP_DELETE : TASK_IKE_DELETE);
 }

@ -2101,7 +2102,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 	bool restart = FALSE;
 	status_t status = FAILED;

-	if (is_delete_queued(this, TASK_QUEUE_QUEUED))
+	if (ike_sa_is_delete_queued((ike_sa_t*)this))
 	{	/* don't reestablish IKE_SAs that have explicitly been deleted in the
 		 * mean time */
 		return FAILED;
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2020 Tobias Brunner
+ * Copyright (C) 2006-2024 Tobias Brunner
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
@ -1275,6 +1275,14 @@ ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 */
 bool ike_sa_can_reauthenticate(ike_sa_t *this);

+/**
+ * Check if a task to delete this IKE_SA is queued.
+ *
+ * @param this			IKE_SA to check
+ * @return				TRUE if a task is queued
+ */
+bool ike_sa_is_delete_queued(ike_sa_t *this);
+
 /**
 * Get hosts, virtual or physical, for deriving dynamic traffic selectors.
 *
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2022 Tobias Brunner
+ * Copyright (C) 2008-2024 Tobias Brunner
 * Copyright (C) 2005-2011 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 *
@ -1562,7 +1562,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 			continue;
 		}
 		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
-			entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
+			entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED ||
+			ike_sa_is_delete_queued(entry->ike_sa))
 		{	/* skip IKE_SAs which are not usable, wake other waiting threads */
 			entry->condvar->signal(entry->condvar);
 			continue;