ike: Fix untracking IKE_SA_INITs with non-zero MIDs and SPIs as half-open SAs

We track all IKE_SA_INIT requests as half-open IKE_SAs but didn't correctly untrack them if their message ID or responder SPI was non-zero. References strongswan/strongswan#1775 Fixes: b866ee88bf54 ("ike: Track unprocessed initial IKE messages like half-open IKE_SAs")
2025-10-03 00:00:24 -04:00 · 2023-07-05 10:41:11 +02:00 · 2023-07-05 10:41:11 +02:00 · 0b47357091
commit 0b47357091
parent 849c2c9707
1 changed files with 21 additions and 20 deletions
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@ -1326,29 +1326,31 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 		 be64toh(id->get_initiator_spi(id)),
 		 be64toh(id->get_responder_spi(id)));

-	if (id->get_responder_spi(id) == 0 &&
-		message->get_message_id(message) == 0)
+	if (message->get_request(message) &&
+		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
-		if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
+		untrack_half_open = TRUE;
+
+		if (message->get_message_id(message) == 0 &&
+			id->get_responder_spi(id) == 0)
 		{
-			if (message->get_exchange_type(message) == IKE_SA_INIT &&
-				message->get_request(message))
-			{
-				ike_version = IKEV2;
-				is_init = TRUE;
-			}
+			ike_version = IKEV2;
+			is_init = TRUE;
 		}
-		else
+	}
+	else if ((message->get_exchange_type(message) == ID_PROT ||
+			  message->get_exchange_type(message) == AGGRESSIVE) &&
+			 id->get_responder_spi(id) == 0)
+	{
+		untrack_half_open = TRUE;
+
+		if (message->get_message_id(message) == 0)
 		{
-			if (message->get_exchange_type(message) == ID_PROT ||
-				message->get_exchange_type(message) == AGGRESSIVE)
-			{
-				ike_version = IKEV1;
-				is_init = TRUE;
-				if (id->is_initiator(id))
-				{	/* not set in IKEv1, switch back before applying to new SA */
-					id->switch_initiator(id);
-				}
+			ike_version = IKEV1;
+			is_init = TRUE;
+			if (id->is_initiator(id))
+			{	/* not set in IKEv1, switch back before applying to new SA */
+				id->switch_initiator(id);
 			}
 		}
 	}
@ -1359,7 +1361,6 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 		uint64_t our_spi;
 		chunk_t hash;

-		untrack_half_open = TRUE;
 		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 		if (!hasher || !get_init_hash(hasher, message, &hash))
 		{