ike: Fix untracking IKE_SA_INITs with non-zero MIDs and SPIs as half-open SAs

We track all IKE_SA_INIT requests as half-open IKE_SAs but didn't correctly untrack them if their message ID or responder SPI was non-zero. References strongswan/strongswan#1775 Fixes: b866ee88bf54 ("ike: Track unprocessed initial IKE messages like half-open IKE_SAs")
2025-10-04 00:00:14 -04:00 · 2023-07-05 10:41:11 +02:00 · 2023-07-05 10:41:11 +02:00 · 0b47357091
commit 0b47357091
parent 849c2c9707
1 changed files with 21 additions and 20 deletions
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@ -1326,29 +1326,31 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 		 be64toh(id->get_initiator_spi(id)),
 		 be64toh(id->get_responder_spi(id)));
-	if (id->get_responder_spi(id) == 0 &&
+	if (message->get_request(message) &&
-		message->get_message_id(message) == 0)
+		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
-		if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
+		untrack_half_open = TRUE;
 		if (message->get_message_id(message) == 0 &&
 			id->get_responder_spi(id) == 0)
 		{
-			if (message->get_exchange_type(message) == IKE_SA_INIT &&
+			ike_version = IKEV2;
-				message->get_request(message))
+			is_init = TRUE;
 			{
 				ike_version = IKEV2;
 				is_init = TRUE;
 			}
 		}
-		else
+	}
 	else if ((message->get_exchange_type(message) == ID_PROT ||
 			  message->get_exchange_type(message) == AGGRESSIVE) &&
 			 id->get_responder_spi(id) == 0)
 	{
 		untrack_half_open = TRUE;
 		if (message->get_message_id(message) == 0)
 		{
-			if (message->get_exchange_type(message) == ID_PROT ||
+			ike_version = IKEV1;
-				message->get_exchange_type(message) == AGGRESSIVE)
+			is_init = TRUE;
-			{
+			if (id->is_initiator(id))
-				ike_version = IKEV1;
+			{	/* not set in IKEv1, switch back before applying to new SA */
-				is_init = TRUE;
+				id->switch_initiator(id);
 				if (id->is_initiator(id))
 				{	/* not set in IKEv1, switch back before applying to new SA */
 					id->switch_initiator(id);
 				}
 			}
 		}
 	}
@ -1359,7 +1361,6 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 		uint64_t our_spi;
 		chunk_t hash;
 		untrack_half_open = TRUE;
 		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 		if (!hasher || !get_init_hash(hasher, message, &hash))
 		{