Move initial message dropping to task manager

When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
2025-10-08 00:02:03 -04:00 · 2013-02-25 11:42:50 +01:00 · 2013-02-25 11:42:50 +01:00 · cdf75a39e3
commit cdf75a39e3
parent 9eaed7a5bb
3 changed files with 27 additions and 19 deletions
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@ -1250,24 +1250,6 @@ METHOD(ike_sa_t, process_message, status_t,
 	{	/* do not handle messages in passive state */
 		return FAILED;
 	}
-	switch (message->get_exchange_type(message))
-	{
-		case ID_PROT:
-		case AGGRESSIVE:
-		case IKE_SA_INIT:
-		case IKE_AUTH:
-			if (this->state != IKE_CREATED &&
-				this->state != IKE_CONNECTING &&
-				message->get_first_payload_type(message) != FRAGMENT_V1)
-			{
-				DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
-					 exchange_type_names, message->get_exchange_type(message));
-				return FAILED;
-			}
-			break;
-		default:
-			break;
-	}
 	if (message->get_major_version(message) != this->version)
 	{
 		DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@ -1471,6 +1471,21 @@ METHOD(task_manager_t, process_message, status_t,
 			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
 			return SUCCESS;
 		}
+
+		/* reject Main/Agressive Modes once established */
+		if (msg->get_exchange_type(msg) == ID_PROT ||
+			msg->get_exchange_type(msg) == AGGRESSIVE)
+		{
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
+				this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
+				msg->get_first_payload_type(msg) != FRAGMENT_V1)
+			{
+				DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+					 exchange_type_names, msg->get_exchange_type(msg));
+				return FAILED;
+			}
+		}
+
 		if (msg->get_exchange_type(msg) == TRANSACTION &&
 			this->active_tasks->get_count(this->active_tasks))
 		{	/* main mode not yet complete, queue XAuth/Mode config tasks */
@ -2030,4 +2045,3 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)

 	return &this->public;
 }
-
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@ -1123,6 +1123,18 @@ METHOD(task_manager_t, process_message, status_t,
 	{
 		if (mid == this->responding.mid)
 		{
+			/* reject initial messages once established */
+			if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
+				msg->get_exchange_type(msg) == IKE_AUTH)
+			{
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
+					this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+						 exchange_type_names, msg->get_exchange_type(msg));
+					return FAILED;
+				}
+			}
 			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
 				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
 				msg->get_exchange_type(msg) != IKE_SA_INIT)