ike: Fix untracking IKE_SA_INITs with non-zero MIDs and SPIs as half-open SAs
index fc31c2a7cf4bbd7193435cac5210539678a1da8d..7763ae844ebb56d398e40f97264acff0477de348 100644 (file)
@@ -1326,29 +1326,31 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
                 be64toh(id->get_initiator_spi(id)),
                 be64toh(id->get_responder_spi(id)));
 
-       if (id->get_responder_spi(id) == 0 &&
-               message->get_message_id(message) == 0)
+       if (message->get_request(message) &&
+               message->get_exchange_type(message) == IKE_SA_INIT)
        {
-               if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
+               untrack_half_open = TRUE;
+
+               if (message->get_message_id(message) == 0 &&
+                       id->get_responder_spi(id) == 0)
                {
-                       if (message->get_exchange_type(message) == IKE_SA_INIT &&
-                               message->get_request(message))
-                       {
-                               ike_version = IKEV2;
-                               is_init = TRUE;
-                       }
+                       ike_version = IKEV2;
+                       is_init = TRUE;
                }
-               else
+       }
+       else if ((message->get_exchange_type(message) == ID_PROT ||
+                         message->get_exchange_type(message) == AGGRESSIVE) &&
+                        id->get_responder_spi(id) == 0)
+       {
+               untrack_half_open = TRUE;
+
+               if (message->get_message_id(message) == 0)
                {
-                       if (message->get_exchange_type(message) == ID_PROT ||
-                               message->get_exchange_type(message) == AGGRESSIVE)
-                       {
-                               ike_version = IKEV1;
-                               is_init = TRUE;
-                               if (id->is_initiator(id))
-                               {       /* not set in IKEv1, switch back before applying to new SA */
-                                       id->switch_initiator(id);
-                               }
+                       ike_version = IKEV1;
+                       is_init = TRUE;
+                       if (id->is_initiator(id))
+                       {       /* not set in IKEv1, switch back before applying to new SA */
+                               id->switch_initiator(id);
                        }
                }
        }
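Review bot: The condition on L11–L12 needs a comment saying why the `get_major_version(message) == IKEV2_MAJOR_VERSION` guard from the removed code is no longer required; the new code relies on `IKE_SA_INIT` never colliding with an IKEv1 exchange type, which appears to hold for the exchange_type_t values but is not stated anywhere, and a reader diffing against the old code may think a version check was lost. Something like `/* the exchange type implies the IKE version, so no separate major-version check is needed */` on the `if` would pin that. The split between `untrack_half_open` (set for every IKE_SA_INIT request, or any ID_PROT/AGGRESSIVE message without responder SPI) and `is_init` (only MID 0 and no responder SPI, the case that creates a new IKE_SA below) is the substance of the fix and deserves its own comment, e.g. `/* untrack half-open SAs for any IKE_SA_INIT request, not only those creating a new IKE_SA (MID 0, no responder SPI) */` on L15. checkout_by_message starts before this hunk, and the code that consumes `untrack_half_open` lies outside it, so I cannot confirm from here what happens when the SPI lookup for a non-zero-SPI IKE_SA_INIT request finds no entry.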
@@ -1359,7 +1361,6 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
                uint64_t our_spi;
                chunk_t hash;
 
-               untrack_half_open = TRUE;
                hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
                if (!hasher || !get_init_hash(hasher, message, &hash))
                {