From: Tobias Brunner
Date: Wed, 5 Jul 2023 08:41:11 +0000 (+0200)
Subject: ike: Fix untracking IKE_SA_INITs with non-zero MIDs and SPIs as half-open SAs
X-Git-Tag: android-2.4.2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b4735709189f9f3b20f64bce4f38211527fff5b;p=thirdparty%2Fstrongswan.git
ike: Fix untracking IKE_SA_INITs with non-zero MIDs and SPIs as half-open SAs
We track all IKE_SA_INIT requests as half-open IKE_SAs but didn't correctly untrack them if their message ID or responder SPI was non-zero.
References strongswan/strongswan#1775
Fixes: b866ee88bf54 ("ike: Track unprocessed initial IKE messages like half-open IKE_SAs")
---
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index fc31c2a7cf..7763ae844e 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1326,29 +1326,31 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 be64toh(id->get_initiator_spi(id)),
 be64toh(id->get_responder_spi(id)));
- if (id->get_responder_spi(id) == 0 &&
- message->get_message_id(message) == 0)
+ if (message->get_request(message) &&
+ message->get_exchange_type(message) == IKE_SA_INIT)
 {
- if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
+ untrack_half_open = TRUE;
+
+ if (message->get_message_id(message) == 0 &&
+ id->get_responder_spi(id) == 0)
 {
- if (message->get_exchange_type(message) == IKE_SA_INIT &&
- message->get_request(message))
- {
- ike_version = IKEV2;
- is_init = TRUE;
- }
+ ike_version = IKEV2;
+ is_init = TRUE;
 }
- else
+ }
+ else if ((message->get_exchange_type(message) == ID_PROT ||
+ message->get_exchange_type(message) == AGGRESSIVE) &&
+ id->get_responder_spi(id) == 0)
+ {
+ untrack_half_open = TRUE;
+
+ if (message->get_message_id(message) == 0)
 {
- if (message->get_exchange_type(message) == ID_PROT ||
- message->get_exchange_type(message) == AGGRESSIVE)
- {
- ike_version = IKEV1;
- is_init = TRUE;
- if (id->is_initiator(id))
- { /* not set in IKEv1, switch back before applying to new SA */
- id->switch_initiator(id);
- }
+ ike_version = IKEV1;
+ is_init = TRUE;
+ if (id->is_initiator(id))
+ { /* not set in IKEv1, switch back before applying to new SA */
+ id->switch_initiator(id);
 }
 }
 }
@@ -1359,7 +1361,6 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 uint64_t our_spi;
 chunk_t hash;
- untrack_half_open = TRUE;
 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 if (!hasher || !get_init_hash(hasher, message, &hash))
 {
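Review bot: In the first hunk (@@ -1326) the rewritten condition no longer tests `message->get_major_version(message) == IKEV2_MAJOR_VERSION`, so both `ike_version` and `untrack_half_open` are now derived from the exchange type alone. Whether a header whose major version disagrees with its exchange type is rejected before `checkout_by_message` runs is not visible in this hunk; if it is, a comment above the `if` such as `/* version/exchange type mismatches are rejected before this point, so the exchange type identifies the IKE version */` would record the invariant the code now relies on. The two branches are also asymmetric: IKE_SA_INIT requests are untracked for any responder SPI, while ID_PROT/AGGRESSIVE messages are untracked only when it is zero. Because a track/untrack mismatch lets unauthenticated traffic skew the half-open count, a one-line comment on each branch stating that its condition mirrors the one used where the message was tracked would help keep the two sites in sync. The function body starts before and continues after the hunk.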