authorTobias Brunner <tobias@strongswan.org>2010-09-07 11:52:16 +0200
committerTobias Brunner <tobias@strongswan.org>2010-10-12 11:11:04 +0200
commitcd26eedc5c69402c7aa837a672e04476f11ba388 (patch)
tree973ada5ab61903f6212d9ccbe429b0c05937a6d6
parentd5bd77512637cf0be88ceea8fc1699e8655cd718 (diff)
Do not update hosts based on retransmitted messages.
-rw-r--r--src/libcharon/sa/ike_sa.c19
-rw-r--r--src/libcharon/sa/task_manager.c19
2 files changed, 23 insertions, 15 deletions
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index a5dd19952..998095f5f 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1239,15 +1239,12 @@ METHOD(ike_sa_t, process_message, status_t,
}
else
{
- host_t *me, *other;
-
- me = message->get_destination(message);
- other = message->get_source(message);
-
/* if this IKE_SA is virgin, we check for a config */
if (this->ike_cfg == NULL)
{
job_t *job;
+ host_t *me = message->get_destination(message),
+ *other = message->get_source(message);
this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
me, other);
if (this->ike_cfg == NULL)
@@ -1264,16 +1261,8 @@ METHOD(ike_sa_t, process_message, status_t,
HALF_OPEN_IKE_SA_TIMEOUT);
}
this->stats[STAT_INBOUND] = time_monotonic(NULL);
- /* check if message is trustworthy, and update host information */
- if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
- message->get_exchange_type(message) != IKE_SA_INIT)
- {
- if (!supports_extension(this, EXT_MOBIKE))
- { /* with MOBIKE, we do no implicit updates */
- update_hosts(this, me, other);
- }
- }
- status = this->task_manager->process_message(this->task_manager, message);
+ status = this->task_manager->process_message(this->task_manager,
+ message);
if (message->get_exchange_type(message) == IKE_AUTH &&
this->state == IKE_ESTABLISHED &&
lib->settings->get_bool(lib->settings,
diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c
index a7258848f..18703ce36 100644
--- a/src/libcharon/sa/task_manager.c
+++ b/src/libcharon/sa/task_manager.c
@@ -883,11 +883,21 @@ METHOD(task_manager_t, process_message, status_t,
private_task_manager_t *this, message_t *msg)
{
u_int32_t mid = msg->get_message_id(msg);
+ host_t *me = msg->get_destination(msg), *other = msg->get_source(msg);
if (msg->get_request(msg))
{
if (mid == this->responding.mid)
{
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+ this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
+ msg->get_exchange_type(msg) != IKE_SA_INIT)
+ { /* only do host updates based on verified messages */
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+ { /* with MOBIKE, we do no implicit updates */
+ this->ike_sa->update_hosts(this->ike_sa, me, other);
+ }
+ }
charon->bus->message(charon->bus, msg, TRUE);
if (process_request(this, msg) != SUCCESS)
{
@@ -920,6 +930,15 @@ METHOD(task_manager_t, process_message, status_t,
{
if (mid == this->initiating.mid)
{
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+ this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
+ msg->get_exchange_type(msg) != IKE_SA_INIT)
+ { /* only do host updates based on verified messages */
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+ { /* with MOBIKE, we do no implicit updates */
+ this->ike_sa->update_hosts(this->ike_sa, me, other);
+ }
+ }
charon->bus->message(charon->bus, msg, TRUE);
if (process_response(this, msg) != SUCCESS)
{
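Review bot: The comment `/* only do host updates based on verified messages */` in the response branch says more than the condition checks. An IKE_SA_INIT response is still accepted as a source for update_hosts() while the SA is IKE_CREATED or IKE_CONNECTING, and that exchange carries no integrity protection. The message-ID match only excludes retransmits; whatever integrity check makes the other exchanges "verified" is not visible in this hunk and presumably happens in the caller before process_message. I would reword the comment to say so, e.g. `/* IKE_SA_INIT is unauthenticated: take addresses from it only while the SA is being set up; other exchanges are expected to be integrity-checked by the caller */`. The same wording applies to the request branch in the hunk above.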