git.ipfire.org Git - thirdparty/strongswan.git/commit

author	Tobias Brunner <tobias@strongswan.org>
	Fri, 4 Jun 2021 16:11:46 +0000 (18:11 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Thu, 14 Apr 2022 13:28:07 +0000 (15:28 +0200)
commit	b866ee88bf548e7409682c63097cae5a6c88469e
tree	6d28c8ce3ce9957f016332fdffb452cff1d0424a	tree
parent	d8104b7c69a1c0e47762ee795150aa41c5e4b07c	commit \| diff

ike: Track unprocessed initial IKE messages like half-open IKE_SAs

This should make the DoS limits (cookie_threshold[_ip] and block_threshold)
more accurate so that it won't be possible to create lots of jobs from
spoofed IP addresses before half-open IKE_SAs are actually created from
these jobs to enforce those limits.

Note that retransmits are tracked as half-open SAs until they are
processed/dismissed as the check only happens in checkout_by_message().

Increasing the count in process_message_job_create() avoids issues with
missing calls to track_init() before calling checkout_by_message() (e.g.
when processing fragmented IKEv1 messages, which are reinjected via a
process message job).

conf/options/charon.opt		diff \| blob \| blame \| history
src/libcharon/processing/jobs/process_message_job.c		diff \| blob \| blame \| history
src/libcharon/sa/ike_sa_manager.c		diff \| blob \| blame \| history
src/libcharon/sa/ike_sa_manager.h		diff \| blob \| blame \| history