ikev2: Ignore IKEV2_MESSAGE_ID_SYNC notifies if extension is disabled

If this is the first message by the peer, i.e. we expect MID 0, the
message is not pre-processed in the task manager so we ignore it in the
task.

We also make sure to ignore such messages if the extension is disabled
and the peer already sent us one INFORMATIONAL, e.g. a DPD (we'd otherwise
consider the message with MID 0 as a retransmit).

diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 778349c08bd0c890d7c9a00d36c8a306d31c3772..e4a16faf0bd57bc77ade715e1cadf691140749be 100644 (file)
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1398,20 +1398,18 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
 }
 
 /**
- * Check if a message with message ID 0 might be used to synchronize the
- * message IDs.
+ * Check if a message with message ID 0 looks like it is used to synchronize
+ * the message IDs.
  */
-static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
+static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg,
+                                                               bool strict)
 {
        enumerator_t *enumerator;
        notify_payload_t *notify;
        payload_t *payload;
        bool found = FALSE, other = FALSE;
 
-       if (msg->get_exchange_type(msg) == INFORMATIONAL &&
-               this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
-               this->ike_sa->supports_extension(this->ike_sa,
-                                                                                 EXT_IKE_MESSAGE_ID_SYNC))
+       if (msg->get_exchange_type(msg) == INFORMATIONAL)
        {
                enumerator = msg->create_payload_enumerator(msg);
                while (enumerator->enumerate(enumerator, &payload))
@@ -1429,14 +1427,35 @@ static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
                                                break;
                                }
                        }
-                       other = TRUE;
-                       break;
+                       if (strict)
+                       {
+                               other = TRUE;
+                               break;
+                       }
                }
                enumerator->destroy(enumerator);
        }
        return found && !other;
 }
 
+/**
+ * Check if a message with message ID 0 looks like it is used to synchronize
+ * the message IDs and we are prepared to process it.
+ *
+ * Note: This is not called if the responder never sent a message before (i.e.
+ * we expect MID 0).
+ */
+static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
+{
+       if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
+               this->ike_sa->supports_extension(this->ike_sa,
+                                                                                EXT_IKE_MESSAGE_ID_SYNC))
+       {
+               return looks_like_mid_sync(this, msg, TRUE);
+       }
+       return FALSE;
+}
+
 METHOD(task_manager_t, process_message, status_t,
        private_task_manager_t *this, message_t *msg)
 {
@@ -1525,7 +1544,8 @@ METHOD(task_manager_t, process_message, status_t,
                        }
                }
                else if ((mid == this->responding.mid - 1) &&
-                                array_count(this->responding.packets))
+                                array_count(this->responding.packets) &&
+                                !(mid == 0 && looks_like_mid_sync(this, msg, FALSE)))
                {
                        status = handle_fragment(this, &this->responding.defrag, msg);
                        if (status != SUCCESS)

diff --git a/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
index d7de113036f744424c937c4ad2022a028a2299a7..24cf276f46b7fb55539830fa8619333d4876c50e 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
@@ -112,6 +112,13 @@ METHOD(task_t, pre_process, status_t,
                 * unexpected message ID */
                return SUCCESS;
        }
+       if (!this->ike_sa->supports_extension(this->ike_sa,
+                                                                                 EXT_IKE_MESSAGE_ID_SYNC))
+       {
+               DBG1(DBG_ENC, "unexpected %N notify, ignored", notify_type_names,
+                        IKEV2_MESSAGE_ID_SYNC);
+               return FAILED;
+       }
        notify = message->get_notify(message, IKEV2_MESSAGE_ID_SYNC);
 
        reader = bio_reader_create(notify->get_notification_data(notify));