commit 650a3ad5151958b99a95836fb8b84b8aa18da1be
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Wed Feb 25 08:09:11 2015 +0100

    ike-sa-manager: Make sure the message ID of initial messages is 0

    It is mandated by the RFCs and it is expected by the task managers.

    Initial messages with invalid MID will be treated like regular messages,
    so no IKE_SA will be created for them. Instead, if the responder SPI is 0
    no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
    If an SPI is set and we do find an SA, then we either ignore the message
    because the MID is unexpected, or because we don't allow initial messages
    on established connections.

    There is one exception, though: if an attacker can slip in an IKE_SA_INIT
    with both SPIs set before the client's IKE_AUTH is handled by the server,
    it does get processed (see next commit).

    References #816.

22 | diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c | |
23 | index d0cbd47..5e2b925 100644 | |
24 | --- a/src/libcharon/sa/ike_sa_manager.c | |
25 | +++ b/src/libcharon/sa/ike_sa_manager.c | |
26 | @@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, | |
27 | ||
28 | DBG2(DBG_MGR, "checkout IKE_SA by message"); | |
29 | ||
30 | - if (id->get_responder_spi(id) == 0) | |
31 | + if (id->get_responder_spi(id) == 0 && | |
32 | + message->get_message_id(message) == 0) | |
33 | { | |
34 | if (message->get_major_version(message) == IKEV2_MAJOR_VERSION) | |
35 | { |
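Review bot: the tightened condition `if (id->get_responder_spi(id) == 0 && message->get_message_id(message) == 0)` silently drops an initial message with a non-zero MID onto the regular checkout path, so the only trace an operator gets is the later ALERT_INVALID_IKE_SPI described in the commit message; a DBG1 line just before the check (e.g. "ignoring initial message with non-zero message ID") would let defenders tell a malformed or spoofed IKE_SA_INIT apart from ordinary stale-SPI traffic in the logs. Also, since the commit message itself states that an IKE_SA_INIT with both SPIs set can still be processed before the client's IKE_AUTH is handled and defers that to the next commit, a short code comment above this condition referencing that follow-up would stop readers from assuming the MID check alone closes the window.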