[ipfire-2.x.git] / src / patches / strongswan-5.2.2-issue-816-dd0ebb.patch

commit dd0ebb54837298c869389d36a0b42eefdb893dd6
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Wed Feb 25 08:30:33 2015 +0100

    ikev2: Only accept initial messages in specific states
    
    The previous code allowed an attacker to slip in an IKE_SA_INIT with
    both SPIs and MID 1 set when an IKE_AUTH would be expected instead.
    
    References #816.

diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index be84e71..540d4dc 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
 	{
 		if (mid == this->responding.mid)
 		{
-			/* reject initial messages once established */
-			if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
-				msg->get_exchange_type(msg) == IKE_AUTH)
+			/* reject initial messages if not received in specific states */
+			if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
+				 this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
+				(msg->get_exchange_type(msg) == IKE_AUTH &&
+				 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
 			{
-				if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
-					this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
-				{
-					DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
-						 exchange_type_names, msg->get_exchange_type(msg));
-					return FAILED;
-				}
+				DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
+					 exchange_type_names, msg->get_exchange_type(msg),
+					 ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
+				return FAILED;
 			}
 			if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
 			{	/* with MOBIKE, we do no implicit updates */
Commit	Line	Data
8d289021 MT	1	commit dd0ebb54837298c869389d36a0b42eefdb893dd6
	2	Author: Tobias Brunner <tobias@strongswan.org>
	3	Date: Wed Feb 25 08:30:33 2015 +0100
	4
	5	ikev2: Only accept initial messages in specific states
	6
	7	The previous code allowed an attacker to slip in an IKE_SA_INIT with
	8	both SPIs and MID 1 set when an IKE_AUTH would be expected instead.
	9
	10	References #816.
	11
	12	diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
	13	index be84e71..540d4dc 100644
	14	--- a/src/libcharon/sa/ikev2/task_manager_v2.c
	15	+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
	16	@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
	17	{
	18	if (mid == this->responding.mid)
	19	{
	20	- /* reject initial messages once established */
	21	- if (msg->get_exchange_type(msg) == IKE_SA_INIT \|\|
	22	- msg->get_exchange_type(msg) == IKE_AUTH)
	23	+ /* reject initial messages if not received in specific states */
	24	+ if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
	25	+ this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) \|\|
	26	+ (msg->get_exchange_type(msg) == IKE_AUTH &&
	27	+ this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
	28	{
	29	- if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
	30	- this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
	31	- {
	32	- DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
	33	- exchange_type_names, msg->get_exchange_type(msg));
	34	- return FAILED;
	35	- }
	36	+ DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
	37	+ exchange_type_names, msg->get_exchange_type(msg),
	38	+ ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
	39	+ return FAILED;
	40	}
	41	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
	42	{ /* with MOBIKE, we do no implicit updates */