git.ipfire.org Git - ipfire-2.x.git/blob - src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
commit 650a3ad5151958b99a95836fb8b84b8aa18da1be
Author: Tobias Brunner <tobias@strongswan.org>
Date: Wed Feb 25 08:09:11 2015 +0100

ike-sa-manager: Make sure the message ID of initial messages is 0

It is mandated by the RFCs and it is expected by the task managers.

Initial messages with invalid MID will be treated like regular messages,
so no IKE_SA will be created for them. Instead, if the responder SPI is 0
no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
If an SPI is set and we do find an SA, then we either ignore the message
because the MID is unexpected, or because we don't allow initial messages
on established connections.

There is one exception, though, if an attacker can slip in an IKE_SA_INIT
with both SPIs set before the client's IKE_AUTH is handled by the server,
it does get processed (see next commit).

References #816.

22 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
23 index d0cbd47..5e2b925 100644
24 --- a/src/libcharon/sa/ike_sa_manager.c
25 +++ b/src/libcharon/sa/ike_sa_manager.c
26 @@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
27
28 DBG2(DBG_MGR, "checkout IKE_SA by message");
29
30 - if (id->get_responder_spi(id) == 0)
31 + if (id->get_responder_spi(id) == 0 &&
32 + message->get_message_id(message) == 0)
33 {
34 if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
35 {
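Review bot: The added `message->get_message_id(message) == 0` test in `checkout_by_message` sits outside the `IKEV2_MAJOR_VERSION` branch, so it gates the initial-message path for every IKE version that enters this block, and the code itself gives no reason for it. The rationale (a non-zero MID with a zero responder SPI falls through to the regular SA lookup and ends in ALERT_INVALID_IKE_SPI) exists only in the commit message. A short comment above the `if` saying that initial messages must carry message ID 0 and that anything else is deliberately handled as a regular message would keep that intent visible to the next reader. It would also help operators to emit a `DBG_MGR` debug line when the responder SPI is 0 but the message ID is not, since that combination is exactly the malformed input this change is meant to reject and it is otherwise indistinguishable in the logs from an ordinary unknown-SPI message. Finally, the commit message states that an IKE_SA_INIT with both SPIs set can still be processed if it arrives before the client's IKE_AUTH is handled. This condition only covers the zero-responder-SPI case, so the patch should not be carried without the follow-up commit it refers to.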