tor: update to 0.2.6.9
1 commit dd0ebb54837298c869389d36a0b42eefdb893dd6
2 Author: Tobias Brunner <tobias@strongswan.org>
3 Date: Wed Feb 25 08:30:33 2015 +0100
4
5 ikev2: Only accept initial messages in specific states
6
7 The previous code allowed an attacker to slip in an IKE_SA_INIT with
8 both SPIs and MID 1 set when an IKE_AUTH would be expected instead.
9
10 References #816.
11
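--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
 {
 if (mid == this->responding.mid)
 {
- /* reject initial messages once established */
- if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
- msg->get_exchange_type(msg) == IKE_AUTH)
+ /* reject initial messages if not received in specific states */
+ if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
+ this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
+ (msg->get_exchange_type(msg) == IKE_AUTH &&
+ this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
 {
- if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
- this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
- {
- DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
- exchange_type_names, msg->get_exchange_type(msg));
- return FAILED;
- }
+ DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
+ exchange_type_names, msg->get_exchange_type(msg),
+ ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
+ return FAILED;
 }
 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
 { /* with MOBIKE, we do no implicit updates */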
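Review bot: The new guard only ties IKE_SA_INIT to IKE_CREATED and IKE_AUTH to IKE_CONNECTING; nothing in this hunk shows that other exchange types are refused while the SA is still in one of those two states, so that is worth confirming in the rest of process_message, whose body starts and ends outside the hunk. As a style point, the condition and the DBG1 call invoke get_exchange_type() and get_state() several times each; hoisting them once, `exchange_type_t type = msg->get_exchange_type(msg);` and `ike_sa_state_t state = this->ike_sa->get_state(this->ike_sa);`, makes the exchange/state pairing easier to audit and guarantees the log line reports the values that were actually tested. The comment would also help the next reader more if it recorded the reason, e.g. `/* IKE_SA_INIT is only valid in IKE_CREATED and IKE_AUTH only in IKE_CONNECTING; anything else is out of sequence and dropped */`.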