Commit | Line | Data |
---|---|---|
8d289021 MT |
1 | commit dd0ebb54837298c869389d36a0b42eefdb893dd6 |
2 | Author: Tobias Brunner <tobias@strongswan.org> | |
3 | Date: Wed Feb 25 08:30:33 2015 +0100 | |
4 | ||
5 | ikev2: Only accept initial messages in specific states | |
6 | ||
7 | The previous code allowed an attacker to slip in an IKE_SA_INIT with | |
8 | both SPIs and MID 1 set when an IKE_AUTH would be expected instead. | |
9 | ||
10 | References #816. | |
11 | ||
12 | diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c | |
13 | index be84e71..540d4dc 100644 | |
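--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
 {
 if (mid == this->responding.mid)
 {
- /* reject initial messages once established */
- if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
- msg->get_exchange_type(msg) == IKE_AUTH)
+ /* reject initial messages if not received in specific states */
+ if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
+ this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
+ (msg->get_exchange_type(msg) == IKE_AUTH &&
+ this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
 {
- if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
- this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
- {
- DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
- exchange_type_names, msg->get_exchange_type(msg));
- return FAILED;
- }
+ DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
+ exchange_type_names, msg->get_exchange_type(msg),
+ ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
+ return FAILED;
 }
 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
 { /* with MOBIKE, we do no implicit updates */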
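Review bot: The new condition constrains only IKE_SA_INIT and IKE_AUTH, so any other exchange type that arrives with the expected MID while the SA is still in IKE_CREATED or IKE_CONNECTING passes this check unchanged. Whether later code in process_message rejects those cannot be seen here, because the function starts and ends outside the hunk; it is worth confirming, since the same kind of out-of-sequence injection the commit message describes would apply to them. The exchange type and the SA state are also fetched several times across the condition and the log call; reading each once, `exchange_type_t type = msg->get_exchange_type(msg);` and `ike_sa_state_t state = this->ike_sa->get_state(this->ike_sa);`, would make the allowed pairings easier to audit. The comment could name those pairings outright: `/* IKE_SA_INIT only in IKE_CREATED, IKE_AUTH only in IKE_CONNECTING */`.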