strongswan: Update solution for strongswan bug #816
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 4 Mar 2015 22:54:10 +0000 (23:54 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 4 Mar 2015 22:54:10 +0000 (23:54 +0100)
lfs/strongswan
make.sh
src/patches/strongswan-5.2.2-issue-816-650a3ad.patch [new file with mode: 0644]
src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch [new file with mode: 0644]
src/patches/strongswan-5.2.2-issue-816-eb25190.patch [new file with mode: 0644]
src/patches/strongswan-5.2.2-issue-816.patch [deleted file]

index ff97ab88574427d34d8adf6dd90590a49f2ca907..43995b5a118d7b4d00e9737e8a595a9fe87a9ddb 100644 (file)
@@ -79,8 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
-       cd $(DIR_APP) && patch -Np1 --ignore-whitespace \
-               -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-eb25190.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch
 
        cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh
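Review bot: The order of the three new `patch` lines carries a dependency that nothing in the recipe records: the dd0ebb patch further down this commit is generated against task_manager_v2.c at blob be84e71 (`index be84e71..540d4dc`), which is the blob eb25190 produces (`index 48266aa..be84e71`), and both upstream messages describe the series as "the next commit". The hunks do not overlap, so `patch` may still apply them out of order with an offset, but the intended sequence should be stated so a later reorder is not made blindly. A make comment on the rule would do, e.g. `# issue-816 fixes are an upstream series; keep order eb25190 -> 650a3ad -> dd0ebb (dd0ebb is diffed on top of eb25190's task_manager_v2.c)`. The `$(TARGET)` rule starts before this hunk.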
diff --git a/make.sh b/make.sh
index 386403e76d41a79adcce080dc96716b85c334146..9309ddaa257b32de8f1acbc80f34bc822d3a1620 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -649,7 +649,7 @@ buildipfire() {
   ipfiremake libevent2
   ipfiremake portmap
   ipfiremake nfs
-  ipfiremake nmap
+  #ipfiremake nmap
   ipfiremake ncftp
   ipfiremake etherwake
   ipfiremake bwm-ng
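Review bot: Disabling the nmap build with a bare `#ipfiremake nmap` is unrelated to the strongswan #816 change named in the commit title, and neither the title nor the hunk records why nmap is dropped or whether this is temporary. This belongs in its own commit with the reason in the message; failing that, the line needs a comment, e.g. `# nmap: build disabled — <reason: TODO fill in>; re-enable once resolved` placed above `#ipfiremake nmap`. Removing a package from `buildipfire()` also removes it from the resulting image, so an undocumented disable reads as an accidental regression to anyone bisecting later. The `buildipfire()` function starts before this hunk.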
diff --git a/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch b/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
new file mode 100644 (file)
index 0000000..44b247e
--- /dev/null
@@ -0,0 +1,35 @@
+commit 650a3ad5151958b99a95836fb8b84b8aa18da1be
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Wed Feb 25 08:09:11 2015 +0100
+
+    ike-sa-manager: Make sure the message ID of initial messages is 0
+    
+    It is mandated by the RFCs and it is expected by the task managers.
+    
+    Initial messages with invalid MID will be treated like regular messages,
+    so no IKE_SA will be created for them.  Instead, if the responder SPI is 0
+    no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
+    If an SPI is set and we do find an SA, then we either ignore the message
+    because the MID is unexpected, or because we don't allow initial messages
+    on established connections.
+    
+    There is one exception, though, if an attacker can slip in an IKE_SA_INIT
+    with both SPIs set before the client's IKE_AUTH is handled by the server,
+    it does get processed (see next commit).
+    
+    References #816.
+
+diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
+index d0cbd47..5e2b925 100644
+--- a/src/libcharon/sa/ike_sa_manager.c
++++ b/src/libcharon/sa/ike_sa_manager.c
+@@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
+       DBG2(DBG_MGR, "checkout IKE_SA by message");
+-      if (id->get_responder_spi(id) == 0)
++      if (id->get_responder_spi(id) == 0 &&
++              message->get_message_id(message) == 0)
+       {
+               if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
+               {
diff --git a/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch b/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch
new file mode 100644 (file)
index 0000000..4d76e7c
--- /dev/null
@@ -0,0 +1,42 @@
+commit dd0ebb54837298c869389d36a0b42eefdb893dd6
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Wed Feb 25 08:30:33 2015 +0100
+
+    ikev2: Only accept initial messages in specific states
+    
+    The previous code allowed an attacker to slip in an IKE_SA_INIT with
+    both SPIs and MID 1 set when an IKE_AUTH would be expected instead.
+    
+    References #816.
+
+diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
+index be84e71..540d4dc 100644
+--- a/src/libcharon/sa/ikev2/task_manager_v2.c
++++ b/src/libcharon/sa/ikev2/task_manager_v2.c
+@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
+       {
+               if (mid == this->responding.mid)
+               {
+-                      /* reject initial messages once established */
+-                      if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
+-                              msg->get_exchange_type(msg) == IKE_AUTH)
++                      /* reject initial messages if not received in specific states */
++                      if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
++                               this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
++                              (msg->get_exchange_type(msg) == IKE_AUTH &&
++                               this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
+                       {
+-                              if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
+-                                      this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+-                              {
+-                                      DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+-                                               exchange_type_names, msg->get_exchange_type(msg));
+-                                      return FAILED;
+-                              }
++                              DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
++                                       exchange_type_names, msg->get_exchange_type(msg),
++                                       ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
++                              return FAILED;
+                       }
+                       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+                       {       /* with MOBIKE, we do no implicit updates */
diff --git a/src/patches/strongswan-5.2.2-issue-816-eb25190.patch b/src/patches/strongswan-5.2.2-issue-816-eb25190.patch
new file mode 100644 (file)
index 0000000..8dcb32b
--- /dev/null
@@ -0,0 +1,31 @@
+commit eb251906298b529fa53b8a99746a9a7a9f318dd5
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Wed Feb 25 08:18:58 2015 +0100
+
+    ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received
+    
+    This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request
+    does not have message ID 0") because it allowed to close any IKE_SA by
+    sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those
+    of that SA.
+    
+    The next commit will prevent SAs from getting created for IKE_SA_INIT messages
+    with invalid MID.
+    
+    Fixes #816.
+
+diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
+index 48266aa..be84e71 100644
+--- a/src/libcharon/sa/ikev2/task_manager_v2.c
++++ b/src/libcharon/sa/ikev2/task_manager_v2.c
+@@ -1355,10 +1355,6 @@ METHOD(task_manager_t, process_message, status_t,
+               {
+                       DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
+                                mid, this->responding.mid);
+-                      if (msg->get_exchange_type(msg) == IKE_SA_INIT)
+-                      {       /* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
+-                              return DESTROY_ME;
+-                      }
+               }
+       }
+       else
diff --git a/src/patches/strongswan-5.2.2-issue-816.patch b/src/patches/strongswan-5.2.2-issue-816.patch
deleted file mode 100644 (file)
index d9dfc8a..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/t
-index e9a677a655e4..69118abe78df 100644
---- a/src/libcharon/sa/ikev2/task_manager_v2.c
-+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
-@@ -1339,7 +1339,7 @@ METHOD(task_manager_t, process_message, status_t,
-        {
-            DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
-                 mid, this->responding.mid);
--           if (msg->get_exchange_type(msg) == IKE_SA_INIT)
-+           if (mid != 0 && msg->get_exchange_type(msg) == IKE_SA_INIT)
-            {   /* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
-                return DESTROY_ME;
-            }