ikev2: Drop IKE_SA_INIT messages that don't have the initiator flag set

While this doesn't really create any problems it is not 100% correct to
accept such messages because, of course, the sender of an IKE_SA_INIT
request is always the original initiator of an IKE_SA.

We currently don't check the flag later, so we wouldn't notice if the
peer doesn't set it in later messages (ike_sa_id_t.equals doesn't
compare it anymore since we added support for IKEv1, in particular since
17ec1c74de).

diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 6902c48478b0aa8cdd1c73d443508dd1720dfa2e..076233260f819cda6aeac1e8bc1c978a4e7d5254 100644 (file)
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -542,7 +542,9 @@ static job_requeue_t receive_packets(private_receiver_t *this)
        if (message->get_request(message) &&
                message->get_exchange_type(message) == IKE_SA_INIT)
        {
-               if (this->initiator_only || drop_ike_sa_init(this, message))
+               id = message->get_ike_sa_id(message);
+               if (this->initiator_only || !id->is_initiator(id) ||
+                       drop_ike_sa_init(this, message))
                {
                        message->destroy(message);
                        return JOB_REQUEUE_DIRECT;