Move initial message dropping to task manager
authorMartin Willi <martin@revosec.ch>
Mon, 25 Feb 2013 10:42:50 +0000 (11:42 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 25 Feb 2013 11:12:19 +0000 (12:12 +0100)
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.

Fixes #295.

src/libcharon/sa/ike_sa.c
src/libcharon/sa/ikev1/task_manager_v1.c
src/libcharon/sa/ikev2/task_manager_v2.c

index 258e562d443c6c2d0b6f1baf555830bbdc5757a3..ea15ff2ca22638c68bd8b5ef18d3c1551e86cc4d 100644 (file)
@@ -1250,24 +1250,6 @@ METHOD(ike_sa_t, process_message, status_t,
        {       /* do not handle messages in passive state */
                return FAILED;
        }
-       switch (message->get_exchange_type(message))
-       {
-               case ID_PROT:
-               case AGGRESSIVE:
-               case IKE_SA_INIT:
-               case IKE_AUTH:
-                       if (this->state != IKE_CREATED &&
-                               this->state != IKE_CONNECTING &&
-                               message->get_first_payload_type(message) != FRAGMENT_V1)
-                       {
-                               DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
-                                        exchange_type_names, message->get_exchange_type(message));
-                               return FAILED;
-                       }
-                       break;
-               default:
-                       break;
-       }
        if (message->get_major_version(message) != this->version)
        {
                DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
index 8a4761d5ccd007e4a39ab7a711e51e9eb0dc9b00..7a84d1cefaa22da07ba25295bab6f6b9d0bf22d4 100644 (file)
@@ -1471,6 +1471,21 @@ METHOD(task_manager_t, process_message, status_t,
                        charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
                        return SUCCESS;
                }
+
+               /* reject Main/Agressive Modes once established */
+               if (msg->get_exchange_type(msg) == ID_PROT ||
+                       msg->get_exchange_type(msg) == AGGRESSIVE)
+               {
+                       if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
+                               this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
+                               msg->get_first_payload_type(msg) != FRAGMENT_V1)
+                       {
+                               DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+                                        exchange_type_names, msg->get_exchange_type(msg));
+                               return FAILED;
+                       }
+               }
+
                if (msg->get_exchange_type(msg) == TRANSACTION &&
                        this->active_tasks->get_count(this->active_tasks))
                {       /* main mode not yet complete, queue XAuth/Mode config tasks */
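Review bot: The `msg->get_first_payload_type(msg) != FRAGMENT_V1` clause in the new block lets an ID_PROT or AGGRESSIVE message through on an established SA whenever its first payload is a fragment, and nothing in the hunk says why that exemption is needed; since an IKEv1 fragment cannot be authenticated before reassembly, this is the one line a later reader will want explained, e.g. `/* fragments are not rejected here: a fragmented, retransmitted final Phase 1 message may still arrive after the SA is established — TODO confirm */`. The comment above the check also misspells Aggressive. Minor style point: `this->ike_sa->get_state(this->ike_sa)` is evaluated twice in one condition; reading it once into a local before the `if` would keep the condition to the two comparisons that matter. The enclosing process_message body starts and ends outside the hunk.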
@@ -2030,4 +2045,3 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 
        return &this->public;
 }
-
index ea0117c5438c94ffec1f2f95108cd79cdbf9b972..29d8d830e5bd7390774055bb77c19461c019d6fc 100644 (file)
@@ -1123,6 +1123,18 @@ METHOD(task_manager_t, process_message, status_t,
        {
                if (mid == this->responding.mid)
                {
+                       /* reject initial messages once established */
+                       if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
+                               msg->get_exchange_type(msg) == IKE_AUTH)
+                       {
+                               if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
+                                       this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+                               {
+                                       DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+                                                exchange_type_names, msg->get_exchange_type(msg));
+                                       return FAILED;
+                               }
+                       }
                        if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
                                this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
                                msg->get_exchange_type(msg) != IKE_SA_INIT)
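Review bot: After the added guard, the condition at the end of the hunk (`state == IKE_CREATED || state == IKE_CONNECTING || exchange_type != IKE_SA_INIT`) can no longer be false: an IKE_SA_INIT request reaching it is either still in IKE_CREATED/IKE_CONNECTING, or it was already rejected with FAILED, and any other exchange type satisfies the third clause. Whatever `else` that `if` has (its body runs past the end of the hunk) is therefore dead code now, and the old condition should be collapsed into its then-branch or folded into the new check so the two tests do not drift apart. The new check also only runs inside the `mid == this->responding.mid` branch, whose start is above the hunk; presumably an IKE_SA_INIT/IKE_AUTH request with any other message ID is handled by the surrounding code, but that is not visible here.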