From a8b94cc1f7b4f6472fd97251a4476586050a66fc Mon Sep 17 00:00:00 2001
From: Martin Willi <martin@revosec.ch>
Date: Thu, 20 Feb 2014 16:08:43 +0100
Subject: [PATCH] ikev2: Reject CREATE_CHILD_SA exchange on unestablished
IKE_SAs
Prevents a responder peer from tricking us into the established state by starting
IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.
---
src/libcharon/sa/ikev2/task_manager_v2.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index ac3be90..a5252ab 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this,
case CREATE_CHILD_SA:
{ /* FIXME: we should prevent this on mediation connections */
bool notify_found = FALSE, ts_found = FALSE;
+
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+ this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
+ {
+ DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
+ "unestablished IKE_SA, rejected");
+ return FAILED;
+ }
+
enumerator = message->create_payload_enumerator(message);
while (enumerator->enumerate(enumerator, &payload))
{
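Review bot: The new guard at the top of the CREATE_CHILD_SA case is a denylist of two states (IKE_CREATED, IKE_CONNECTING), so any other state in which the IKE_SA has not completed IKE_AUTH, or one added to the state enum later, would still reach payload processing. For an authentication gate an allowlist is the safer shape: read the state once, `ike_sa_state_t state = this->ike_sa->get_state(this->ike_sa);`, and reject unless the exchange is expected, e.g. `if (state != IKE_ESTABLISHED && state != IKE_REKEYING)`. The exact accepted set needs confirming against the rekey and delete collision handling, which is not visible here. A one-line comment above the check, such as `/* CREATE_CHILD_SA is only valid once IKE_AUTH has authenticated the peer */`, would keep the reason next to the code. The case body and process_request continue outside the hunk.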
--
1.9.1.423.g4596e3a