| From a8b94cc1f7b4f6472fd97251a4476586050a66fc Mon Sep 17 00:00:00 2001 |
| From: Martin Willi <martin@revosec.ch> |
| Date: Thu, 20 Feb 2014 16:08:43 +0100 |
| Subject: [PATCH] ikev2: Reject CREATE_CHILD_SA exchange on unestablished |
| IKE_SAs |
| |
| Prevents a responder peer from tricking us into the established state by starting |
| IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH. |
| --- |
| src/libcharon/sa/ikev2/task_manager_v2.c | 9 +++++++++ |
| 1 file changed, 9 insertions(+) |
| |
| diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c |
| index ac3be90..a5252ab 100644 |
| --- a/src/libcharon/sa/ikev2/task_manager_v2.c |
| +++ b/src/libcharon/sa/ikev2/task_manager_v2.c |
| @@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this, |
| case CREATE_CHILD_SA: |
| { /* FIXME: we should prevent this on mediation connections */ |
| bool notify_found = FALSE, ts_found = FALSE; |
| + |
| + if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED || |
| + this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING) |
| + { |
| + DBG1(DBG_IKE, "received CREATE_CHILD_SA request for " |
| + "unestablished IKE_SA, rejected"); |
| + return FAILED; |
| + } |
| + |
| enumerator = message->create_payload_enumerator(message); |
| while (enumerator->enumerate(enumerator, &payload)) |
| { |
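Review bot: The guard added at the top of the CREATE_CHILD_SA case is a deny-list of the two pre-authentication states (IKE_CREATED, IKE_CONNECTING), so any other ike_sa_state_t value, existing or added later, falls through to rekey processing and fails open for exactly the condition this commit closes. If CREATE_CHILD_SA is only legitimate once the SA is established (IKE_ESTABLISHED, plus IKE_REKEYING for the rekey-collision case; the enum is not visible here, so confirm), inverting it to an allow-list fails closed: `ike_sa_state_t state = this->ike_sa->get_state(this->ike_sa);` / `if (state != IKE_ESTABLISHED && state != IKE_REKEYING)`, which also removes the duplicated get_state() call. If other states must remain accepted, at least document the invariant above the check: `/* CREATE_CHILD_SA is only valid after IKE_AUTH; any state not listed here must be post-authentication */`. What `return FAILED` does to the half-open SA is decided by the caller outside this hunk; since the request comes from an unauthenticated peer, it is worth confirming it tears the SA down rather than leaving it to be retried. process_request starts before and continues past this hunk.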
| -- |
| 1.9.1.423.g4596e3a |
| |