mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-10 02:55:55 +02:00
strongswan: Update to 5.3.0
Enable support for CCM and CTR
This commit is contained in:
Michael Tremer
@@ -1,35 +0,0 @@
|
||||
commit 650a3ad5151958b99a95836fb8b84b8aa18da1be
|
||||
Author: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Wed Feb 25 08:09:11 2015 +0100
|
||||
|
||||
ike-sa-manager: Make sure the message ID of initial messages is 0
|
||||
|
||||
It is mandated by the RFCs and it is expected by the task managers.
|
||||
|
||||
Initial messages with invalid MID will be treated like regular messages,
|
||||
so no IKE_SA will be created for them. Instead, if the responder SPI is 0
|
||||
no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
|
||||
If an SPI is set and we do find an SA, then we either ignore the message
|
||||
because the MID is unexpected, or because we don't allow initial messages
|
||||
on established connections.
|
||||
|
||||
There is one exception, though, if an attacker can slip in an IKE_SA_INIT
|
||||
with both SPIs set before the client's IKE_AUTH is handled by the server,
|
||||
it does get processed (see next commit).
|
||||
|
||||
References #816.
|
||||
|
||||
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
|
||||
index d0cbd47..5e2b925 100644
|
||||
--- a/src/libcharon/sa/ike_sa_manager.c
|
||||
+++ b/src/libcharon/sa/ike_sa_manager.c
|
||||
@@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
|
||||
|
||||
DBG2(DBG_MGR, "checkout IKE_SA by message");
|
||||
|
||||
- if (id->get_responder_spi(id) == 0)
|
||||
+ if (id->get_responder_spi(id) == 0 &&
|
||||
+ message->get_message_id(message) == 0)
|
||||
{
|
||||
if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
|
||||
{
|
||||
@@ -1,42 +0,0 @@
|
||||
commit dd0ebb54837298c869389d36a0b42eefdb893dd6
|
||||
Author: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Wed Feb 25 08:30:33 2015 +0100
|
||||
|
||||
ikev2: Only accept initial messages in specific states
|
||||
|
||||
The previous code allowed an attacker to slip in an IKE_SA_INIT with
|
||||
both SPIs and MID 1 set when an IKE_AUTH would be expected instead.
|
||||
|
||||
References #816.
|
||||
|
||||
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
|
||||
index be84e71..540d4dc 100644
|
||||
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
|
||||
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
|
||||
@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
|
||||
{
|
||||
if (mid == this->responding.mid)
|
||||
{
|
||||
- /* reject initial messages once established */
|
||||
- if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
|
||||
- msg->get_exchange_type(msg) == IKE_AUTH)
|
||||
+ /* reject initial messages if not received in specific states */
|
||||
+ if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
|
||||
+ this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
|
||||
+ (msg->get_exchange_type(msg) == IKE_AUTH &&
|
||||
+ this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
|
||||
{
|
||||
- if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
|
||||
- this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
|
||||
- {
|
||||
- DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
|
||||
- exchange_type_names, msg->get_exchange_type(msg));
|
||||
- return FAILED;
|
||||
- }
|
||||
+ DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
|
||||
+ exchange_type_names, msg->get_exchange_type(msg),
|
||||
+ ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
|
||||
+ return FAILED;
|
||||
}
|
||||
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
|
||||
{ /* with MOBIKE, we do no implicit updates */
|
||||
@@ -1,31 +0,0 @@
|
||||
commit eb251906298b529fa53b8a99746a9a7a9f318dd5
|
||||
Author: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Wed Feb 25 08:18:58 2015 +0100
|
||||
|
||||
ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received
|
||||
|
||||
This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request
|
||||
does not have message ID 0") because it allowed to close any IKE_SA by
|
||||
sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those
|
||||
of that SA.
|
||||
|
||||
The next commit will prevent SAs from getting created for IKE_SA_INIT messages
|
||||
with invalid MID.
|
||||
|
||||
Fixes #816.
|
||||
|
||||
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
|
||||
index 48266aa..be84e71 100644
|
||||
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
|
||||
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
|
||||
@@ -1355,10 +1355,6 @@ METHOD(task_manager_t, process_message, status_t,
|
||||
{
|
||||
DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
|
||||
mid, this->responding.mid);
|
||||
- if (msg->get_exchange_type(msg) == IKE_SA_INIT)
|
||||
- { /* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
|
||||
- return DESTROY_ME;
|
||||
- }
|
||||
}
|
||||
}
|
||||
else
|
||||
@@ -1,50 +0,0 @@
|
||||
From cd2c30a56ec9bdab8b3923851509f27a4fd6f537 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Tue, 10 Feb 2015 19:03:44 +0100
|
||||
Subject: [PATCH] ikev1: Set protocol ID and SPIs in INITIAL-CONTACT
|
||||
notification payloads
|
||||
|
||||
The payload we sent before is not compliant with RFC 2407 and thus some
|
||||
peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error).
|
||||
|
||||
#819
|
||||
---
|
||||
src/libcharon/sa/ikev1/tasks/main_mode.c | 15 +++++++++++++--
|
||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
|
||||
index 5065e70..3ea4a2a 100644
|
||||
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
|
||||
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
|
||||
@@ -213,6 +213,10 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message,
|
||||
{
|
||||
identification_t *idr;
|
||||
host_t *host;
|
||||
+ notify_payload_t *notify;
|
||||
+ ike_sa_id_t *ike_sa_id;
|
||||
+ u_int64_t spi_i, spi_r;
|
||||
+ chunk_t spi;
|
||||
|
||||
idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
|
||||
if (idr && !idr->contains_wildcards(idr))
|
||||
@@ -224,8 +228,15 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message,
|
||||
if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
|
||||
idi, idr, host->get_family(host)))
|
||||
{
|
||||
- message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1,
|
||||
- chunk_empty);
|
||||
+ notify = notify_payload_create_from_protocol_and_type(
|
||||
+ PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1);
|
||||
+ ike_sa_id = this->ike_sa->get_id(this->ike_sa);
|
||||
+ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
|
||||
+ spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
|
||||
+ spi = chunk_cata("cc", chunk_from_thing(spi_i),
|
||||
+ chunk_from_thing(spi_r));
|
||||
+ notify->set_spi_data(notify, spi);
|
||||
+ message->add_payload(message, (payload_t*)notify);
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
Reference in New Issue
Block a user