Reject initial exchange messages early once IKE_SA is established

author: Martin Willi <martin@revosec.ch> 2012-08-02 12:50:31 +0200
committer: Martin Willi <martin@revosec.ch> 2012-08-02 13:04:54 +0200
commit: 394b9f6b659285ca304c432d480c95bdea552b32 (patch)
tree: bcd14393a6e8755b08d3c997927caea29c842787 /src/libcharon/sa/ike_sa.c
parent: 804d702b0a970d1a16ef9c8aa09c4e64265d75ed (diff)
download: strongswan-394b9f6b659285ca304c432d480c95bdea552b32.tar.bz2
strongswan-394b9f6b659285ca304c432d480c95bdea552b32.tar.xz
1 files changed, 18 insertions, 0 deletions
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index a13a7a3b6..7f5acccc0 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1205,6 +1205,24 @@ METHOD(ike_sa_t, process_message, status_t,
 	{	/* do not handle messages in passive state */
 		return FAILED;
 	}
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+		case AGGRESSIVE:
+		case TRANSACTION:
+		case IKE_SA_INIT:
+		case IKE_AUTH:
+			if (this->state != IKE_CREATED &&
+				this->state != IKE_CONNECTING)
+			{
+				DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+					 exchange_type_names, message->get_exchange_type(message));
+				return FAILED;
+			}
+			break;
+		default:
+			break;
+	}
 	if (message->get_major_version(message) != this->version)
 	{
 		DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
author	Martin Willi <martin@revosec.ch>	2012-08-02 12:50:31 +0200
committer	Martin Willi <martin@revosec.ch>	2012-08-02 13:04:54 +0200
commit	394b9f6b659285ca304c432d480c95bdea552b32 (patch)
tree	bcd14393a6e8755b08d3c997927caea29c842787 /src/libcharon/sa/ike_sa.c
parent	804d702b0a970d1a16ef9c8aa09c4e64265d75ed (diff)
download	strongswan-394b9f6b659285ca304c432d480c95bdea552b32.tar.bz2 strongswan-394b9f6b659285ca304c432d480c95bdea552b32.tar.xz