authorTobias Brunner <tobias@strongswan.org>2016-10-04 17:07:30 +0200
committerTobias Brunner <tobias@strongswan.org>2017-02-08 15:10:51 +0100
commitcbb6885e9b86acb1c424da2b54eabc6eeaeffca5 (patch)
tree9ce9cbf7c74f57b1509f60d63af1266d67e134b3 /src/libcharon
parentc3d98d298ec2238a8a76694587fa1f36b5a1e14c (diff)
ikev2: Ignore IKEV2_MESSAGE_ID_SYNC notifies if extension is disabled
If this is the first message by the peer, i.e. we expect MID 0, the message is not pre-processed in the task manager, so we ignore it in the task. We also make sure to ignore such messages if the extension is disabled and the peer already sent us one INFORMATIONAL, e.g. a DPD (we'd otherwise consider the message with MID 0 as a retransmit).
Diffstat (limited to 'src/libcharon')
-rw-r--r--src/libcharon/sa/ikev2/task_manager_v2.c40
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_mid_sync.c7
2 files changed, 37 insertions, 10 deletions
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 778349c08..e4a16faf0 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1398,20 +1398,18 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
}
/**
- * Check if a message with message ID 0 might be used to synchronize the
- * message IDs.
+ * Check if a message with message ID 0 looks like it is used to synchronize
+ * the message IDs.
*/
-static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
+static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg,
+ bool strict)
{
enumerator_t *enumerator;
notify_payload_t *notify;
payload_t *payload;
bool found = FALSE, other = FALSE;
- if (msg->get_exchange_type(msg) == INFORMATIONAL &&
- this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
- this->ike_sa->supports_extension(this->ike_sa,
- EXT_IKE_MESSAGE_ID_SYNC))
+ if (msg->get_exchange_type(msg) == INFORMATIONAL)
{
enumerator = msg->create_payload_enumerator(msg);
while (enumerator->enumerate(enumerator, &payload))
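Review bot: The new `strict` parameter on `looks_like_mid_sync` is not explained by the updated doc comment, which only restates the function's purpose; a reader has to find the `if (strict)` branch in the next hunk to learn that it appears to control whether a payload other than the MESSAGE_ID_SYNC notify disqualifies the message. I'd extend the comment block with `@param strict TRUE to reject messages that carry payloads other than the MESSAGE_ID_SYNC notify, FALSE to tolerate them` and `@return TRUE if the notify was found (and, if strict, nothing else was)`. The function body continues past the end of this hunk.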
@@ -1429,14 +1427,35 @@ static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
break;
}
}
- other = TRUE;
- break;
+ if (strict)
+ {
+ other = TRUE;
+ break;
+ }
}
enumerator->destroy(enumerator);
}
return found && !other;
}
+/**
+ * Check if a message with message ID 0 looks like it is used to synchronize
+ * the message IDs and we are prepared to process it.
+ *
+ * Note: This is not called if the responder never sent a message before (i.e.
+ * we expect MID 0).
+ */
+static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
+{
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
+ this->ike_sa->supports_extension(this->ike_sa,
+ EXT_IKE_MESSAGE_ID_SYNC))
+ {
+ return looks_like_mid_sync(this, msg, TRUE);
+ }
+ return FALSE;
+}
+
METHOD(task_manager_t, process_message, status_t,
private_task_manager_t *this, message_t *msg)
{
@@ -1525,7 +1544,8 @@ METHOD(task_manager_t, process_message, status_t,
}
}
else if ((mid == this->responding.mid - 1) &&
- array_count(this->responding.packets))
+ array_count(this->responding.packets) &&
+ !(mid == 0 && looks_like_mid_sync(this, msg, FALSE)))
{
status = handle_fragment(this, &this->responding.defrag, msg);
if (status != SUCCESS)
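Review bot: The added `!(mid == 0 && looks_like_mid_sync(this, msg, FALSE))` term in the `else if` carries no comment, and its reason is only in the commit message: a peer that already sent one INFORMATIONAL with MID 0 and then sends a MESSAGE_ID_SYNC notify, also with MID 0, would otherwise match the retransmit condition and get the cached response replayed. I'd put that above the `else if`, e.g. `/* a MID 0 message carrying a MESSAGE_ID_SYNC notify is not a retransmit of the peer's first INFORMATIONAL, even if the extension is disabled */`. With `strict` FALSE the message is diverted from the retransmit path even when it carries other payloads besides the notify, which seems intended but is worth stating in that comment. `process_message` starts before this hunk.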
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
index d7de11303..24cf276f4 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
@@ -112,6 +112,13 @@ METHOD(task_t, pre_process, status_t,
* unexpected message ID */
return SUCCESS;
}
+ if (!this->ike_sa->supports_extension(this->ike_sa,
+ EXT_IKE_MESSAGE_ID_SYNC))
+ {
+ DBG1(DBG_ENC, "unexpected %N notify, ignored", notify_type_names,
+ IKEV2_MESSAGE_ID_SYNC);
+ return FAILED;
+ }
notify = message->get_notify(message, IKEV2_MESSAGE_ID_SYNC);
reader = bio_reader_create(notify->get_notification_data(notify));
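Review bot: The new DBG1 in `pre_process` logs the notify as "ignored" while the branch returns FAILED, and it does not say why it was ignored, so an operator reading the log cannot tell a peer sending the notify without having negotiated the extension apart from other unexpected-notify cases. I'd name the cause in the message, `DBG1(DBG_ENC, "received %N notify but extension is disabled, ignored", notify_type_names, IKEV2_MESSAGE_ID_SYNC);`, and add `/* peer sent a MID sync notify although the extension was not negotiated */` above the check. Whether returning FAILED here drops the message silently or triggers a response depends on how the caller treats pre_process results, which is outside this hunk; `pre_process` itself starts before the hunk.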