ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAs
authorMartin Willi <martin@revosec.ch>
Thu, 20 Feb 2014 15:08:43 +0000 (16:08 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 14 Apr 2014 11:29:49 +0000 (13:29 +0200)
Prevents a responder peer from tricking us into the established state by starting
IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.

Fixes CVE-2014-2338.

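index ac3be90..a5252ab 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this,
                         case CREATE_CHILD_SA:
                         {       /* FIXME: we should prevent this on mediation connections */
                                 bool notify_found = FALSE, ts_found = FALSE;
+
+                               if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+                                       this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
+                               {
+                                       DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
+                                                "unestablished IKE_SA, rejected");
+                                       return FAILED;
+                               }
+
                                 enumerator = message->create_payload_enumerator(message);
                                 while (enumerator->enumerate(enumerator, &payload))
                                 {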
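Review bot: The guard in the CREATE_CHILD_SA case is a deny-list of two pre-authentication states (IKE_CREATED, IKE_CONNECTING), so any other state in which the IKE_SA is not yet authenticated falls through to the rekey/create handling by default; an allow-list keyed on the states where authentication has completed (IKE_ESTABLISHED plus the post-establishment rekeying/deleting states this code already distinguishes) would fail closed instead. The state is also fetched twice; reading it once, `ike_sa_state_t state = this->ike_sa->get_state(this->ike_sa);`, makes the condition easier to extend and avoids re-evaluating the call. Whether the half-open IKE_SA survives the `return FAILED` is decided by the caller outside this hunk; if it does, the rejection only logs and the unauthenticated peer can keep sending these requests, so it is worth confirming that FAILED tears the SA down here or whether DESTROY_ME is the intended status. process_request starts before and ends after this hunk.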