
IKEv1: packet retransmit fixes for Main/Aggr/Xauth modes

- Do not schedule retransmits for inI1outR1 packets (prevent DDoS)
- Do schedule retransmits for XAUTH packets
letoams committed Mar 27, 2016
1 parent d321373 commit 152d6d95632d8b9477c170f1de99bcd86d7fb1d6
Showing with 4 additions and 4 deletions.
  1. +4 −4 programs/pluto/ikev1.c
@@ -245,7 +245,7 @@ static const struct state_microcode v1_state_microcode_table[] = {
{ STATE_MAIN_R0, STATE_MAIN_R1,
SMF_ALL_AUTH | SMF_REPLY,
P(SA), P(VID) | P(CR), PT(NONE),
EVENT_v1_RETRANSMIT, main_inI1_outR1 },
EVENT_NULL, main_inI1_outR1 },

/* STATE_MAIN_I1: R1 --> I2
* HDR, SA --> auth dependent
@@ -394,7 +394,7 @@ static const struct state_microcode v1_state_microcode_table[] = {
{ STATE_AGGR_R0, STATE_AGGR_R1,
SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY,
P(SA) | P(KE) | P(NONCE) | P(ID), P(VID) | P(NATD_RFC), PT(NONE),
EVENT_v1_RETRANSMIT, aggr_inI1_outR1 },
EVENT_NULL, aggr_inI1_outR1 },

/* STATE_AGGR_I1:
* SMF_PSK_AUTH: HDR, SA, KE, Nr, IDir, HASH_R
@@ -571,12 +571,12 @@ static const struct state_microcode v1_state_microcode_table[] = {
{ STATE_XAUTH_I0, STATE_XAUTH_I1,
SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2,
P(MCFG_ATTR) | P(HASH), P(VID), PT(HASH),
EVENT_SA_REPLACE, xauth_inI0 },
EVENT_v1_RETRANSMIT, xauth_inI0 },

{ STATE_XAUTH_I1, STATE_MAIN_I4,
SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2,
P(MCFG_ATTR) | P(HASH), P(VID), PT(HASH),
EVENT_SA_REPLACE, xauth_inI1 },
EVENT_v1_RETRANSMIT, xauth_inI1 },

#undef P
#undef PT
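Review bot: The STATE_MAIN_R0 → STATE_MAIN_R1 entry (and the STATE_AGGR_R0 → STATE_AGGR_R1 entry in the second hunk) now leaves the new responder state with EVENT_NULL, so if EVENT_NULL really means no timer is armed, nothing visible here reaps a half-open R1 state whose peer never sends the next message; the retransmit amplification is closed, but a flood of unauthenticated I1s can still accumulate responder state until something else displaces it. Arming a short expiry/discard event on the new state instead of no event at all (if the timer enumeration in this tree has such an event) would keep the anti-amplification intent while bounding the lifetime of the half-open state. A comment above each changed entry, e.g. `/* EVENT_NULL on purpose: never retransmit R1, an unauthenticated I1 must not make us send more than one reply */`, would stop a later reader from restoring EVENT_v1_RETRANSMIT. In the third hunk the STATE_XAUTH_I1 → STATE_MAIN_I4 entry now arms a retransmit on the established-SA state, so it is worth confirming that xauth_inI1 itself reschedules the SA-replace event it previously got from the table; otherwise the ISAKMP SA's replace timer is lost. The table v1_state_microcode_table starts and ends outside these hunks.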
