
IKEv2: Do not attempt to encrypt a reply without established IKE SA

This is #246

Signed-off-by: D. Hugh Redelmeier <hugh@mimosa.com>
letoams committed May 15, 2019
1 parent 539693c commit 7142d2c37d58cf024595a7549f0fb0d3946682f8
Showing with 15 additions and 8 deletions.
  1. +15 −8 programs/pluto/ikev2_send.c
@@ -268,25 +268,32 @@ void send_v2N_spi_response_from_state(struct ike_sa *ike,
enum isakmp_xchg_types exchange_type = md->hdr.isa_xchg;
const char *const exchange_name = enum_short_name(&ikev2_exchange_names, exchange_type);

ipstr_buf b;
libreswan_log("responding to %s message (ID %u) from %s:%u with encrypted notification %s",
exchange_name, md->hdr.isa_msgid,
sensitive_ipstr(&ike->sa.st_remoteaddr, &b),
ike->sa.st_remoteport,
notify_name);

if (!IS_IKE_SA_ESTABLISHED(md->st)) { /* XXX Andrew? how to dig into ike_sa ike ? */
loglog(RC_LOG_SERIOUS, "unable to respond to exchange type %s message with encrypted notification because there is no established IKE SA",
exchange_name);
return;
}
/*
* For encrypted messages, the EXCHANGE TYPE can't be SA_INIT.
* And the IKE SA must have been established
*/
switch (exchange_type) {
case ISAKMP_v2_IKE_SA_INIT:
PEXPECT_LOG("exchange type %s invalid for encrypted notification",
case ISAKMP_v2_IKE_AUTH:
loglog(RC_LOG_SERIOUS, "exchange type %s invalid for encrypted notification",
exchange_name);
return;
default:
break;
}

ipstr_buf b;
libreswan_log("responding to %s message (ID %u) from %s:%u with encrypted notification %s",
exchange_name, md->hdr.isa_msgid,
sensitive_ipstr(&ike->sa.st_remoteaddr, &b),
ike->sa.st_remoteport,
notify_name);

uint8_t buf[MIN_OUTPUT_UDP_SIZE];
pb_stream reply = open_out_pbs("encrypted notification",
buf, sizeof(buf));
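Review bot: The new guard `if (!IS_IKE_SA_ESTABLISHED(md->st))` tests the state attached to the message rather than the IKE SA this function was handed, which the `XXX Andrew?` comment on the same line leaves unresolved. The hunk already reaches that IKE SA's state as `ike->sa` (see `sensitive_ipstr(&ike->sa.st_remoteaddr, &b)`), so the check can be written as `if (!IS_IKE_SA_ESTABLISHED(&ike->sa)) {` and the XXX comment dropped. If md->st can be a Child SA state for some exchanges handled here (presumably so for CREATE_CHILD_SA replies), testing it instead of the IKE SA could either skip a legitimate encrypted reply or attempt one before the IKE SA's keys exist, which is exactly what this commit sets out to prevent. The function send_v2N_spi_response_from_state continues past the end of the hunk.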
