From 76c330e74b4a1e03df6d608db297b0201b0d76d4 Mon Sep 17 00:00:00 2001
From: Daiyuu Nobori
Date: Mon, 18 Nov 2019 06:13:21 +0100
Subject: [PATCH] Cedar: add "DisableIPsecAggressiveMode" option

Setting it to "true" mitigates CVE-2002-1623.
---
 src/Cedar/Proto_IKE.c | 5 ++++-
 src/Cedar/Server.c | 5 +++++
 src/Cedar/Server.h | 1 +
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/Cedar/Proto_IKE.c b/src/Cedar/Proto_IKE.c
index 94d53771..a5faa34d 100644
--- a/src/Cedar/Proto_IKE.c
+++ b/src/Cedar/Proto_IKE.c
@@ -38,7 +38,10 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 break;
 case IKE_EXCHANGE_TYPE_AGGRESSIVE: // Aggressive mode
- ProcIkeAggressiveModePacketRecv(ike, p, header);
+ if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
+ {
+ ProcIkeAggressiveModePacketRecv(ike, p, header);
+ }
 break;
 case IKE_EXCHANGE_TYPE_QUICK: // Quick mode
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index b47927b5..68f000cf 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -5821,6 +5821,9 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 // Disable the NAT-traversal feature
 s->DisableNatTraversal = CfgGetBool(f, "DisableNatTraversal");
+ // Disable IPsec's aggressive mode
+ s->DisableIPsecAggressiveMode = CfgGetBool(f, "DisableIPsecAggressiveMode");
+
 if (s->Cedar->Bridge == false)
 {
 // Enable the VPN-over-ICMP
@@ -6237,6 +6240,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 }
 }
+ CfgAddBool(f, "DisableIPsecAggressiveMode", s->DisableIPsecAggressiveMode);
+
 CfgAddStr(f, "OpenVPNDefaultClientOption", c->OpenVPNDefaultClientOption);
 CfgAddBool(f, "OpenVPNPushDummyIPv4AddressOnL2Mode", c->OpenVPNPushDummyIPv4AddressOnL2Mode);
diff --git a/src/Cedar/Server.h b/src/Cedar/Server.h
index eaaac853..2c0cdba1 100644
--- a/src/Cedar/Server.h
+++ b/src/Cedar/Server.h
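Review bot: When DisableIPsecAggressiveMode is set, the new branch in ProcIKEPacketRecv drops the aggressive-mode exchange without leaving any trace, so an operator who enabled the option and then sees clients failing to connect — or who wants to know that a peer is still attempting the exchange that CVE-2002-1623 concerns — has nothing in the logs to go on. An `else` branch that records the rejected exchange keeps the mitigation observable, e.g. `else { Debug("IKE: aggressive-mode exchange dropped because DisableIPsecAggressiveMode is set\n"); }`, using whichever logging helper the IKE code already relies on. The chain `ike->Cedar->Server` presumably holds whenever the IKE server runs inside a SERVER; if an IKE_SERVER can exist without one, the pointer should be confirmed before the flag is read. ProcIKEPacketRecv starts and ends outside the hunk, so the handling of `header` after the switch is not visible here.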
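Review bot: The option is read in SiLoadServerCfg right after DisableNatTraversal but written back in SiWriteServerCfg among the OpenVPN settings (the second Server.c hunk, `@@ -6237,6 +6240,8 @@`), which separates the load and save sides of the same key and makes the pair easy to miss when options are later added or removed; placing the `CfgAddBool` next to where DisableNatTraversal is saved (not visible in the hunk) would keep both paths in the same order. Since CfgGetBool presumably yields false for an absent key, an upgraded installation keeps aggressive mode enabled until the operator sets the key, which is a reasonable compatibility default but worth stating where the value is read: `// Disable IPsec's aggressive mode (off by default; set to true to mitigate CVE-2002-1623)`. Both SiLoadServerCfg and SiWriteServerCfg continue outside their hunks.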
@@ -193,6 +193,7 @@ struct SERVER
 bool NoMoreSave; // Do not save any more
 bool EnableConditionalAccept; // Apply the Conditional Accept the Listener
 bool EnableLegacySSL; // Enable Legacy SSL
+ bool DisableIPsecAggressiveMode; // Disable IPsec's aggressive mode
 volatile bool Halt; // Halting flag
 LOCK *lock; // Lock
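Review bot: The field comment `// Disable IPsec's aggressive mode` says what the flag does but not why it exists or where it takes effect, and the commit message is currently the only place the security motivation is recorded. Suggest `// Disable IPsec's aggressive mode: ProcIKEPacketRecv drops the exchange when set (mitigates CVE-2002-1623)` so a reader of the struct sees both the consumer of the flag and the reason to set it. struct SERVER continues outside the hunk.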