1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-23 01:49:53 +03:00

Cedar: add "DisableIPsecAggressiveMode" option

Setting it to "true" mitigates CVE-2002-1623.
This commit is contained in:
Daiyuu Nobori 2019-11-18 06:13:21 +01:00 committed by Davide Beatrici
parent 4acd7ab98e
commit 76c330e74b
3 changed files with 10 additions and 1 deletions

View File

@ -38,7 +38,10 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
break; break;
case IKE_EXCHANGE_TYPE_AGGRESSIVE: // Aggressive mode case IKE_EXCHANGE_TYPE_AGGRESSIVE: // Aggressive mode
if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
{
ProcIkeAggressiveModePacketRecv(ike, p, header); ProcIkeAggressiveModePacketRecv(ike, p, header);
}
break; break;
case IKE_EXCHANGE_TYPE_QUICK: // Quick mode case IKE_EXCHANGE_TYPE_QUICK: // Quick mode

View File

@ -5821,6 +5821,9 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
// Disable the NAT-traversal feature // Disable the NAT-traversal feature
s->DisableNatTraversal = CfgGetBool(f, "DisableNatTraversal"); s->DisableNatTraversal = CfgGetBool(f, "DisableNatTraversal");
// Disable IPsec's aggressive mode
s->DisableIPsecAggressiveMode = CfgGetBool(f, "DisableIPsecAggressiveMode");
if (s->Cedar->Bridge == false) if (s->Cedar->Bridge == false)
{ {
// Enable the VPN-over-ICMP // Enable the VPN-over-ICMP
@ -6237,6 +6240,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
} }
} }
CfgAddBool(f, "DisableIPsecAggressiveMode", s->DisableIPsecAggressiveMode);
CfgAddStr(f, "OpenVPNDefaultClientOption", c->OpenVPNDefaultClientOption); CfgAddStr(f, "OpenVPNDefaultClientOption", c->OpenVPNDefaultClientOption);
CfgAddBool(f, "OpenVPNPushDummyIPv4AddressOnL2Mode", c->OpenVPNPushDummyIPv4AddressOnL2Mode); CfgAddBool(f, "OpenVPNPushDummyIPv4AddressOnL2Mode", c->OpenVPNPushDummyIPv4AddressOnL2Mode);

View File

@ -193,6 +193,7 @@ struct SERVER
bool NoMoreSave; // Do not save any more bool NoMoreSave; // Do not save any more
bool EnableConditionalAccept; // Apply the Conditional Accept the Listener bool EnableConditionalAccept; // Apply the Conditional Accept the Listener
bool EnableLegacySSL; // Enable Legacy SSL bool EnableLegacySSL; // Enable Legacy SSL
bool DisableIPsecAggressiveMode; // Disable IPsec's aggressive mode
volatile bool Halt; // Halting flag volatile bool Halt; // Halting flag
LOCK *lock; // Lock LOCK *lock; // Lock