mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-11-23 01:49:53 +03:00
Cedar: add "DisableIPsecAggressiveMode" option
Setting it to "true" mitigates CVE-2002-1623.
This commit is contained in:
parent
4acd7ab98e
commit
76c330e74b
@ -38,7 +38,10 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case IKE_EXCHANGE_TYPE_AGGRESSIVE: // Aggressive mode
|
case IKE_EXCHANGE_TYPE_AGGRESSIVE: // Aggressive mode
|
||||||
|
if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
|
||||||
|
{
|
||||||
ProcIkeAggressiveModePacketRecv(ike, p, header);
|
ProcIkeAggressiveModePacketRecv(ike, p, header);
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case IKE_EXCHANGE_TYPE_QUICK: // Quick mode
|
case IKE_EXCHANGE_TYPE_QUICK: // Quick mode
|
||||||
|
@ -5821,6 +5821,9 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
|
|||||||
// Disable the NAT-traversal feature
|
// Disable the NAT-traversal feature
|
||||||
s->DisableNatTraversal = CfgGetBool(f, "DisableNatTraversal");
|
s->DisableNatTraversal = CfgGetBool(f, "DisableNatTraversal");
|
||||||
|
|
||||||
|
// Disable IPsec's aggressive mode
|
||||||
|
s->DisableIPsecAggressiveMode = CfgGetBool(f, "DisableIPsecAggressiveMode");
|
||||||
|
|
||||||
if (s->Cedar->Bridge == false)
|
if (s->Cedar->Bridge == false)
|
||||||
{
|
{
|
||||||
// Enable the VPN-over-ICMP
|
// Enable the VPN-over-ICMP
|
||||||
@ -6237,6 +6240,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
CfgAddBool(f, "DisableIPsecAggressiveMode", s->DisableIPsecAggressiveMode);
|
||||||
|
|
||||||
CfgAddStr(f, "OpenVPNDefaultClientOption", c->OpenVPNDefaultClientOption);
|
CfgAddStr(f, "OpenVPNDefaultClientOption", c->OpenVPNDefaultClientOption);
|
||||||
|
|
||||||
CfgAddBool(f, "OpenVPNPushDummyIPv4AddressOnL2Mode", c->OpenVPNPushDummyIPv4AddressOnL2Mode);
|
CfgAddBool(f, "OpenVPNPushDummyIPv4AddressOnL2Mode", c->OpenVPNPushDummyIPv4AddressOnL2Mode);
|
||||||
|
@ -193,6 +193,7 @@ struct SERVER
|
|||||||
bool NoMoreSave; // Do not save any more
|
bool NoMoreSave; // Do not save any more
|
||||||
bool EnableConditionalAccept; // Apply the Conditional Accept the Listener
|
bool EnableConditionalAccept; // Apply the Conditional Accept the Listener
|
||||||
bool EnableLegacySSL; // Enable Legacy SSL
|
bool EnableLegacySSL; // Enable Legacy SSL
|
||||||
|
bool DisableIPsecAggressiveMode; // Disable IPsec's aggressive mode
|
||||||
|
|
||||||
volatile bool Halt; // Halting flag
|
volatile bool Halt; // Halting flag
|
||||||
LOCK *lock; // Lock
|
LOCK *lock; // Lock
|
||||||
|
Loading…
Reference in New Issue
Block a user