diff options
Diffstat (limited to 'src/Cedar/IPsec_IKE.c')
| -rw-r--r-- | src/Cedar/IPsec_IKE.c | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/src/Cedar/IPsec_IKE.c b/src/Cedar/IPsec_IKE.c index 902678a6..b458aa48 100644 --- a/src/Cedar/IPsec_IKE.c +++ b/src/Cedar/IPsec_IKE.c @@ -159,6 +159,55 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p) }
}
+IKE_INFOMSG_QUOTA_ENTRY *IkeInfoMsgQuotaGetEntry(IKE_SERVER *ike, IP *client_ip)
+{
+ UINT i;
+ IKE_INFOMSG_QUOTA_ENTRY *new_entry = NULL;
+ if (ike == NULL || client_ip == NULL)
+ {
+ return NULL;
+ }
+
+ for (i = 0;i < LIST_NUM(ike->InfoMsgQuotaList);i++)
+ {
+ IKE_INFOMSG_QUOTA_ENTRY *q = LIST_DATA(ike->InfoMsgQuotaList, i);
+
+ if (CmpIpAddr(&q->ClientIp, client_ip) == 0)
+ {
+ return q;
+ }
+ }
+
+ if (LIST_NUM(ike->InfoMsgQuotaList) >= IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT)
+ {
+ return NULL;
+ }
+
+ new_entry = ZeroMalloc(sizeof(IKE_INFOMSG_QUOTA_ENTRY));
+ CopyIP(&new_entry->ClientIp, client_ip);
+ Add(ike->InfoMsgQuotaList, new_entry);
+
+ return new_entry;
+}
+
+void IkeInfoMsgQuotaDeleteAll(IKE_SERVER *ike)
+{
+ UINT i;
+ if (ike == NULL)
+ {
+ return;
+ }
+
+ for (i = 0;i < LIST_NUM(ike->InfoMsgQuotaList);i++)
+ {
+ IKE_INFOMSG_QUOTA_ENTRY *q = LIST_DATA(ike->InfoMsgQuotaList, i);
+
+ Free(q);
+ }
+
+ DeleteAll(ike->InfoMsgQuotaList);
+}
+
// Send a packet via IPsec
void IPsecSendPacketByIPsecSa(IKE_SERVER *ike, IPSECSA *sa, UCHAR *data, UINT data_size, UCHAR protocol_id)
{
@@ -1337,6 +1386,7 @@ void SendInformationalExchangePacketEx(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKE BUF *tmp_buf;
UCHAR hash[IKE_MAX_HASH_SIZE];
IKE_CRYPTO_PARAM cp;
+ IKE_INFOMSG_QUOTA_ENTRY *quota_entry;
bool plain = false;
// Validate arguments
if (ike == NULL || c == NULL || payload == NULL)
@@ -1345,6 +1395,20 @@ void SendInformationalExchangePacketEx(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKE return;
}
+ quota_entry = IkeInfoMsgQuotaGetEntry(ike, &c->ClientIP);
+ if (quota_entry == NULL)
+ {
+ IkeFreePayload(payload);
+ return;
+ }
+
+ quota_entry->Count++;
+ if (quota_entry->Count >= IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC)
+ {
+ IkeFreePayload(payload);
+ return;
+ }
+
sa = c->CurrentIkeSa;
if (sa == NULL)
{
@@ -5940,6 +6004,15 @@ void FreeIKEServer(IKE_SERVER *ike) FreeIkeEngine(ike->Engine);
+ for (i = 0;i < LIST_NUM(ike->InfoMsgQuotaList);i++)
+ {
+ IKE_INFOMSG_QUOTA_ENTRY *q = LIST_DATA(ike->InfoMsgQuotaList, i);
+
+ Free(q);
+ }
+
+ ReleaseList(ike->InfoMsgQuotaList);
+
Debug("FreeThreadList()...\n");
FreeThreadList(ike->ThreadList);
Debug("FreeThreadList() Done.\n");
@@ -5974,6 +6047,8 @@ IKE_SERVER *NewIKEServer(CEDAR *cedar, IPSEC_SERVER *ipsec) ike->ClientList = NewList(CmpIkeClient);
+ ike->InfoMsgQuotaList = NewList(NULL);
+
ike->Engine = NewIkeEngine();
ike->ThreadList = NewThreadList();
|