authorTobias Brunner <tobias@strongswan.org>2015-08-19 16:47:45 +0200
committerTobias Brunner <tobias@strongswan.org>2015-08-20 16:58:09 +0200
commit5fee79d854dbae9fdd3178d07102487c53baf72f (patch)
treeb11af26590e6775de769e69ae68da3215bb6351f
parent47a340e1f7fb2f6e05d7ca350969c4b4e0680cdf (diff)
ikev2: Compare initiator flag again, partially reverts 17ec1c74de
We should ignore messages that have the flag set incorrectly. This restores RFC compliance, which had been broken since the mentioned commit.
-rw-r--r--src/libcharon/sa/ike_sa_id.c4
-rw-r--r--src/libcharon/sa/ike_sa_manager.c2
2 files changed, 5 insertions, 1 deletions
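diff --git a/src/libcharon/sa/ike_sa_id.c b/src/libcharon/sa/ike_sa_id.c
index 0f0f1ab63..e52086483 100644
--- a/src/libcharon/sa/ike_sa_id.c
+++ b/src/libcharon/sa/ike_sa_id.c
@@ -18,7 +18,7 @@
 #include "ike_sa_id.h"
 #include <stdio.h>
-
+#include <encoding/payloads/ike_header.h>
 typedef struct private_ike_sa_id_t private_ike_sa_id_t;
@@ -90,6 +90,8 @@ METHOD(ike_sa_id_t, equals, bool,
 return FALSE;
 }
 return this->ike_version == other->ike_version &&
+ (this->ike_version == IKEV1_MAJOR_VERSION ||
+ this->is_initiator_flag == other->is_initiator_flag) &&
 this->initiator_spi == other->initiator_spi &&
 this->responder_spi == other->responder_spi;
 }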
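Review bot: The IKEv1 exemption in the added condition of `equals` deserves a comment, because the code alone does not say why `is_initiator_flag` is compared only for IKEv2; presumably the flag has no counterpart in an IKEv1 header, so two IKEv1 ids that differ only in that field must still compare equal. I would add `/* the initiator flag is only meaningful for IKEv2 */` directly above the `(this->ike_version == IKEV1_MAJOR_VERSION ||` line. The body of the `equals` method begins outside the hunk. The same exemption is repeated in entry_match_by_id in ike_sa_manager.c and would benefit from the same comment, since the two checks must stay in agreement.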
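diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 987260d0d..3e6496da5 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -157,6 +157,8 @@ static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
 }
 if ((id->get_responder_spi(id) == 0 ||
 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
+ (id->get_ike_version(id) == IKEV1_MAJOR_VERSION ||
+ id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id)) &&
 id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id))
 {
 /* this is TRUE for IKE_SAs that we initiated but have not yet received a response */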
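Review bot: The version guard in the added condition reads only `id->get_ike_version(id)` and never the entry's version, so the flag comparison is skipped whenever the incoming id is IKEv1 regardless of what the entry is; if entry_match_by_id does not already compare the two versions before this point (its opening and earlier lines are outside the hunk), an IKEv1 id could still match an IKEv2 entry on the initiator SPI alone. If the versions are checked earlier, a comment such as `/* versions already match here; the initiator flag is only meaningful for IKEv2 */` above the added lines would make that dependency explicit. On style, the second added line is noticeably longer than its neighbours; breaking before `entry->ike_sa_id->is_initiator(entry->ike_sa_id)` would keep it in line with the surrounding wrapping.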