author | Tobias Brunner <tobias@strongswan.org> | 2014-07-17 17:24:43 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2014-08-25 09:59:43 +0200 |
commit | a45ba880c856be885e3a7accdb164b8842284ca2 (patch) | |
tree | 16b9c377e41256ff3188bae0a0c2e06397e13415 /src/libcharon/plugins/unity/unity_narrow.c | |
parent | cb98380fe9e4c7e9b0fa71519de6e7faa4b484a8 (diff) | |
unity: Handle narrowing according to roles in the IKE_SA
Since the narrow hook types reflect the roles in the Quick Mode exchange
the plugin behaved incorrectly if the server initiated the CHILD_SA
rekeying.
Diffstat (limited to 'src/libcharon/plugins/unity/unity_narrow.c')
-rw-r--r-- | src/libcharon/plugins/unity/unity_narrow.c | 49 |
1 files changed, 33 insertions, 16 deletions
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
index 9f72a80da..70a96990a 100644
--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -146,23 +146,40 @@ METHOD(listener_t, narrow, bool,
 if (ike_sa->get_version(ike_sa) == IKEV1 &&
 ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
 {
- switch (type)
+ /* depending on who initiates a rekeying the hooks will not match the
+ * roles in the IKE_SA */
+ if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
 {
- case NARROW_INITIATOR_PRE_AUTH:
- narrow_pre(remote, "other");
- break;
- case NARROW_INITIATOR_POST_AUTH:
- narrow_initiator(this, ike_sa,
- child_sa->get_config(child_sa), remote);
- break;
- case NARROW_RESPONDER:
- narrow_pre(local, "us");
- break;
- case NARROW_RESPONDER_POST:
- narrow_responder_post(child_sa->get_config(child_sa), local);
- break;
- default:
- break;
+ switch (type)
+ {
+ case NARROW_INITIATOR_PRE_AUTH:
+ case NARROW_RESPONDER:
+ narrow_pre(remote, "other");
+ break;
+ case NARROW_INITIATOR_POST_AUTH:
+ case NARROW_RESPONDER_POST:
+ narrow_initiator(this, ike_sa,
+ child_sa->get_config(child_sa), remote);
+ break;
+ default:
+ break;
+ }
+ }
+ else
+ {
+ switch (type)
+ {
+ case NARROW_INITIATOR_PRE_AUTH:
+ case NARROW_RESPONDER:
+ narrow_pre(local, "us");
+ break;
+ case NARROW_INITIATOR_POST_AUTH:
+ case NARROW_RESPONDER_POST:
+ narrow_responder_post(child_sa->get_config(child_sa), local);
+ break;
+ default:
+ break;
+ }
 }
 }
 return TRUE; |
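Review bot: The check `ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR)` is now the only thing that decides whose traffic selectors get rewritten, and the hunk does not say why that condition reliably identifies the Unity client. If the condition can end up unset on a client (for instance on an IKE_SA that the gateway initiated to replace this one; that is not visible here and needs confirming), the client would take the `else` branch and run `narrow_pre(local, "us")` and `narrow_responder_post()` as if it were the gateway, so the negotiated selectors would no longer reflect the split-include policy. I would at least label the two branches, e.g. `/* we initiated the IKE_SA and act as Unity client: narrow the remote TS */` above the first `switch` and `/* we act as Unity server: narrow our own TS */` above the second. The `narrow` method starts and ends outside the hunk, so any role handling outside these lines is not covered by this note.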