path: root/src/libcharon
author: Martin Willi <martin@strongswan.org> 2017-03-23 08:48:46 +0100
committer: Martin Willi <martin@strongswan.org> 2017-03-24 08:17:01 +0100
commit: 3610d7607e2193d8b088bcba4362f58297dbca0f (patch)
tree: 93a89bb806e5571cb3dd4608b6df835da3f72e6f /src/libcharon
parent: db12675ec45c9c9bfe5b6ae000a38c76bdf6aad5 (diff)
download: strongswan-3610d7607e2193d8b088bcba4362f58297dbca0f.tar.bz2
strongswan-3610d7607e2193d8b088bcba4362f58297dbca0f.tar.xz
addrblock: Narrow selectors when rekeying a CHILD_SA as original responder
If the original responder narrows the selectors of its peer in addrblock, the peer gets a subset of those selectors. However, once the original responder initiates rekeying of that CHILD_SA, it sends the full selectors to the peer, and then narrows the received selectors locally for the installation only. This is insufficient, as the peer ends up with wider selectors, sending traffic that the original responder will reject due to the stricter IPsec policy. So additionally narrow the selectors when rekeying CHILD_SAs before sending the TS list to the peer.
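The mismatch the commit message describes can be reproduced in a small simulation. The following is an added example, not strongSwan code: it models traffic selectors as inclusive IPv4 address ranges, narrows a proposed TS list against an addrblock-style permitted range by range intersection, and then plays the original responder's rekey both ways. The type and function names (ts_t, narrow(), rekey_selectors_consistent()) and the sample prefixes are constructed for this illustration and do not exist in the project.

```c
/* Added example (not strongSwan code): shows why the original responder must
 * narrow the TS list it sends on rekey, not only the policy it installs. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One IPv4 traffic selector as an inclusive address range (hypothetical,
 * simplified stand-in for the range-based selectors IKEv2 exchanges). */
typedef struct {
    uint32_t from;
    uint32_t to;
} ts_t;

#define MAX_TS 8

typedef struct {
    ts_t ts[MAX_TS];
    int count;
} ts_list_t;

/* Build a selector from a dotted-quad prefix, e.g. ("10.1.0.0", 16). */
ts_t ts_from_prefix(const char *addr, int prefix_len)
{
    unsigned a = 0, b = 0, c = 0, d = 0;
    uint32_t base, mask;
    ts_t ts;

    sscanf(addr, "%u.%u.%u.%u", &a, &b, &c, &d);
    base = (a << 24) | (b << 16) | (c << 8) | d;
    mask = prefix_len == 0 ? 0 : (uint32_t)0xffffffffu << (32 - prefix_len);
    ts.from = base & mask;
    ts.to = base | ~mask;
    return ts;
}

/* Intersect every proposed selector with every permitted addrblock range.
 * Proposed selectors that do not overlap any permitted range are dropped. */
ts_list_t narrow(const ts_list_t *proposed, const ts_list_t *addrblock)
{
    ts_list_t out = { .count = 0 };

    for (int i = 0; i < proposed->count; i++) {
        for (int j = 0; j < addrblock->count && out.count < MAX_TS; j++) {
            uint32_t from = proposed->ts[i].from > addrblock->ts[j].from
                          ? proposed->ts[i].from : addrblock->ts[j].from;
            uint32_t to = proposed->ts[i].to < addrblock->ts[j].to
                        ? proposed->ts[i].to : addrblock->ts[j].to;
            if (from <= to) {
                out.ts[out.count++] = (ts_t){ from, to };
            }
        }
    }
    return out;
}

/* True if every selector in 'inner' lies inside some selector of 'outer'. */
bool covered_by(const ts_list_t *inner, const ts_list_t *outer)
{
    for (int i = 0; i < inner->count; i++) {
        bool ok = false;
        for (int j = 0; j < outer->count; j++) {
            if (inner->ts[i].from >= outer->ts[j].from &&
                inner->ts[i].to <= outer->ts[j].to) {
                ok = true;
                break;
            }
        }
        if (!ok) {
            return false;
        }
    }
    return true;
}

/* Simulate the original responder initiating a CHILD_SA rekey. Its own policy
 * is always narrowed locally; narrow_before_send decides whether the TS list
 * it puts on the wire is narrowed too. Returns true when the peer's resulting
 * policy never exceeds the responder's, i.e. no peer traffic gets rejected. */
bool rekey_selectors_consistent(bool narrow_before_send)
{
    /* constructed sample: the responder's addrblock only permits 10.1.0.0/16 */
    ts_list_t addrblock = { .count = 1 };
    addrblock.ts[0] = ts_from_prefix("10.1.0.0", 16);

    /* constructed sample: the responder's configured selector is 10.0.0.0/8 */
    ts_list_t configured = { .count = 1 };
    configured.ts[0] = ts_from_prefix("10.0.0.0", 8);

    /* TS list carried in the rekey request sent to the peer */
    ts_list_t sent = narrow_before_send ? narrow(&configured, &addrblock)
                                        : configured;

    /* the peer has no addrblock of its own and accepts the list as received */
    ts_list_t peer_policy = sent;

    /* the responder installs its policy narrowed by the addrblock regardless */
    ts_list_t responder_policy = narrow(&configured, &addrblock);

    return covered_by(&peer_policy, &responder_policy);
}

int main(void)
{
    printf("without narrowing before send: %s\n",
           rekey_selectors_consistent(false) ? "consistent" : "peer too wide");
    printf("with narrowing before send:    %s\n",
           rekey_selectors_consistent(true) ? "consistent" : "peer too wide");
    return 0;
}
```

Without narrowing before send the peer installs 10.0.0.0/8 while the responder only accepts 10.1.0.0/16, so anything the peer sends to the rest of 10.0.0.0/8 over that CHILD_SA is dropped by the responder's policy; narrowing the list before it leaves the responder makes both ends agree.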
Diffstat (limited to 'src/libcharon')
-rw-r--r--src/libcharon/plugins/addrblock/addrblock_narrow.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.c b/src/libcharon/plugins/addrblock/addrblock_narrow.c
index 97040aa34..3b3b72ff8 100644
--- a/src/libcharon/plugins/addrblock/addrblock_narrow.c
+++ b/src/libcharon/plugins/addrblock/addrblock_narrow.c
@@ -105,6 +105,7 @@ METHOD(listener_t, narrow, bool,
switch (type)
{
case NARROW_RESPONDER:
+ case NARROW_INITIATOR_PRE_AUTH:
case NARROW_INITIATOR_POST_AUTH:
case NARROW_INITIATOR_POST_NOAUTH:
narrow_addrblock(this, ike_sa, remote);
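Review bot: routing NARROW_INITIATOR_PRE_AUTH into narrow_addrblock() makes the hook fire not only on the rekey path the commit message targets but in every pre-authentication initiator narrowing, including the initial CHILD_SA set up during IKE_AUTH, where the initiator assembles its TS list before the peer's certificate (and hence any addrblock in it) is available; nothing in this hunk shows that narrow_addrblock() tolerates a missing peer certificate by leaving the list untouched rather than narrowing it to nothing, so please confirm that guard exists or add it. A one-line comment on the new case label stating that it exists so the original responder narrows the TS list it sends when initiating a rekey would also stop the next reader from taking it for the initial-exchange path.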