author | Tobias Brunner <tobias@strongswan.org> | 2015-03-23 10:58:30 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2015-03-23 17:23:57 +0100 |
commit | a7172ddaff8985b7a044b470ed8f5a571ebf5310 (patch) | |
tree | fdfc107486208e6d9d95f381b8e3f152a6ae3c6d /src/libtls/tls_server.c | |
parent | 8a0cc3f362cbbb7e0a4015baa71be3f2a2c736eb (diff) | |
download | strongswan-a7172ddaff8985b7a044b470ed8f5a571ebf5310.tar.bz2 strongswan-a7172ddaff8985b7a044b470ed8f5a571ebf5310.tar.xz |
ikev1: Make sure SPIs in an IKEv1 DELETE payload match the current SA
OpenBSD's isakmpd uses the latest ISAKMP SA to delete other expired SAs.
This caused strongSwan to delete e.g. a rekeyed SA even though isakmpd
meant to delete the old one.
What isakmpd does might not be standard compliant. As RFC 2408 puts
it:
Deletion which is concerned with an ISAKMP SA will contain a
Protocol-Id of ISAKMP and the SPIs are the initiator and responder
cookies from the ISAKMP Header.
This could either be interpreted as "copy the SPIs from the ISAKMP
header of the current message to the DELETE payload" (which is what
strongSwan assumed, and the direction IKEv2 took it, by not sending SPIs
for IKE), or as clarification that ISAKMP "cookies" are actually the
SPIs meant to be put in the payload (but that any ISAKMP SA may be
deleted).
Diffstat (limited to 'src/libtls/tls_server.c')
0 files changed, 0 insertions, 0 deletions
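The commit message above argues that an IKEv1 DELETE for an ISAKMP SA must be matched against the SPIs carried in the payload, not simply applied to the SA the message arrived on. The following is an added example, written for this page and not code from strongSwan or isakmpd, that shows both interpretations over RFC 2408 wire layout: a builder for an Informational message carrying one DELETE payload, a lenient checker that deletes whatever SA the header cookies identify, and a strict checker that requires a payload SPI to equal the current SA's cookie pair. The cookie values, the `ike_sa_id_t` struct, and the assumption that the DELETE is the first and only payload are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire constants from RFC 2408. The ISAKMP header is 28 octets; a DELETE
   payload has a 12-octet fixed part before its SPI list. */
#define ISAKMP_HDR_LEN     28   /* cookies(16) np(1) ver(1) xchg(1) flags(1) msgid(4) len(4) */
#define ISAKMP_COOKIE_LEN   8
#define PROTO_ISAKMP        1
#define PAYLOAD_DELETE     12
#define DELETE_FIXED_LEN   12   /* np(1) rsv(1) len(2) doi(4) proto(1) spisz(1) nspi(2) */

/* Constructed for this example: identity of an ISAKMP SA is its cookie pair. */
typedef struct {
    uint8_t spi_i[ISAKMP_COOKIE_LEN];
    uint8_t spi_r[ISAKMP_COOKIE_LEN];
} ike_sa_id_t;

typedef enum {
    DELETE_MATCH,       /* payload names the SA the message arrived on */
    DELETE_OTHER_SA,    /* well-formed, but names a different ISAKMP SA */
    DELETE_NOT_ISAKMP,  /* Protocol-Id is not ISAKMP (ESP/AH deletes go elsewhere) */
    DELETE_MALFORMED    /* truncated or inconsistent payload */
} delete_result_t;

/* Build a minimal Informational message: header cookies from `hdr`, one
   DELETE payload (Protocol-Id ISAKMP, SPI size 16) carrying `payload`'s cookies. */
size_t build_isakmp_delete(uint8_t *buf, size_t cap,
                           const ike_sa_id_t *hdr, const ike_sa_id_t *payload)
{
    size_t total = ISAKMP_HDR_LEN + DELETE_FIXED_LEN + 2 * ISAKMP_COOKIE_LEN;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, hdr->spi_i, ISAKMP_COOKIE_LEN);
    memcpy(buf + 8, hdr->spi_r, ISAKMP_COOKIE_LEN);
    buf[16] = PAYLOAD_DELETE;       /* Next Payload: D */
    buf[17] = 0x10;                 /* Version 1.0 */
    buf[18] = 5;                    /* Exchange Type: Informational */
    buf[27] = (uint8_t)total;       /* Length (fits in one octet here) */
    uint8_t *d = buf + ISAKMP_HDR_LEN;
    d[3] = DELETE_FIXED_LEN + 2 * ISAKMP_COOKIE_LEN;  /* Payload Length */
    d[7] = 1;                       /* DOI: IPsec */
    d[8] = PROTO_ISAKMP;
    d[9] = 2 * ISAKMP_COOKIE_LEN;   /* SPI Size: initiator + responder cookie */
    d[11] = 1;                      /* # of SPIs */
    memcpy(d + 12, payload->spi_i, ISAKMP_COOKIE_LEN);
    memcpy(d + 20, payload->spi_r, ISAKMP_COOKIE_LEN);
    return total;
}

/* Parse the DELETE payload; on success set *spis to the SPI list and return
   its count, or -1 if the payload is malformed or not an ISAKMP delete. */
static int parse_isakmp_delete(const uint8_t *msg, size_t len, const uint8_t **spis)
{
    if (len < ISAKMP_HDR_LEN + DELETE_FIXED_LEN || msg[16] != PAYLOAD_DELETE) return -1;
    const uint8_t *d = msg + ISAKMP_HDR_LEN;
    size_t plen = ((size_t)d[2] << 8) | d[3];
    size_t nspi = ((size_t)d[10] << 8) | d[11];
    if (plen < DELETE_FIXED_LEN || plen > len - ISAKMP_HDR_LEN) return -1;
    if (d[8] != PROTO_ISAKMP) return -2;
    if (d[9] != 2 * ISAKMP_COOKIE_LEN || nspi == 0) return -1;
    if (plen - DELETE_FIXED_LEN != nspi * d[9]) return -1;   /* SPI list must fill payload */
    *spis = d + DELETE_FIXED_LEN;
    return (int)nspi;
}

/* Lenient reading of RFC 2408 ("SPIs are the cookies from the ISAKMP Header"):
   any ISAKMP delete tears down the SA the message arrived on. With isakmpd
   sending deletes for expired SAs over its newest SA, this deletes the wrong one. */
delete_result_t check_delete_lenient(const uint8_t *msg, size_t len)
{
    const uint8_t *spis;
    int n = parse_isakmp_delete(msg, len, &spis);
    if (n == -2) return DELETE_NOT_ISAKMP;
    return n < 0 ? DELETE_MALFORMED : DELETE_MATCH;
}

/* Strict reading: `current` is the SA looked up from the header cookies; only
   act if one of the payload SPIs actually equals that SA's cookie pair. */
delete_result_t check_delete_strict(const uint8_t *msg, size_t len, const ike_sa_id_t *current)
{
    const uint8_t *spis;
    int n = parse_isakmp_delete(msg, len, &spis);
    if (n == -2) return DELETE_NOT_ISAKMP;
    if (n < 0) return DELETE_MALFORMED;
    for (int i = 0; i < n; i++) {
        const uint8_t *spi = spis + (size_t)i * 2 * ISAKMP_COOKIE_LEN;
        if (memcmp(spi, current->spi_i, ISAKMP_COOKIE_LEN) == 0 &&
            memcmp(spi + ISAKMP_COOKIE_LEN, current->spi_r, ISAKMP_COOKIE_LEN) == 0)
            return DELETE_MATCH;
    }
    return DELETE_OTHER_SA;
}

/* The isakmpd case from the commit message: header names the rekeyed (newest)
   SA, payload names the old one. Constructed cookie values. */
delete_result_t rekey_scenario(int strict)
{
    ike_sa_id_t old_sa = {{1,1,1,1,1,1,1,1}, {2,2,2,2,2,2,2,2}};
    ike_sa_id_t new_sa = {{3,3,3,3,3,3,3,3}, {4,4,4,4,4,4,4,4}};
    uint8_t buf[64];
    size_t len = build_isakmp_delete(buf, sizeof buf, &new_sa, &old_sa);
    return strict ? check_delete_strict(buf, len, &new_sa) : check_delete_lenient(buf, len);
}

int main(void)
{
    printf("lenient: %d  strict: %d  (DELETE_MATCH=%d, DELETE_OTHER_SA=%d)\n",
           rekey_scenario(0), rekey_scenario(1), DELETE_MATCH, DELETE_OTHER_SA);
    return 0;
}
```

The strict checker also rejects a payload whose SPI list does not exactly fill the declared payload length, so a truncated or padded DELETE is dropped rather than partially interpreted; the lenient variant is kept only to make the failure mode in the commit message reproducible side by side.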