author | Martin Willi <martin@strongswan.org> | 2007-04-25 06:06:13 +0000 |
---|---|---|
committer | Martin Willi <martin@strongswan.org> | 2007-04-25 06:06:13 +0000 |
commit | f47e450be910b2b37808591f7b160ec1145076f6 (patch) | |
tree | 2b1f4b6552d316ced900d3410bb8d0b93fc5af3b /src | |
parent | c80e8ba11a252e8352b2b9523d0939d5a9f1a3c8 (diff) | |
download | strongswan-f47e450be910b2b37808591f7b160ec1145076f6.tar.bz2 strongswan-f47e450be910b2b37808591f7b160ec1145076f6.tar.xz |
properly checking received IDr as initiator
Diffstat (limited to 'src')
-rw-r--r-- | src/charon/sa/ike_sa.c | 7 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_auth.c | 9 |
2 files changed, 12 insertions, 4 deletions
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 858cef373..b1d76ac84 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -362,14 +362,15 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
 		set_other_host(this, other->clone(other));
 	}
-	if (this->my_id == NULL || this->my_id->contains_wildcards(this->my_id))
+	/* apply IDs if they are not already set */
+	if (this->my_id->contains_wildcards(this->my_id))
 	{
 		identification_t *my_id = this->peer_cfg->get_my_id(this->peer_cfg);
-
+		DESTROY_IF(this->my_id);
 		this->my_id = my_id->clone(my_id);
 	}
-	if (this->other_id == NULL || this->other_id->contains_wildcards(this->other_id))
+	if (this->other_id->contains_wildcards(this->other_id))
 	{
 		identification_t *other_id = this->peer_cfg->get_other_id(this->peer_cfg);
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 67f1e8bcc..9e2f6b085 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -215,7 +215,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
  */
 static status_t process_id(private_ike_auth_t *this, message_t *message)
 {
-	identification_t *id;
+	identification_t *id, *req;
 	id_payload_t *idr, *idi;
 	idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
@@ -230,6 +230,13 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
 	if (this->initiator)
 	{
 		id = idr->get_identification(idr);
+		req = this->ike_sa->get_other_id(this->ike_sa);
+		if (!id->matches(id, req, NULL))
+		{
+			SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req);
+			id->destroy(id);
+			return FAILED;
+		}
 		this->ike_sa->set_other_id(this->ike_sa, id);
 	}
 	else
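Review bot: The new initiator-side check `if (!id->matches(id, req, NULL))` in process_id() is the security-relevant line of this commit, yet it carries no comment saying what it enforces, and a reader cannot tell from the call alone that the received IDr is the subject and the configured `req` the (possibly wildcard) pattern, so that a wildcard peer ID (cf. `contains_wildcards()` in the ike_sa.c hunk) accepts any IDr by design. I would add above the call `/* the responder's IDr must match the configured peer ID (a wildcard ID matches any); otherwise any peer holding an acceptable credential could answer for the intended one */`. The check also dereferences `req` unconditionally; the ike_sa.c hunk of this same commit drops the `== NULL` guards on the IDs, so the non-NULL assumption now lives in two places and deserves either a one-line precondition comment (`/* get_other_id() never returns NULL, set_peer_cfg() relies on the same */`) or a defensive `req == NULL` rejection. Note that the matched ID is stored into the IKE_SA via `set_other_id()` before the AUTH payload is verified, so this test only narrows which identity may be claimed; the binding of that identity to the peer's credential presumably happens in process_auth(), outside this hunk. The `else` branch and the remainder of process_id() continue past the hunk.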