From 91d80298f9de5e7d792b7cb0a6c7a2c61784d744 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 10 Feb 2016 10:11:31 +0100
Subject: ikev1: Send and verify IPv6 addresses correctly

According to the mode-config draft there is no prefix sent for IPv6 addresses in IKEv1. We still accept 17 bytes long addresses for backwards compatibility with older strongSwan releases. Fixes #1304.
---
 src/libcharon/encoding/payloads/configuration_attribute.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'src/libcharon/encoding/payloads/configuration_attribute.c')
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c
index 481bb7bc6..0bc94708f 100644
--- a/src/libcharon/encoding/payloads/configuration_attribute.c
+++ b/src/libcharon/encoding/payloads/configuration_attribute.c
@@ -144,6 +144,13 @@ METHOD(payload_t, verify, status_t,
 }
 break;
 case INTERNAL_IP6_ADDRESS:
+ if (this->type == PLV1_CONFIGURATION_ATTRIBUTE &&
+ this->length_or_value == 16)
+ { /* 16 bytes are correct for IKEv1, but older releases sent a
+ * prefix byte so we still accept 0 or 17 as in IKEv2 */
+ break;
+ }
+ /* fall-through */
 case INTERNAL_IP6_SUBNET:
 if (this->length_or_value != 0 && this->length_or_value != 17)
 {
-- 
cgit v1.2.3
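Review bot: After this change an IKEv1 `INTERNAL_IP6_ADDRESS` attribute passes verify() with either 16 or 17 bytes of value, so any code that later parses the value has to branch on the actual length before reading a prefix byte at offset 16. That consumer is not part of this diff (the view is limited to this one file), so it should be confirmed that it does not assume the 17-byte IKEv2 layout for a peer-supplied 16-byte value. On style, the comment inside the accepting branch mostly describes the fall-through path; it would read more clearly split in two, `/* IKEv1 sends the bare 16-byte address, no prefix byte */` on the branch and `/* fall-through: older releases sent a prefix byte, so accept 0 or 17 as in IKEv2 */` before `case INTERNAL_IP6_SUBNET:`. The body of verify starts and ends outside the hunk.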