Enforce uniqueids=keep only for non-XAuth Main/Agressive Modes
authorMartin Willi <martin@revosec.ch>
Thu, 14 Jun 2012 13:08:37 +0000 (15:08 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 25 Jun 2012 08:18:35 +0000 (10:18 +0200)
src/libcharon/sa/ikev1/tasks/aggressive_mode.c
src/libcharon/sa/ikev1/tasks/main_mode.c

index 8fa2d52..1b6ccc5 100644 (file)
@@ -293,14 +293,6 @@ METHOD(task_t, build_i, status_t,
                        }
                        this->id_data = chunk_empty;
 
-                       if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-                                                                                                                this->ike_sa, FALSE))
-                       {
-                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to uniqueness "
-                                        "policy");
-                               return send_notify(this, AUTHENTICATION_FAILED);
-                       }
-
                        switch (this->method)
                        {
                                case AUTH_XAUTH_INIT_PSK:
@@ -314,6 +306,13 @@ METHOD(task_t, build_i, status_t,
                                        /* TODO-IKEv1: not yet */
                                        return FAILED;
                                default:
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+                                                        "uniqueness policy");
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
                                        if (!establish(this))
                                        {
                                                return send_notify(this, AUTHENTICATION_FAILED);
@@ -466,14 +465,6 @@ METHOD(task_t, process_r, status_t,
                                return send_delete(this);
                        }
 
-                       if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-                                                                                                                this->ike_sa, FALSE))
-                       {
-                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to uniqueness "
-                                        "policy");
-                               return send_delete(this);
-                       }
-
                        switch (this->method)
                        {
                                case AUTH_XAUTH_INIT_PSK:
@@ -488,6 +479,13 @@ METHOD(task_t, process_r, status_t,
                                        /* TODO-IKEv1: not yet supported */
                                        return FAILED;
                                default:
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+                                                        "uniqueness policy");
+                                               return send_delete(this);
+                                       }
                                        if (!establish(this))
                                        {
                                                return send_delete(this);
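Review bot: Moving the uniqueness check into the `default:` branch of the method switch (here in build_i and again in process_r) means the XAuth methods handled by the preceding `case` labels no longer pass through check_uniqueness() in this task at all, and nothing in the new code records where the uniqueids policy is applied for those peers instead. If the later enforcement the commit title relies on is missing for any XAuth variant, a second SA for an already connected identity would be accepted without any log line, so the check deserves a comment stating the intent, e.g. `/* uniqueids is enforced here for non-XAuth methods only; XAuth peers are expected to be checked once extended authentication has completed (TODO confirm) */`. The same applies to build_r and process_i in main_mode.c. Both build_i and process_r start before the hunks shown.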
index 419c9d3..11bdc1d 100644 (file)
@@ -493,12 +493,6 @@ METHOD(task_t, build_r, status_t,
                        {
                                return send_notify(this, AUTHENTICATION_FAILED);
                        }
-                       if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-                                                                                                                this->ike_sa, FALSE))
-                       {
-                               DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness policy");
-                               return send_notify(this, AUTHENTICATION_FAILED);
-                       }
 
                        switch (this->method)
                        {
@@ -514,6 +508,13 @@ METHOD(task_t, build_r, status_t,
                                        /* TODO-IKEv1: not yet supported */
                                        return FAILED;
                                default:
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
+                                                        "policy");
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
                                        if (!establish(this))
                                        {
                                                return send_notify(this, AUTHENTICATION_FAILED);
@@ -622,12 +623,6 @@ METHOD(task_t, process_i, status_t,
                                         "cancelling");
                                return send_delete(this);
                        }
-                       if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-                                                                                                                this->ike_sa, FALSE))
-                       {
-                               DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness policy");
-                               return send_delete(this);
-                       }
 
                        switch (this->method)
                        {
@@ -642,6 +637,13 @@ METHOD(task_t, process_i, status_t,
                                        /* TODO-IKEv1: not yet */
                                        return FAILED;
                                default:
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
+                                                        "policy");
+                                               return send_delete(this);
+                                       }
                                        if (!establish(this))
                                        {
                                                return send_delete(this);
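Review bot: The seven-line uniqueness block is now written out verbatim four times — in build_r and process_i here and in build_i and process_r of aggressive_mode.c — differing only in whether send_notify() or send_delete() is returned, so the log text and the FALSE argument passed to check_uniqueness() can drift apart on the next change. A small static helper per file that performs the check and logs would leave each caller with a single-condition `if (!check_unique(this)) { return send_delete(this); }`. Both build_r and process_i begin outside the hunks shown.
```c
/* Apply the uniqueids policy to this->ike_sa; FALSE if the SA must be cancelled */
static bool check_unique(private_main_mode_t *this)
{
	if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
												 this->ike_sa, FALSE))
	{
		DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness policy");
		return FALSE;
	}
	return TRUE;
}

/* … unchanged: process_i up to the method switch … */
				default:
					if (!check_unique(this))
					{
						return send_delete(this);
					}
```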