ike-auth: Don't send INITIAL_CONTACT if remote ID contains wildcards
author Tobias Brunner <tobias@strongswan.org>
Mon, 14 Nov 2016 14:39:17 +0000 (15:39 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Mon, 6 Feb 2017 10:16:53 +0000 (11:16 +0100)
Such an identity won't equal an actual peer's identity, resulting in
sending an INITIAL_CONTACT notify even if there might be an existing
IKE_SA.

src/libcharon/sa/ikev2/tasks/ike_auth.c

index 036910d..1e47144 100644
@@ -466,7 +466,8 @@ METHOD(task_t, build_i, status_t,
                get_reserved_id_bytes(this, id_payload);
                message->add_payload(message, (payload_t*)id_payload);
 
-               if (idr && message->get_message_id(message) == 1 &&
+               if (idr && !idr->contains_wildcards(idr) &&
+                       message->get_message_id(message) == 1 &&
                        this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
                        this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
                {
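Review bot: the new `!idr->contains_wildcards(idr)` term deserves a short code comment above the `if`, since nothing in the visible lines explains why a wildcard remote identity suppresses INITIAL_CONTACT; the reasoning in the commit message (a wildcard IDr cannot be matched against an existing IKE_SA's actual peer identity, so the notify could wrongly tear down a live SA) belongs next to the condition, e.g. `/* don't send INITIAL_CONTACT for wildcard IDr, it can't match an existing IKE_SA */`. It is also worth stating, in the comment or the commit message, that this makes the notify unconditionally absent for such configurations even when the unique policy is not UNIQUE_NO or UNIQUE_NEVER, so that the behaviour is understood as intentional rather than as a missed case.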