unity: Handle narrowing according to roles in the IKE_SA
authorTobias Brunner <tobias@strongswan.org>
Thu, 17 Jul 2014 15:24:43 +0000 (17:24 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 25 Aug 2014 07:59:43 +0000 (09:59 +0200)
Since the narrow hook types reflect the roles in the Quick Mode exchange,
the plugin behaved incorrectly if the server initiated the CHILD_SA
rekeying.

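--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -146,23 +146,40 @@ METHOD(listener_t, narrow, bool,
         if (ike_sa->get_version(ike_sa) == IKEV1 &&
                 ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
         {
-               switch (type)
+               /* depending on who initiates a rekeying the hooks will not match the
+                * roles in the IKE_SA */
+               if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
                 {
-                       case NARROW_INITIATOR_PRE_AUTH:
-                               narrow_pre(remote, "other");
-                               break;
-                       case NARROW_INITIATOR_POST_AUTH:
-                               narrow_initiator(this, ike_sa,
-                                                                child_sa->get_config(child_sa), remote);
-                               break;
-                       case NARROW_RESPONDER:
-                               narrow_pre(local, "us");
-                               break;
-                       case NARROW_RESPONDER_POST:
-                               narrow_responder_post(child_sa->get_config(child_sa), local);
-                               break;
-                       default:
-                               break;
+                       switch (type)
+                       {
+                               case NARROW_INITIATOR_PRE_AUTH:
+                               case NARROW_RESPONDER:
+                                       narrow_pre(remote, "other");
+                                       break;
+                               case NARROW_INITIATOR_POST_AUTH:
+                               case NARROW_RESPONDER_POST:
+                                       narrow_initiator(this, ike_sa,
+                                                                        child_sa->get_config(child_sa), remote);
+                                       break;
+                               default:
+                                       break;
+                       }
+               }
+               else
+               {
+                       switch (type)
+                       {
+                               case NARROW_INITIATOR_PRE_AUTH:
+                               case NARROW_RESPONDER:
+                                       narrow_pre(local, "us");
+                                       break;
+                               case NARROW_INITIATOR_POST_AUTH:
+                               case NARROW_RESPONDER_POST:
+                                       narrow_responder_post(child_sa->get_config(child_sa), local);
+                                       break;
+                               default:
+                                       break;
+                       }
                 }
         }
         return TRUE;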
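Review bot: The role dispatch is written as two parallel switch statements on `type` that differ only in the callee, so the pairing of NARROW_INITIATOR_PRE_AUTH with NARROW_RESPONDER (and of the two POST hooks) is stated twice and can silently drift if one arm is edited later. Deciding the IKE_SA role once and switching on `type` a single time keeps the hook pairing in one place and makes the role-specific call the only thing that varies. The added comment would also read more clearly if it named the two role spaces explicitly, e.g. `/* the narrow hook type reflects the Quick Mode role, which differs from the IKE_SA role when the server initiates a rekeying; dispatch on the original IKE_SA role instead */`. The enclosing narrow() method starts before this hunk, so whether `local`/`remote` are already set for every hook type is not visible here.

```c
		bool initiator = ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR);

		switch (type)
		{
			case NARROW_INITIATOR_PRE_AUTH:
			case NARROW_RESPONDER:
				if (initiator)
				{
					narrow_pre(remote, "other");
				}
				else
				{
					narrow_pre(local, "us");
				}
				break;
			case NARROW_INITIATOR_POST_AUTH:
			case NARROW_RESPONDER_POST:
				if (initiator)
				{
					narrow_initiator(this, ike_sa,
									 child_sa->get_config(child_sa), remote);
				}
				else
				{
					narrow_responder_post(child_sa->get_config(child_sa), local);
				}
				break;
			default:
				break;
		}
```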