properly checking received IDr as initiator
authorMartin Willi <martin@strongswan.org>
Wed, 25 Apr 2007 06:06:13 +0000 (06:06 -0000)
committerMartin Willi <martin@strongswan.org>
Wed, 25 Apr 2007 06:06:13 +0000 (06:06 -0000)
src/charon/sa/ike_sa.c
src/charon/sa/tasks/ike_auth.c

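--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -362,14 +362,15 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
 
                set_other_host(this, other->clone(other));
        }
-       if (this->my_id == NULL || this->my_id->contains_wildcards(this->my_id))
+       /* apply IDs if they are not already set */
+       if (this->my_id->contains_wildcards(this->my_id))
        {
                identification_t *my_id = this->peer_cfg->get_my_id(this->peer_cfg);
-
+               
                DESTROY_IF(this->my_id);
                this->my_id = my_id->clone(my_id);
        }
-       if (this->other_id == NULL || this->other_id->contains_wildcards(this->other_id))
+       if (this->other_id->contains_wildcards(this->other_id))
        {
                identification_t *other_id = this->peer_cfg->get_other_id(this->peer_cfg);
 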
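Review bot: Dropping the `this->my_id == NULL ||` guard on the first `if` (and the matching `this->other_id == NULL ||` guard on the second) makes set_peer_cfg dereference both IDs unconditionally, so the function now depends on every private_ike_sa_t carrying non-NULL `my_id` and `other_id` from construction onward; that invariant is not visible in this hunk and the new comment does not state it. If the constructor initializes both to a wildcard identity, record it where the guard used to be, e.g. `/* apply IDs if they are not already set; my_id/other_id are never NULL here (wildcards at creation) */`, otherwise the NULL checks should stay. The line that replaces the old blank line (`+               `) is whitespace-only and should be an empty line. set_peer_cfg begins and ends outside this hunk.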
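--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -215,7 +215,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
  */
 static status_t process_id(private_ike_auth_t *this, message_t *message)
 {
-       identification_t *id;
+       identification_t *id, *req;
        id_payload_t *idr, *idi;
 
        idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
@@ -230,6 +230,13 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
        if (this->initiator)
        {
                id = idr->get_identification(idr);
+               req = this->ike_sa->get_other_id(this->ike_sa);
+               if (!id->matches(id, req, NULL))
+               {
+                       SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req);
+                       id->destroy(id);
+                       return FAILED;
+               }
                this->ike_sa->set_other_id(this->ike_sa, id);
        }
        else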
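Review bot: The new `id->matches(id, req, NULL)` check assumes `req` returned by `get_other_id` is never NULL, which (as far as this hunk shows) is only guaranteed by the ike_sa.c change in the same commit that stops tolerating a NULL other_id; a comment on the `req =` line, `/* other_id is always set (at least a wildcard), see set_peer_cfg */`, would make that coupling visible to the next person touching either file. It is also worth stating in the function header that this comparison is only as strict as the configured other ID: when the peer config carries a wildcard, `matches` presumably accepts any IDr, so the check pins the responder's identity only for configurations with a concrete ID. The FAILED path correctly destroys `id` before returning, and the success path hands ownership to `set_other_id`. The responder branch and the remainder of process_id lie outside this hunk.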