diff options
author | Matthew Smith <mgsmith@netgate.com> | 2017-04-26 15:42:39 -0500 |
---|---|---|
committer | Damjan Marion <dmarion.lists@gmail.com> | 2017-04-27 12:54:09 +0000 |
commit | 1e19ee4458b652058a251b5094c72d57c03fb680 (patch) | |
tree | 7f036a7c06fd5e136c240a6ed50f6a25c91d2f3f | |
parent | f7e655d69a3325b8050eb09bc6065fac10bcb81b (diff) |
VPP-716: IKEv2 responder fails to authenticate initiator
Fix handling of IDi and IDr when processing payloads in ikev2_process_auth_req
Change-Id: If0d4441dc89f08f3753f38987406c002d43558ec
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
-rw-r--r-- | src/vnet/ipsec/ikev2.c | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c index 3f9978a7520..296654ecbac 100644 --- a/src/vnet/ipsec/ikev2.c +++ b/src/vnet/ipsec/ikev2.c @@ -875,25 +875,26 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep); } } - else if (payload == IKEV2_PAYLOAD_IDI || payload == IKEV2_PAYLOAD_IDR) /* 35, 36 */ + else if (payload == IKEV2_PAYLOAD_IDI) /* 35 */ { ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep; - if (sa->is_initiator) - { - sa->r_id.type = id->id_type; - vec_free (sa->r_id.data); - vec_add (sa->r_id.data, id->payload, plen - sizeof (*id)); - } - else - { - sa->i_id.type = id->id_type; - vec_free (sa->i_id.data); - vec_add (sa->i_id.data, id->payload, plen - sizeof (*id)); - } + sa->i_id.type = id->id_type; + vec_free (sa->i_id.data); + vec_add (sa->i_id.data, id->payload, plen - sizeof (*id)); + + clib_warning ("received payload IDi, len %u id_type %u", + plen - sizeof (*id), id->id_type); + } + else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */ + { + ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep; + + sa->r_id.type = id->id_type; + vec_free (sa->r_id.data); + vec_add (sa->r_id.data, id->payload, plen - sizeof (*id)); - clib_warning ("received payload %s, len %u id_type %u", - (payload == IKEV2_PAYLOAD_IDI ? "IDi" : "IDr"), + clib_warning ("received payload IDr len %u id_type %u", plen - sizeof (*id), id->id_type); } else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */ |