From 1e19ee4458b652058a251b5094c72d57c03fb680 Mon Sep 17 00:00:00 2001 From: Matthew Smith Date: Wed, 26 Apr 2017 15:42:39 -0500 Subject: VPP-716: IKEv2 responder fails to authenticate initiator Fix handling of IDi and IDr when processing payloads in ikev2_process_auth_req Change-Id: If0d4441dc89f08f3753f38987406c002d43558ec Signed-off-by: Matthew Smith --- src/vnet/ipsec/ikev2.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) (limited to 'src/vnet') diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c index 3f9978a7520..296654ecbac 100644 --- a/src/vnet/ipsec/ikev2.c +++ b/src/vnet/ipsec/ikev2.c @@ -875,25 +875,26 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep); } } - else if (payload == IKEV2_PAYLOAD_IDI || payload == IKEV2_PAYLOAD_IDR) /* 35, 36 */ + else if (payload == IKEV2_PAYLOAD_IDI) /* 35 */ { ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep; - if (sa->is_initiator) - { - sa->r_id.type = id->id_type; - vec_free (sa->r_id.data); - vec_add (sa->r_id.data, id->payload, plen - sizeof (*id)); - } - else - { - sa->i_id.type = id->id_type; - vec_free (sa->i_id.data); - vec_add (sa->i_id.data, id->payload, plen - sizeof (*id)); - } + sa->i_id.type = id->id_type; + vec_free (sa->i_id.data); + vec_add (sa->i_id.data, id->payload, plen - sizeof (*id)); + + clib_warning ("received payload IDi, len %u id_type %u", + plen - sizeof (*id), id->id_type); + } + else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */ + { + ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep; + + sa->r_id.type = id->id_type; + vec_free (sa->r_id.data); + vec_add (sa->r_id.data, id->payload, plen - sizeof (*id)); - clib_warning ("received payload %s, len %u id_type %u", - (payload == IKEV2_PAYLOAD_IDI ? "IDi" : "IDr"), + clib_warning ("received payload IDr len %u id_type %u", plen - sizeof (*id), id->id_type); } else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */ -- cgit 1.2.3-korg