[Swan-dev] pluto: Do address setting before check TS in IKEv2

Herbert Xu herbert at gondor.apana.org.au
Thu Apr 30 10:53:29 EEST 2015


We need to parse the CP payload and set the address before we do
the TS check as otherwise we are bound to fail if the TS uses the
address that CP will set.
    
Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>

diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
index 5620f97..95803a3 100644
--- a/programs/pluto/ikev2_parent.c
+++ b/programs/pluto/ikev2_parent.c
@@ -2939,6 +2939,26 @@ stf_status ikev2parent_inR2(struct msg_digest *md)
 		return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
 	}
 
+	/* are we expecting a v2CP (RESP) ?  */
+	if (c->spd.this.modecfg_client) {
+		if (md->chain[ISAKMP_NEXT_v2CP] == NULL) {
+			/* not really anything to here... but it would be worth unpending again */
+			libreswan_log("missing v2CP reply, not attempting to setup child SA");
+			/* Delete previous retransmission event. */
+			delete_event(st);
+			/*
+			 * ??? this isn't really a failure, is it?
+			 * If none of those payloads appeared, isn't this is a
+			 * legitimate negotiation of a parent?
+			 */
+			return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
+		}
+		if (!ikev2_parse_cp_r_body(md->chain[ISAKMP_NEXT_v2CP], st))
+		{
+			return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
+		}
+	}
+
 	/* check TS payloads */
 	{
 		int bestfit_n, bestfit_p, bestfit_pr;
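Review bot: after this move, ikev2_parse_cp_r_body() writes the CP-assigned address into the state before the TS check (the block starting at `/* check TS payloads */`) has accepted anything; if that check then fails, the state keeps the assigned address. Confirm that the failure path of the TS block releases or ignores that address, or clear it there, and mention it in the commit message. Two cosmetic items travel with the moved lines: the comment `/* not really anything to here... */` is missing the word "do", and the brace after `if (!ikev2_parse_cp_r_body(...))` sits on its own line while the neighbouring `if` statements keep it on the same line.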
@@ -3081,26 +3101,6 @@ stf_status ikev2parent_inR2(struct msg_digest *md)
 			return ret;
 	}
 
-	/* are we expecting a v2CP (RESP) ?  */
-	if (c->spd.this.modecfg_client) {
-		if (md->chain[ISAKMP_NEXT_v2CP] == NULL) {
-			/* not really anything to here... but it would be worth unpending again */
-			libreswan_log("missing v2CP reply, not attempting to setup child SA");
-			/* Delete previous retransmission event. */
-			delete_event(st);
-			/*
-			 * ??? this isn't really a failure, is it?
-			 * If none of those payloads appeared, isn't this is a
-			 * legitimate negotiation of a parent?
-			 */
-			return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
-		}
-		if (!ikev2_parse_cp_r_body(md->chain[ISAKMP_NEXT_v2CP], st))
-		{
-			return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
-		}
-	}
-
 	/* examine each notification payload */
 	{
 		struct payload_digest *p;
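Review bot: the removed lines are byte-identical to the ones added earlier in the function, so this hunk is a pure relocation; the one thing to verify is that nothing between the old position and the new one (the TS check and the `return ret;` path just above this hunk) relied on the CP payload not yet having been parsed, for example an error return or log line that now fires with the address already set. The relocated block still carries the unresolved `??? this isn't really a failure, is it?` comment; since the block is being touched anyway, the commit message could state that the question is intentionally left open by this change.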
-- 
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

