| From 9d9042d6d95b0ecb292d77e7d8350fcd28e1aa27 Mon Sep 17 00:00:00 2001 |
| From: Martin Willi <martin@revosec.ch> |
| Date: Thu, 7 Mar 2013 09:50:43 +0100 |
| Subject: [PATCH] As Quick Mode initiator, select a subset of the proposed and |
| the returned TS |
| |
| Cisco 5505 firewalls don't return the port if we send a specific one, letting |
| the is_contained_in() checks fail. Using get_subset() selection builds the |
| Quick Mode correctly with the common subset of selectors. |
| |
| Based on an initial patch from Paul Stewart. |
| |
| [This change will be upstream in 5.0.3] |
| --- |
| src/libcharon/sa/ikev1/tasks/quick_mode.c | 15 +++++++++++---- |
| 1 file changed, 11 insertions(+), 4 deletions(-) |
| |
| diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c |
| index 16c4763..afdff8c 100644 |
| --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c |
| +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c |
| @@ -594,20 +594,27 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) |
| |
| if (this->initiator) |
| { |
| + traffic_selector_t *tsisub, *tsrsub; |
| + |
| /* check if peer selection is valid */ |
| - if (!tsr->is_contained_in(tsr, this->tsr) || |
| - !tsi->is_contained_in(tsi, this->tsi)) |
| + tsisub = this->tsi->get_subset(this->tsi, tsi); |
| + tsrsub = this->tsr->get_subset(this->tsr, tsr); |
| + if (!tsisub || !tsrsub) |
| { |
| DBG1(DBG_IKE, "peer selected invalid traffic selectors: " |
| "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr); |
| + DESTROY_IF(tsisub); |
| + DESTROY_IF(tsrsub); |
| tsi->destroy(tsi); |
| tsr->destroy(tsr); |
| return FALSE; |
| } |
| + tsi->destroy(tsi); |
| + tsr->destroy(tsr); |
| this->tsi->destroy(this->tsi); |
| this->tsr->destroy(this->tsr); |
| - this->tsi = tsi; |
| - this->tsr = tsr; |
| + this->tsi = tsisub; |
| + this->tsr = tsrsub; |
| } |
| else |
| { |
| -- |
| 1.7.10.4 |