ikev2: Compare initiator flag again, partially reverts 17ec1c74de

We should ignore messages that have the flag set incorrectly.
This restores RFC compliance which was broken since the mentioned commit.

diff --git a/src/libcharon/sa/ike_sa_id.c b/src/libcharon/sa/ike_sa_id.c
index 0f0f1ab637013916594571fd8ff06333a06c64fc..e52086483afea079e1afcc7239268c3813f68809 100644 (file)
--- a/src/libcharon/sa/ike_sa_id.c
+++ b/src/libcharon/sa/ike_sa_id.c
@@ -18,7 +18,7 @@
 #include "ike_sa_id.h"
 
 #include <stdio.h>
-
+#include <encoding/payloads/ike_header.h>
 
 typedef struct private_ike_sa_id_t private_ike_sa_id_t;
 
@@ -90,6 +90,8 @@ METHOD(ike_sa_id_t, equals, bool,
                return FALSE;
        }
        return this->ike_version == other->ike_version &&
+                  (this->ike_version == IKEV1_MAJOR_VERSION ||
+                       this->is_initiator_flag == other->is_initiator_flag) &&
                   this->initiator_spi == other->initiator_spi &&
                   this->responder_spi == other->responder_spi;
 }

diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 987260d0d9f9d2ebd921e6fca90afb8912aa82e9..3e6496da5d3556afb8af1033cd8f3a8164db56c5 100644 (file)
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -157,6 +157,8 @@ static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
        }
        if ((id->get_responder_spi(id) == 0 ||
                 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
+               (id->get_ike_version(id) == IKEV1_MAJOR_VERSION ||
+                id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id)) &&
                id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id))
        {
                /* this is TRUE for IKE_SAs that we initiated but have not yet received a response */