From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 23 Aug 2016 14:47:05 +0000 (+0200)
Subject: ikev1: Ignore the last two bytes of the Cisco Unity vendor ID
X-Git-Tag: 5.5.1dr2~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=17ecc104fb65b0190b0e5136362fd8c9bd4abf4e;p=thirdparty%2Fstrongswan.git

ikev1: Ignore the last two bytes of the Cisco Unity vendor ID

These seem to indicate the major and minor version of the protocol, like
e.g. for the DPD vendor ID.  Some implementations seem to send versions
other than 1.0 so we just ignore these for now when checking for known
vendor IDs.

Fixes #2088.
---

diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index f28b83e8af..dc86fc5041 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -102,6 +102,7 @@ static struct {
 	{ "DPD", EXT_DPD, TRUE, 16,
 	  "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00"},
 
+	/* CISCO-UNITY, similar to DPD the last two bytes indicate the version */
 	{ "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16,
 	  "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
 
@@ -190,6 +191,8 @@ static bool is_known_vid(chunk_t data, int i)
 			break;
 		case EXT_MS_WINDOWS:
 			return data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16);
+		case EXT_CISCO_UNITY:
+			return data.len == 16 && memeq(data.ptr, vendor_ids[i].id, 14);
 		default:
 			return chunk_equals(data, chunk_create(vendor_ids[i].id,
 												   vendor_ids[i].len));