[strongSwan-dev] [PATCH 2/3] ikev1: fix prefix length of vendor id Cisco Unity

Volker RĂ¼melin vr_strongswan at t-online.de
Mon Nov 1 14:49:16 CET 2021


Before commit 6c49ddfbca ("ike: Add additional Vendor IDs for
third-party implementations") the prefix length of vendor id
Cisco Unity was hardcoded to 14. Since we need to know the
length of this VID to send it, the length can't be overloaded
with a prefix length. Revert part of commit 6c49ddfbca to
fix this problem.
---
 src/libcharon/sa/ikev1/tasks/isakmp_vendor.c | 24 ++++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 863479fc0..17aeee0d3 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -105,7 +105,7 @@ static struct {
 	  "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00"},
 
 	/* CISCO-UNITY, similar to DPD the last two bytes indicate the version */
-	{ "Cisco Unity", EXT_CISCO_UNITY, FALSE, TRUE, 16,
+	{ "Cisco Unity", EXT_CISCO_UNITY, FALSE, FALSE, 16,
 	  "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
 
 	/* Proprietary IKE fragmentation extension. Capabilities are handled
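Review bot: With the fourth column of the Cisco Unity entry now FALSE, the table alone no longer explains how this VID is matched, because is_known_vid() special-cases EXT_CISCO_UNITY and compares only the first 14 bytes while the entry's length stays 16. I would extend the entry's comment: `/* CISCO-UNITY, similar to DPD the last two bytes indicate the version; is_known_vid() matches only the first 14 bytes, len stays 16 so the full VID is sent */`. That the flipped column is the `prefix` flag is inferred from the commit message and the later `vendor_ids[i].prefix` use rather than visible in this hunk, so the wording should be checked against the struct definition above it.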
@@ -240,18 +240,22 @@ static const uint32_t fragmentation_ike = 0x80000000;
 
 static bool is_known_vid(chunk_t data, int i)
 {
-	if (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION)
+	switch (vendor_ids[i].extension)
 	{
-		if (data.len >= 16 && memeq(data.ptr, vendor_ids[i].id, 16))
-		{
-			switch (data.len)
+		case EXT_IKE_FRAGMENTATION:
+			if (data.len >= 16 && memeq(data.ptr, vendor_ids[i].id, 16))
 			{
-				case 16:
-					return TRUE;
-				case 20:
-					return untoh32(&data.ptr[16]) & fragmentation_ike;
+				switch (data.len)
+				{
+					case 16:
+						return TRUE;
+					case 20:
+						return untoh32(&data.ptr[16]) & fragmentation_ike;
+				}
 			}
-		}
+			return FALSE;
+		case EXT_CISCO_UNITY:
+			return data.len == 16 && memeq(data.ptr, vendor_ids[i].id, 14);
 	}
 	if (vendor_ids[i].prefix)
 	{
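Review bot: The new `switch (vendor_ids[i].extension)` has no `default` label, so a reader has to notice that every other extension falls out of the switch into the generic `prefix` comparison below; an explicit `default: break;` before the switch's closing brace would state that intent and, if `extension` is an enum type, keep `-Wswitch` quiet. I would also put the reason for the 14 next to the new comparison, `/* last two bytes carry the version, so only the 14-byte prefix is matched */`, since that explanation currently lives only in the table comment at the top of the file. is_known_vid() continues past the end of the hunk.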
-- 
2.31.1


