ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH

author Tobias Brunner <tobias@strongswan.org>

Mon, 25 Jun 2018 10:23:50 +0000 (12:23 +0200)

committer Tobias Brunner <tobias@strongswan.org>

Wed, 29 Jun 2022 08:28:50 +0000 (10:28 +0200)
author Tobias Brunner <tobias@strongswan.org>
Mon, 25 Jun 2018 10:23:50 +0000 (12:23 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Wed, 29 Jun 2022 08:28:50 +0000 (10:28 +0200)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c

index 3c4be6e73eaa943e130d0cbc20f59d71e6239375..3f821842fc919421cd6878348cac5b251d86fcda 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -255,8 +255,10 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
  METHOD(task_t, build_i, status_t,
         private_ike_cert_post_t *this, message_t *message)
  {
-       build_certs(this, message);
-
+       if (message->get_exchange_type(message) == IKE_AUTH)
+       {
+               build_certs(this, message);
+       }
         return NEED_MORE;
  }
  
@@ -269,8 +271,10 @@ METHOD(task_t, process_r, status_t,
  METHOD(task_t, build_r, status_t,
         private_ike_cert_post_t *this, message_t *message)
  {
-       build_certs(this, message);
-
+       if (message->get_exchange_type(message) == IKE_AUTH)
+       {
+               build_certs(this, message);
+       }
         if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
         {       /* stay alive, we might have additional rounds with certs */
                 return NEED_MORE;
author	Tobias Brunner <tobias@strongswan.org>
	Mon, 25 Jun 2018 10:23:50 +0000 (12:23 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Wed, 29 Jun 2022 08:28:50 +0000 (10:28 +0200)