From: Tobias Brunner
Date: Mon, 25 Jun 2018 10:23:50 +0000 (+0200)
Subject: ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH
X-Git-Tag: 5.9.7dr2~1^2~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=09d4497536f8977c452a998642e5af1ece8cc5e4;p=thirdparty%2Fstrongswan.git

ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH

The AUTH payload check in build_certs() should be fine, but add some extra checks just to make really sure and also for clarification.
---
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
index 3c4be6e73e..3f821842fc 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -255,8 +255,10 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 METHOD(task_t, build_i, status_t,
 private_ike_cert_post_t *this, message_t *message)
 {
- build_certs(this, message);
-
+ if (message->get_exchange_type(message) == IKE_AUTH)
+ {
+ build_certs(this, message);
+ }
 return NEED_MORE;
 }
 
@@ -269,8 +271,10 @@ METHOD(task_t, process_r, status_t,
 METHOD(task_t, build_r, status_t,
 private_ike_cert_post_t *this, message_t *message)
 {
- build_certs(this, message);
-
+ if (message->get_exchange_type(message) == IKE_AUTH)
+ {
+ build_certs(this, message);
+ }
 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
 { /* stay alive, we might have additional rounds with certs */
 return NEED_MORE;
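Review bot: The exchange-type guard added in build_i, and repeated verbatim in build_r in the second hunk, has no comment, so the invariant it protects (CERT payloads go into IKE_AUTH messages only, presumably to keep identifying certificates out of every other exchange) is recorded only in the commit message. I would put a comment above each `if`, for example `/* defence in depth: build_certs() already requires an AUTH payload, but never add certificates outside IKE_AUTH */`. Because the same condition now appears twice, an alternative is a single early return at the top of build_certs(), `if (message->get_exchange_type(message) != IKE_AUTH) return;`, so any later caller inherits the restriction. The body of build_certs() lies outside both hunks, so whether that sits cleanly next to the existing AUTH payload check needs to be confirmed there.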