ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH
authorTobias Brunner <tobias@strongswan.org>
Mon, 25 Jun 2018 10:23:50 +0000 (12:23 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 14 May 2019 08:44:19 +0000 (10:44 +0200)
The AUTH payload check should be fine, but add some extra checks just to make
really sure and also for clarification.

src/libcharon/sa/ikev2/tasks/ike_cert_post.c

index 68af6e35bc2d9622ee533348cdd9924d91810c45..003cc72f3d5b2848dfec296cf33850a32abf2ccb 100644 (file)
@@ -241,8 +241,10 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 METHOD(task_t, build_i, status_t,
        private_ike_cert_post_t *this, message_t *message)
 {
-       build_certs(this, message);
-
+       if (message->get_exchange_type(message) == IKE_AUTH)
+       {
+               build_certs(this, message);
+       }
        return NEED_MORE;
 }
 
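Review bot: The exchange-type guard added in build_i is repeated verbatim in build_r in the next hunk, and neither copy carries a comment saying why it is there. Since build_certs returns void, a single early return at its top, `if (message->get_exchange_type(message) != IKE_AUTH) { return; }`, would cover both callers and any later one. The body of build_certs is outside this diff, so that placement should be checked against the AUTH payload check the commit message refers to. Wherever the guard lives, a comment such as `/* certificates are only ever added to IKE_AUTH messages; kept in addition to the AUTH payload check */` would keep it from being removed later as redundant.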
@@ -255,8 +257,10 @@ METHOD(task_t, process_r, status_t,
 METHOD(task_t, build_r, status_t,
        private_ike_cert_post_t *this, message_t *message)
 {
-       build_certs(this, message);
-
+       if (message->get_exchange_type(message) == IKE_AUTH)
+       {
+               build_certs(this, message);
+       }
        if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
        {       /* stay alive, we might have additional rounds with certs */
                return NEED_MORE;