ike-cert-pre: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
authorTobias Brunner <tobias@strongswan.org>
Mon, 25 Jun 2018 10:07:50 +0000 (12:07 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 14 May 2019 08:44:18 +0000 (10:44 +0200)
If that's the case, the first IKE_AUTH does not have message ID (MID) 1, so the task can no longer rely on the MID to identify it.

src/libcharon/sa/ikev2/tasks/ike_cert_pre.c

index 284e59bb15b4a5358f5b9bda81066a32db9bfd45..8960901d4fd5141380e948b1cca407a6b3b07de7 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -49,11 +49,6 @@ struct private_ike_cert_pre_t {
         * Do we accept HTTP certificate lookup requests
         */
        bool do_http_lookup;
-
-       /**
-        * whether this is the final authentication round
-        */
-       bool final;
 };
 
 /**
@@ -468,24 +463,17 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
  */
 static bool final_auth(message_t *message)
 {
-       /* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
-       if (message->get_payload(message, PLV2_AUTH) == NULL)
-       {
-               return FALSE;
-       }
-       if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS))
-       {
-               return FALSE;
-       }
-       return TRUE;
+       return message->get_payload(message, PLV2_AUTH) != NULL &&
+                  !message->get_notify(message, ANOTHER_AUTH_FOLLOWS);
 }
 
 METHOD(task_t, build_i, status_t,
        private_ike_cert_pre_t *this, message_t *message)
 {
-       if (message->get_message_id(message) == 1)
+       if (message->get_exchange_type(message) == IKE_AUTH)
        {       /* initiator sends CERTREQs in first IKE_AUTH */
                build_certreqs(this, message);
+               this->public.task.build = (void*)return_need_more;
        }
        return NEED_MORE;
 }
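Review bot: The assignment `this->public.task.build = (void*)return_need_more;` at the end of the `IKE_AUTH` branch in `build_i` is what now enforces "first IKE_AUTH only", but the comment above it still reads as if the exchange-type check alone did that, so a later maintainer could drop the assignment without noticing that CERTREQs would then go out in every IKE_AUTH. I'd extend the comment to `/* initiator sends CERTREQs in the first IKE_AUTH only; with IKE_AUX in between that's not MID 1 anymore, so disable build() after this one */`. The `(void*)` cast of a function pointer is an existing strongSwan idiom, but `return_need_more` itself is not visible in this hunk, so I'm assuming it is the file-local helper with the `task_t.build` signature.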
@@ -493,12 +481,15 @@ METHOD(task_t, build_i, status_t,
 METHOD(task_t, process_r, status_t,
        private_ike_cert_pre_t *this, message_t *message)
 {
-       if (message->get_exchange_type(message) != IKE_SA_INIT)
+       if (message->get_exchange_type(message) == IKE_AUTH)
        {       /* handle certreqs/certs in any IKE_AUTH, just in case */
                process_certreqs(this, message);
                process_certs(this, message);
+               if (final_auth(message))
+               {
+                       return SUCCESS;
+               }
        }
-       this->final = final_auth(message);
        return NEED_MORE;
 }
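Review bot: Returning SUCCESS from `process_r` on the final IKE_AUTH presumably makes the task manager drop the task before `build_r` is invoked for that response, whereas previously `build_r` still ran and returned SUCCESS after doing its own work; that is harmless only because the responder's CERTREQs are emitted with the IKE_SA_INIT response, and the condition guarding `build_certreqs` in `build_r` lies outside this hunk, so I can't confirm it here. A one-line comment above the `return SUCCESS;` would pin that assumption: `/* task is removed before build_r(); fine, our CERTREQs went out in IKE_SA_INIT */`.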
 
@@ -509,25 +500,26 @@ METHOD(task_t, build_r, status_t,
        {
                build_certreqs(this, message);
        }
-       if (this->final)
-       {
-               return SUCCESS;
-       }
        return NEED_MORE;
 }
 
 METHOD(task_t, process_i, status_t,
        private_ike_cert_pre_t *this, message_t *message)
 {
-       if (message->get_exchange_type(message) == IKE_SA_INIT)
-       {
-               process_certreqs(this, message);
-       }
-       process_certs(this, message);
-
-       if (final_auth(message))
+       switch (message->get_exchange_type(message))
        {
-               return SUCCESS;
+               case IKE_SA_INIT:
+                       process_certreqs(this, message);
+                       break;
+               case IKE_AUTH:
+                       process_certs(this, message);
+                       if (final_auth(message))
+                       {
+                               return SUCCESS;
+                       }
+                       break;
+               default:
+                       break;
        }
        return NEED_MORE;
 }
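Review bot: The `default: break;` branch in `process_i` is what makes the task ignore responses of any exchange other than IKE_SA_INIT and IKE_AUTH, which is the point of the commit (an intermediate exchange must neither end the task nor be scanned for CERT payloads, as the old unconditional `process_certs()` did), but nothing in the code says so. A comment on the branch, `/* other exchanges (e.g. IKE_AUX between init and auth) carry nothing for this task */`, would keep someone from "restoring" the unconditional call. The hunk also contains the tail of `build_r`, whose signature and the condition around `build_certreqs` start before the hunk.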