ike-cert-pre: Support exchange between IKE_SA_INIT and IKE_AUTH
authorTobias Brunner <tobias@strongswan.org>
Mon, 25 Jun 2018 10:07:50 +0000 (12:07 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 29 Jun 2022 08:28:50 +0000 (10:28 +0200)
If such an exchange occurs, the first IKE_AUTH message no longer has message ID 1, so the check cannot rely on the MID.

src/libcharon/sa/ikev2/tasks/ike_cert_pre.c

index 9fb0bcf90b756bdb4fb0408ac4158824575d0385..96d4477bbad64f4f95a36e2899dfb4283c0aa59a 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
  *
  * Copyright (C) secunet Security Networks AG
@@ -50,11 +50,6 @@ struct private_ike_cert_pre_t {
         * Do we accept HTTP certificate lookup requests
         */
        bool do_http_lookup;
-
-       /**
-        * whether this is the final authentication round
-        */
-       bool final;
 };
 
 /**
@@ -469,24 +464,17 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
  */
 static bool final_auth(message_t *message)
 {
-       /* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
-       if (message->get_payload(message, PLV2_AUTH) == NULL)
-       {
-               return FALSE;
-       }
-       if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS))
-       {
-               return FALSE;
-       }
-       return TRUE;
+       return message->get_payload(message, PLV2_AUTH) != NULL &&
+                  !message->get_notify(message, ANOTHER_AUTH_FOLLOWS);
 }
 
 METHOD(task_t, build_i, status_t,
        private_ike_cert_pre_t *this, message_t *message)
 {
-       if (message->get_message_id(message) == 1)
-       {       /* initiator sends CERTREQs in first IKE_AUTH */
+       if (message->get_exchange_type(message) == IKE_AUTH)
+       {       /* initiator sends CERTREQs in first IKE_AUTH only */
                build_certreqs(this, message);
+               this->public.task.build = (void*)return_need_more;
        }
        return NEED_MORE;
 }
@@ -494,12 +482,15 @@ METHOD(task_t, build_i, status_t,
 METHOD(task_t, process_r, status_t,
        private_ike_cert_pre_t *this, message_t *message)
 {
-       if (message->get_exchange_type(message) != IKE_SA_INIT)
+       if (message->get_exchange_type(message) == IKE_AUTH)
        {       /* handle certreqs/certs in any IKE_AUTH, just in case */
                process_certreqs(this, message);
                process_certs(this, message);
+               if (final_auth(message))
+               {
+                       return SUCCESS;
+               }
        }
-       this->final = final_auth(message);
        return NEED_MORE;
 }
 
@@ -510,25 +501,26 @@ METHOD(task_t, build_r, status_t,
        {
                build_certreqs(this, message);
        }
-       if (this->final)
-       {
-               return SUCCESS;
-       }
        return NEED_MORE;
 }
 
 METHOD(task_t, process_i, status_t,
        private_ike_cert_pre_t *this, message_t *message)
 {
-       if (message->get_exchange_type(message) == IKE_SA_INIT)
-       {
-               process_certreqs(this, message);
-       }
-       process_certs(this, message);
-
-       if (final_auth(message))
+       switch (message->get_exchange_type(message))
        {
-               return SUCCESS;
+               case IKE_SA_INIT:
+                       process_certreqs(this, message);
+                       break;
+               case IKE_AUTH:
+                       process_certs(this, message);
+                       if (final_auth(message))
+                       {
+                               return SUCCESS;
+                       }
+                       break;
+               default:
+                       break;
        }
        return NEED_MORE;
 }
@@ -543,6 +535,7 @@ METHOD(task_t, migrate, void,
        private_ike_cert_pre_t *this, ike_sa_t *ike_sa)
 {
        this->ike_sa = ike_sa;
+       this->public.task.build = _build_i;
 }
 
 METHOD(task_t, destroy, void,
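Review bot: migrate() installs `_build_i` unconditionally, so if a responder-side instance of this task can ever be migrated (not determinable from this hunk), the responder's build callback would be replaced by the initiator one and CERTREQs would be sent in an IKE_AUTH response instead of IKE_SA_INIT. If the private struct carries an initiator flag, guard the reset: `if (this->initiator) { this->public.task.build = _build_i; }`. A one-line comment such as `/* restore build_i, it is replaced once the CERTREQs were sent */` would also help, as the reason for the reset lives in build_i rather than here.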