From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 25 Jun 2018 12:27:16 +0000 (+0200)
Subject: ike-auth: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f9e8eae6af0afff48f3db183858a0dd3bea9a91;p=thirdparty%2Fstrongswan.git

ike-auth: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
---

diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index b055ff064a..be553dfb12 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -130,6 +130,11 @@ struct private_ike_auth_t {
 	 */
 	bool eap_acceptable;
 
+	/**
+	 * Whether we already handled the first IKE_AUTH message
+	 */
+	bool first_auth;
+
 	/**
 	 * Gateway ID if redirected
 	 */
@@ -585,10 +590,20 @@ METHOD(task_t, build_i, status_t,
 	private_ike_auth_t *this, message_t *message)
 {
 	auth_cfg_t *cfg;
+	bool first_auth = FALSE;
 
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	switch (message->get_exchange_type(message))
 	{
-		return collect_my_init_data(this, message);
+		case IKE_SA_INIT:
+			return collect_my_init_data(this, message);
+		case IKE_AUTH:
+			if (!this->first_auth)
+			{	/* some special handling for the first IKE_AUTH message below */
+				first_auth = this->first_auth = TRUE;
+			}
+			break;
+		default:
+			return NEED_MORE;
 	}
 
 	if (!this->peer_cfg)
@@ -597,7 +612,7 @@ METHOD(task_t, build_i, status_t,
 		this->peer_cfg->get_ref(this->peer_cfg);
 	}
 
-	if (message->get_message_id(message) == 1)
+	if (first_auth)
 	{	/* in the first IKE_AUTH ... */
 		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
 		{	/* indicate support for multiple authentication */
@@ -665,8 +680,7 @@ METHOD(task_t, build_i, status_t,
 		get_reserved_id_bytes(this, id_payload);
 		message->add_payload(message, (payload_t*)id_payload);
 
-		if (idr && !idr->contains_wildcards(idr) &&
-			message->get_message_id(message) == 1 &&
+		if (idr && !idr->contains_wildcards(idr) && first_auth &&
 			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
 		{
 			host_t *host;
@@ -741,9 +755,14 @@ METHOD(task_t, process_r, status_t,
 	id_payload_t *id_payload;
 	identification_t *id;
 
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	switch (message->get_exchange_type(message))
 	{
-		return collect_other_init_data(this, message);
+		case IKE_SA_INIT:
+			return collect_other_init_data(this, message);
+		case IKE_AUTH:
+			break;
+		default:
+			return NEED_MORE;
 	}
 
 	if (!this->my_auth && this->do_another_auth)
@@ -766,7 +785,7 @@ METHOD(task_t, process_r, status_t,
 		return NEED_MORE;
 	}
 
-	if (message->get_message_id(message) == 1)
+	if (!this->first_auth)
 	{	/* check for extensions in the first IKE_AUTH */
 		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
 		{
@@ -781,6 +800,7 @@ METHOD(task_t, process_r, status_t,
 		{
 			this->initial_contact = TRUE;
 		}
+		this->first_auth = TRUE;
 	}
 
 	if (!this->other_auth)
@@ -947,14 +967,19 @@ METHOD(task_t, build_r, status_t,
 	identification_t *gateway;
 	auth_cfg_t *cfg;
 
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	switch (message->get_exchange_type(message))
 	{
-		if (multiple_auth_enabled())
-		{
-			message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
-								chunk_empty);
-		}
-		return collect_my_init_data(this, message);
+		case IKE_SA_INIT:
+			if (multiple_auth_enabled())
+			{
+				message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+									chunk_empty);
+			}
+			return collect_my_init_data(this, message);
+		case IKE_AUTH:
+			break;
+		default:
+			return NEED_MORE;
 	}
 
 	if (this->authentication_failed || !this->peer_cfg)
@@ -1212,14 +1237,19 @@ METHOD(task_t, process_i, status_t,
 	auth_cfg_t *cfg;
 	bool mutual_eap = FALSE, ppk_id_received = FALSE;
 
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	switch (message->get_exchange_type(message))
 	{
-		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
-			multiple_auth_enabled())
-		{
-			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
-		}
-		return collect_other_init_data(this, message);
+		case IKE_SA_INIT:
+			if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
+				multiple_auth_enabled())
+			{
+				this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+			}
+			return collect_other_init_data(this, message);
+		case IKE_AUTH:
+			break;
+		default:
+			return NEED_MORE;
 	}
 
 	enumerator = message->create_payload_enumerator(message);
@@ -1501,6 +1531,7 @@ METHOD(task_t, migrate, void,
 	this->expect_another_auth = TRUE;
 	this->authentication_failed = FALSE;
 	this->candidates = linked_list_create();
+	this->first_auth = FALSE;
 }
 
 METHOD(task_t, destroy, void,