From: Tobias Brunner Date: Mon, 19 Jul 2021 14:36:16 +0000 (+0200) Subject: ike-auth: Move packet collection to post_build() method X-Git-Tag: 5.9.7dr2~1^2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e334bd46b184;p=thirdparty%2Fstrongswan.git ike-auth: Move packet collection to post_build() method This way we avoid having to pre-generate the message when it could theoretically still get modified by a task that follows or from a plugin via message() hook. --- diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index e6256b1266..ec887b9c76 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2018 Tobias Brunner + * Copyright (C) 2012-2019 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * @@ -159,20 +159,15 @@ static status_t collect_my_init_data(private_ike_auth_t *this, { nonce_payload_t *nonce; - /* get the nonce that was generated in ike_init */ + /* get the nonce that was generated in ike_init and a copy of the complete + * packet */ nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE); - if (!nonce) + if (!nonce || !message->is_encoded(message)) { return FAILED; } this->my_nonce = nonce->get_nonce(nonce); - - /* pre-generate the message, keep a copy */ - if (this->ike_sa->generate_message(this->ike_sa, message, - &this->my_packet) != SUCCESS) - { - return FAILED; - } + this->my_packet = message->get_packet(message); return NEED_MORE; } @@ -597,8 +592,6 @@ METHOD(task_t, build_i, status_t, switch (message->get_exchange_type(message)) { - case IKE_SA_INIT: - return collect_my_init_data(this, message); case IKE_AUTH: if (!this->first_auth) { /* some special handling for the first IKE_AUTH message below */ @@ -751,6 +744,18 @@ METHOD(task_t, build_i, status_t, return NEED_MORE; } +METHOD(task_t, post_build_i, status_t, + private_ike_auth_t *this, message_t *message) +{ + switch (message->get_exchange_type(message)) + { + case IKE_SA_INIT: + return collect_my_init_data(this, message); + default: + return NEED_MORE; + } +} + METHOD(task_t, process_r, status_t, private_ike_auth_t *this, message_t *message) { @@ -978,7 +983,7 @@ METHOD(task_t, build_r, status_t, message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED, chunk_empty); } - return collect_my_init_data(this, message); + return NEED_MORE; case IKE_AUTH: break; default: @@ -1184,6 +1189,18 @@ local_auth_failed: return FAILED; } +METHOD(task_t, post_build_r, status_t, + private_ike_auth_t *this, message_t *message) +{ + switch (message->get_exchange_type(message)) + { + case IKE_SA_INIT: + return collect_my_init_data(this, message); + default: + return NEED_MORE; + } +} + /** * Send an INFORMATIONAL message with an AUTH_FAILED before closing IKE_SA */ @@ -1576,6 +1593,7 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) .get_type = _get_type, .migrate = _migrate, .build = _build_r, + .post_build = _post_build_r, .process = _process_r, .destroy = _destroy, }, @@ -1589,6 +1607,7 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) if (initiator) { this->public.task.build = _build_i; + this->public.task.post_build = _post_build_i; this->public.task.process = _process_i; } return &this->public;