From: Tobias Brunner
Date: Mon, 25 Jun 2018 10:07:50 +0000 (+0200)
Subject: ike-cert-pre: Support exchange between IKE_SA_INIT and IKE_AUTH
X-Git-Tag: 5.9.7dr2~1^2~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2e79bf3349ad0baab451056e3ebc54361de184c;p=thirdparty%2Fstrongswan.git

ike-cert-pre: Support exchange between IKE_SA_INIT and IKE_AUTH

The first IKE_AUTH does not have MID 1 if that's the case.
---
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index 9fb0bcf90b..96d4477bba 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
 * Copyright (C) 2006-2009 Martin Willi
 *
 * Copyright (C) secunet Security Networks AG
@@ -50,11 +50,6 @@ struct private_ike_cert_pre_t {
 * Do we accept HTTP certificate lookup requests
 */
 bool do_http_lookup;
-
- /**
- * whether this is the final authentication round
- */
- bool final;
 };
 
 /**
@@ -469,24 +464,17 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 */
 static bool final_auth(message_t *message)
 {
- /* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
- if (message->get_payload(message, PLV2_AUTH) == NULL)
- {
- return FALSE;
- }
- if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS))
- {
- return FALSE;
- }
- return TRUE;
+ return message->get_payload(message, PLV2_AUTH) != NULL &&
+ !message->get_notify(message, ANOTHER_AUTH_FOLLOWS);
 }
 
 METHOD(task_t, build_i, status_t,
 private_ike_cert_pre_t *this, message_t *message)
 {
- if (message->get_message_id(message) == 1)
- { /* initiator sends CERTREQs in first IKE_AUTH */
+ if (message->get_exchange_type(message) == IKE_AUTH)
+ { /* initiator sends CERTREQs in first IKE_AUTH only */
 build_certreqs(this, message);
+ this->public.task.build = (void*)return_need_more;
 }
 return NEED_MORE;
 }
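Review bot: The one-shot behaviour of build_i now lives entirely in the method-pointer swap `this->public.task.build = (void*)return_need_more;`, but the comment on the `if` still only says CERTREQs go in the first IKE_AUTH, so a reader has to find migrate() to learn how the pointer is restored. Suggest widening it to `/* initiator sends CERTREQs in first IKE_AUTH only: build() is replaced afterwards and migrate() restores it */`. The `(void*)` conversion between a function pointer and an object pointer is not portable C; it appears to follow the project's existing return_need_more idiom, but if the build member's type allows it, assigning without the cast would be cleaner.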
@@ -494,12 +482,15 @@ METHOD(task_t, build_i, status_t,
 METHOD(task_t, process_r, status_t,
 private_ike_cert_pre_t *this, message_t *message)
 {
- if (message->get_exchange_type(message) != IKE_SA_INIT)
+ if (message->get_exchange_type(message) == IKE_AUTH)
 { /* handle certreqs/certs in any IKE_AUTH, just in case */
 process_certreqs(this, message);
 process_certs(this, message);
+ if (final_auth(message))
+ {
+ return SUCCESS;
+ }
 }
- this->final = final_auth(message);
 return NEED_MORE;
 }
 
@@ -510,25 +501,26 @@ METHOD(task_t, build_r, status_t,
 {
 build_certreqs(this, message);
 }
- if (this->final)
- {
- return SUCCESS;
- }
 return NEED_MORE;
 }
 
 METHOD(task_t, process_i, status_t,
 private_ike_cert_pre_t *this, message_t *message)
 {
- if (message->get_exchange_type(message) == IKE_SA_INIT)
- {
- process_certreqs(this, message);
- }
- process_certs(this, message);
-
- if (final_auth(message))
+ switch (message->get_exchange_type(message))
 {
- return SUCCESS;
+ case IKE_SA_INIT:
+ process_certreqs(this, message);
+ break;
+ case IKE_AUTH:
+ process_certs(this, message);
+ if (final_auth(message))
+ {
+ return SUCCESS;
+ }
+ break;
+ default:
+ break;
 }
 return NEED_MORE;
 }
@@ -543,6 +535,7 @@ METHOD(task_t, migrate, void,
 private_ike_cert_pre_t *this, ike_sa_t *ike_sa)
 {
 this->ike_sa = ike_sa;
+ this->public.task.build = _build_i;
 }
 
 METHOD(task_t, destroy, void,
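Review bot: Returning SUCCESS from process_r on the final IKE_AUTH request ends the task before build_r runs for that response, whereas the old code ran build_r first (its build_certreqs() call sits behind a guard that is outside the hunk) and only then returned SUCCESS via this->final. If that guard can hold for an IKE_AUTH response, CERTREQs silently disappear from the final response; if it is IKE_SA_INIT-only, a comment should say why finishing early is safe, e.g. `/* done after the final IKE_AUTH request; build_r is not needed for its response */`. Whether the task manager still invokes build_r after a SUCCESS from process_r is not visible here.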
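Review bot: process_certs() is now only called for IKE_AUTH responses, while the removed code called it for every exchange, including IKE_SA_INIT and the intermediate exchanges this commit is about. Not consuming CERT payloads from the unprotected IKE_SA_INIT response is arguably the better behaviour, but neither the commit message nor the switch says the narrowing is intentional; a comment on the IKE_AUTH case such as `/* CERT payloads are only expected in protected IKE_AUTH responses */` would record it. Whether the intermediate exchanges could legitimately carry CERT payloads for the initiator to process is not visible here.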
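Review bot: migrate() resets build unconditionally to `_build_i`, which assumes a migrated task is always an initiator task; a responder task, whose build method is build_r as the hunk above shows, would have it replaced. Whether the task manager only migrates initiator-side tasks is not visible here, so at minimum record the assumption next to the assignment: `/* restore build_i() replaced after the first IKE_AUTH; tasks are only migrated on the initiator side */`. If that is not guaranteed, only reset the pointer when it currently points at return_need_more.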