ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH
authorTobias Brunner <tobias@strongswan.org>
Mon, 25 Jun 2018 10:23:50 +0000 (12:23 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 29 Mar 2020 11:47:22 +0000 (13:47 +0200)
The AUTH payload check should already be sufficient, but add some extra checks to make
really sure and to make the intent explicit.

src/libcharon/sa/ikev2/tasks/ike_cert_post.c

index c5164476af821d4399f70121bdbb6ca529465ae7..f1a455aa0647c8bd011efa09468abbfec56c517f 100644 (file)
@@ -254,8 +254,10 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 METHOD(task_t, build_i, status_t,
        private_ike_cert_post_t *this, message_t *message)
 {
-       build_certs(this, message);
-
+       if (message->get_exchange_type(message) == IKE_AUTH)
+       {
+               build_certs(this, message);
+       }
        return NEED_MORE;
 }
 
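Review bot: The new `if (message->get_exchange_type(message) == IKE_AUTH)` guard in build_i() carries no comment, so a later reader cannot tell whether silently skipping build_certs() for every other exchange type is a deliberate belt-and-braces check or a functional requirement; the commit message says it is the former. I would put a short why-comment above the condition, e.g. `/* CERT payloads belong in IKE_AUTH only; defensive check on top of the AUTH payload check */`, so nobody later "fixes" it by removing the guard. Note that build_i() still returns NEED_MORE whether or not certificates were added, which is unchanged behaviour but worth a word in that same comment if it is intentional. build_i() is fully contained in this hunk.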
@@ -268,8 +270,10 @@ METHOD(task_t, process_r, status_t,
 METHOD(task_t, build_r, status_t,
        private_ike_cert_post_t *this, message_t *message)
 {
-       build_certs(this, message);
-
+       if (message->get_exchange_type(message) == IKE_AUTH)
+       {
+               build_certs(this, message);
+       }
        if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
        {       /* stay alive, we might have additional rounds with certs */
                return NEED_MORE;