From: Tobias Brunner Date: Mon, 25 Jun 2018 10:07:50 +0000 (+0200) Subject: ike-cert-pre: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=8c54002cc75ab36c0e776c48022cdf28ca3e30de;p=thirdparty%2Fstrongswan.git ike-cert-pre: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH The first IKE_AUTH does not have MID 1 if that's the case. --- diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c index 284e59bb15..8960901d4f 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2006-2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -49,11 +49,6 @@ struct private_ike_cert_pre_t { * Do we accept HTTP certificate lookup requests */ bool do_http_lookup; - - /** - * whether this is the final authentication round - */ - bool final; }; /** @@ -468,24 +463,17 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message) */ static bool final_auth(message_t *message) { - /* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */ - if (message->get_payload(message, PLV2_AUTH) == NULL) - { - return FALSE; - } - if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS)) - { - return FALSE; - } - return TRUE; + return message->get_payload(message, PLV2_AUTH) != NULL && + !message->get_notify(message, ANOTHER_AUTH_FOLLOWS); } METHOD(task_t, build_i, status_t, private_ike_cert_pre_t *this, message_t *message) { - if (message->get_message_id(message) == 1) + if (message->get_exchange_type(message) == IKE_AUTH) { /* initiator sends CERTREQs in first IKE_AUTH */ build_certreqs(this, message); + this->public.task.build = (void*)return_need_more; } return NEED_MORE; } @@ -493,12 +481,15 @@ METHOD(task_t, build_i, status_t, METHOD(task_t, process_r, status_t, private_ike_cert_pre_t *this, message_t *message) { - if (message->get_exchange_type(message) != IKE_SA_INIT) + if (message->get_exchange_type(message) == IKE_AUTH) { /* handle certreqs/certs in any IKE_AUTH, just in case */ process_certreqs(this, message); process_certs(this, message); + if (final_auth(message)) + { + return SUCCESS; + } } - this->final = final_auth(message); return NEED_MORE; } @@ -509,25 +500,26 @@ METHOD(task_t, build_r, status_t, { build_certreqs(this, message); } - if (this->final) - { - return SUCCESS; - } return NEED_MORE; } METHOD(task_t, process_i, status_t, private_ike_cert_pre_t *this, message_t *message) { - if (message->get_exchange_type(message) == IKE_SA_INIT) - { - process_certreqs(this, message); - } - process_certs(this, message); - - if (final_auth(message)) + switch (message->get_exchange_type(message)) { - return SUCCESS; + case IKE_SA_INIT: + process_certreqs(this, message); + break; + case IKE_AUTH: + process_certs(this, message); + if (final_auth(message)) + { + return SUCCESS; + } + break; + default: + break; } return NEED_MORE; }