From f59cbe0f44f508f8d6470f91445f962fe2e5201e Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 25 Jun 2018 14:27:16 +0200
Subject: [PATCH] ike-auth: Support IKE_INTERMEDIATE exchange between
 IKE_SA_INIT and IKE_AUTH

---
 src/libcharon/sa/ikev2/tasks/ike_auth.c | 75 +++++++++++++++++--------
 1 file changed, 53 insertions(+), 22 deletions(-)

diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 6448d8baa9..faa320c7d9 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -130,6 +130,11 @@ struct private_ike_auth_t {
 	 */
 	bool eap_acceptable;
 
+	/**
+	 * Whether we already handled the first IKE_AUTH message
+	 */
+	bool first_auth;
+
 	/**
 	 * Gateway ID if redirected
 	 */
@@ -587,10 +592,20 @@ METHOD(task_t, build_i, status_t,
 	private_ike_auth_t *this, message_t *message)
 {
 	auth_cfg_t *cfg;
+	bool first_auth = FALSE;
 
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	switch (message->get_exchange_type(message))
 	{
-		return collect_my_init_data(this, message);
+		case IKE_SA_INIT:
+			return collect_my_init_data(this, message);
+		case IKE_AUTH:
+			if (!this->first_auth)
+			{	/* some special handling for the first IKE_AUTH message below */
+				first_auth = this->first_auth = TRUE;
+			}
+			break;
+		default:
+			return NEED_MORE;
 	}
 
 	if (!this->peer_cfg)
@@ -599,7 +614,7 @@ METHOD(task_t, build_i, status_t,
 		this->peer_cfg->get_ref(this->peer_cfg);
 	}
 
-	if (message->get_message_id(message) == 1)
+	if (first_auth)
 	{	/* in the first IKE_AUTH ... */
 		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
 		{	/* indicate support for multiple authentication */
@@ -667,8 +682,7 @@ METHOD(task_t, build_i, status_t,
 		get_reserved_id_bytes(this, id_payload);
 		message->add_payload(message, (payload_t*)id_payload);
 
-		if (idr && !idr->contains_wildcards(idr) &&
-			message->get_message_id(message) == 1 &&
+		if (idr && !idr->contains_wildcards(idr) && first_auth &&
 			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
 		{
 			host_t *host;
@@ -743,9 +757,14 @@ METHOD(task_t, process_r, status_t,
 	id_payload_t *id_payload;
 	identification_t *id;
 
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	switch (message->get_exchange_type(message))
 	{
-		return collect_other_init_data(this, message);
+		case IKE_SA_INIT:
+			return collect_other_init_data(this, message);
+		case IKE_AUTH:
+			break;
+		default:
+			return NEED_MORE;
 	}
 
 	if (!this->my_auth && this->do_another_auth)
@@ -768,7 +787,7 @@ METHOD(task_t, process_r, status_t,
 		return NEED_MORE;
 	}
 
-	if (message->get_message_id(message) == 1)
+	if (!this->first_auth)
 	{	/* check for extensions in the first IKE_AUTH */
 		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
 		{
@@ -783,6 +802,7 @@ METHOD(task_t, process_r, status_t,
 		{
 			this->initial_contact = TRUE;
 		}
+		this->first_auth = TRUE;
 	}
 
 	if (!this->other_auth)
@@ -949,14 +969,19 @@ METHOD(task_t, build_r, status_t,
 	identification_t *gateway;
 	auth_cfg_t *cfg;
 
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	switch (message->get_exchange_type(message))
 	{
-		if (multiple_auth_enabled())
-		{
-			message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
-								chunk_empty);
-		}
-		return collect_my_init_data(this, message);
+		case IKE_SA_INIT:
+			if (multiple_auth_enabled())
+			{
+				message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+									chunk_empty);
+			}
+			return collect_my_init_data(this, message);
+		case IKE_AUTH:
+			break;
+		default:
+			return NEED_MORE;
 	}
 
 	if (this->authentication_failed || !this->peer_cfg)
@@ -1214,14 +1239,19 @@ METHOD(task_t, process_i, status_t,
 	auth_cfg_t *cfg;
 	bool mutual_eap = FALSE, ppk_id_received = FALSE;
 
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	switch (message->get_exchange_type(message))
 	{
-		if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
-			multiple_auth_enabled())
-		{
-			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
-		}
-		return collect_other_init_data(this, message);
+		case IKE_SA_INIT:
+			if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
+				multiple_auth_enabled())
+			{
+				this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+			}
+			return collect_other_init_data(this, message);
+		case IKE_AUTH:
+			break;
+		default:
+			return NEED_MORE;
 	}
 
 	enumerator = message->create_payload_enumerator(message);
@@ -1503,6 +1533,7 @@ METHOD(task_t, migrate, void,
 	this->expect_another_auth = TRUE;
 	this->authentication_failed = FALSE;
 	this->candidates = linked_list_create();
+	this->first_auth = FALSE;
 }
 
 METHOD(task_t, destroy, void,
-- 
2.47.2