sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-06 00:00:47 -04:00
Code Issues Projects Releases Wiki Activity

ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH

Browse Source 
The AUTH payload check should be fine, but add some extra checks just to make
really sure and also for clarification.
This commit is contained in:
Tobias Brunner 2018-06-25 12:23:50 +02:00 committed by Andreas Steffen
parent 8372508d32
commit 7030cc7b7f
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/libcharon/sa/ikev2/tasks/ike_cert_post.c
View File

@ -253,9 +253,11 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
METHOD(task_t, build_i, status_t, METHOD(task_t, build_i, status_t,
private_ike_cert_post_t *this, message_t *message) private_ike_cert_post_t *this, message_t *message)
{
if (message->get_exchange_type(message) == IKE_AUTH)
{ {
build_certs(this, message); build_certs(this, message);
}
return NEED_MORE; return NEED_MORE;
} }
@ -267,9 +269,11 @@ METHOD(task_t, process_r, status_t,
METHOD(task_t, build_r, status_t, METHOD(task_t, build_r, status_t,
private_ike_cert_post_t *this, message_t *message) private_ike_cert_post_t *this, message_t *message)
{
if (message->get_exchange_type(message) == IKE_AUTH)
{ {
build_certs(this, message); build_certs(this, message);
}
if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED) if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
{ /* stay alive, we might have additional rounds with certs */ { /* stay alive, we might have additional rounds with certs */
return NEED_MORE; return NEED_MORE;