ike-auth: Move packet collection to post_build() method

This way we avoid having to pre-generate the message when it could theoretically still get modified by a task that follows or from a plugin via message() hook.
2025-10-04 00:00:14 -04:00 · 2021-07-19 16:36:16 +02:00 · 2021-07-19 16:36:16 +02:00 · e334bd46b1
commit e334bd46b1
parent 44629bbadb
1 changed files with 32 additions and 13 deletions
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2018 Tobias Brunner
+ * Copyright (C) 2012-2019 Tobias Brunner
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 *
@ -159,20 +159,15 @@ static status_t collect_my_init_data(private_ike_auth_t *this,
 {
 	nonce_payload_t *nonce;

-	/* get the nonce that was generated in ike_init */
+	/* get the nonce that was generated in ike_init and a copy of the complete
+	 * packet */
 	nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
-	if (!nonce)
+	if (!nonce || !message->is_encoded(message))
 	{
 		return FAILED;
 	}
 	this->my_nonce = nonce->get_nonce(nonce);
-
-	/* pre-generate the message, keep a copy */
-	if (this->ike_sa->generate_message(this->ike_sa, message,
-									   &this->my_packet) != SUCCESS)
-	{
-		return FAILED;
-	}
+	this->my_packet = message->get_packet(message);
 	return NEED_MORE;
 }

@ -597,8 +592,6 @@ METHOD(task_t, build_i, status_t,

 	switch (message->get_exchange_type(message))
 	{
-		case IKE_SA_INIT:
-			return collect_my_init_data(this, message);
 		case IKE_AUTH:
 			if (!this->first_auth)
 			{	/* some special handling for the first IKE_AUTH message below */
@ -751,6 +744,18 @@ METHOD(task_t, build_i, status_t,
 	return NEED_MORE;
 }

+METHOD(task_t, post_build_i, status_t,
+	private_ike_auth_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return collect_my_init_data(this, message);
+		default:
+			return NEED_MORE;
+	}
+}
+
 METHOD(task_t, process_r, status_t,
 	private_ike_auth_t *this, message_t *message)
 {
@ -978,7 +983,7 @@ METHOD(task_t, build_r, status_t,
 				message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
 									chunk_empty);
 			}
-			return collect_my_init_data(this, message);
+			return NEED_MORE;
 		case IKE_AUTH:
 			break;
 		default:
@ -1184,6 +1189,18 @@ local_auth_failed:
 	return FAILED;
 }

+METHOD(task_t, post_build_r, status_t,
+	private_ike_auth_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return collect_my_init_data(this, message);
+		default:
+			return NEED_MORE;
+	}
+}
+
 /**
 * Send an INFORMATIONAL message with an AUTH_FAILED before closing IKE_SA
 */
@ -1576,6 +1593,7 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 				.get_type = _get_type,
 				.migrate = _migrate,
 				.build = _build_r,
+				.post_build = _post_build_r,
 				.process = _process_r,
 				.destroy = _destroy,
 			},
@ -1589,6 +1607,7 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 	if (initiator)
 	{
 		this->public.task.build = _build_i;
+		this->public.task.post_build = _post_build_i;
 		this->public.task.process = _process_i;
 	}
 	return &this->public;