ikev2: Handle INITIAL_CONTACT notifies also when peer is authenticated with EAP
authorTobias Brunner <tobias@strongswan.org>
Tue, 5 Apr 2016 15:42:45 +0000 (17:42 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 6 Jun 2016 11:49:21 +0000 (13:49 +0200)
Fixes #1380.

src/libcharon/sa/ikev2/tasks/ike_auth.c

index e554ca3..036910d 100644 (file)
@@ -564,6 +564,10 @@ METHOD(task_t, process_r, status_t,
                        this->ike_sa->enable_extension(this->ike_sa,
                                                                                   EXT_EAP_ONLY_AUTHENTICATION);
                }
+               if (message->get_notify(message, INITIAL_CONTACT))
+               {
+                       this->initial_contact = TRUE;
+               }
        }
 
        if (this->other_auth == NULL)
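Review bot: The added `if (message->get_notify(message, INITIAL_CONTACT))` sets `this->initial_contact` without a comment, whereas the block it replaces further down documented the semantics; since this now appears to run while processing the first IKE_AUTH request, before the peer has authenticated, a reader needs to know the flag is deliberately only acted upon later. Suggest `/* remember INITIAL_CONTACT (EAP or not), but only act on it in build_r() once the peer is authenticated */` above the new `if`. The enclosing block, presumably the message-ID 1 branch, and process_r itself start outside the hunk.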
@@ -652,14 +656,6 @@ METHOD(task_t, process_r, status_t,
                        return NEED_MORE;
        }
 
-       /* If authenticated (with non-EAP) and received INITIAL_CONTACT,
-        * delete any existing IKE_SAs with that peer. */
-       if (message->get_message_id(message) == 1 &&
-               message->get_notify(message, INITIAL_CONTACT))
-       {
-               this->initial_contact = TRUE;
-       }
-
        /* another auth round done, invoke authorize hook */
        if (!charon->bus->authorize(charon->bus, FALSE))
        {
@@ -749,13 +745,6 @@ METHOD(task_t, build_r, status_t,
                get_reserved_id_bytes(this, id_payload);
                message->add_payload(message, (payload_t*)id_payload);
 
-               if (this->initial_contact)
-               {
-                       charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-                                                                                                        this->ike_sa, TRUE);
-                       this->initial_contact = FALSE;
-               }
-
                if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
                {       /* EAP-only authentication */
                        if (!this->ike_sa->supports_extension(this->ike_sa,
@@ -830,7 +819,7 @@ METHOD(task_t, build_r, status_t,
        }
 
        if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-                                                                                                this->ike_sa, FALSE))
+                                                                               this->ike_sa, this->initial_contact))
        {
                DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
                charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
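Review bot: `this->initial_contact` passed to check_uniqueness() on the changed line is now recorded from a notify in the unauthenticated first IKE_AUTH request, so deleting existing IKE_SAs with that peer is only correct if this call is reached after every authentication round has succeeded; that looks to be the case from the hunk's position near the end of build_r, but it should be stated, e.g. `/* initial_contact was recorded before authentication; honour it only here, where the peer is known to be authenticated */`. Unlike the removed code in the earlier hunk, the flag is never reset after use, which is harmless only if build_r cannot run again on this task; a `this->initial_contact = FALSE;` after the call would preserve the old invariant. build_r's body extends beyond the hunk.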