authorClavister OpenSource <opensource@clavister.com>2011-11-30 10:43:38 +0100
committerClavister OpenSource <opensource@clavister.com>2012-03-20 17:31:10 +0100
commitc5dc9d3383871e0e3b183bc2a166e45dec386ad6 (patch)
tree96539b3947cca8317986208bde446bc45867d90b /src
parent02c36eeb8683016bdb7c6a21a279f0c9105ded6c (diff)
downloadstrongswan-c5dc9d3383871e0e3b183bc2a166e45dec386ad6.tar.bz2
strongswan-c5dc9d3383871e0e3b183bc2a166e45dec386ad6.tar.xz
IKEv1 XAuth: Moving the state change to IKE_CONNECTED until after XAuth exchanges are complete.
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/task_manager_v1.c17
-rw-r--r--src/libcharon/sa/tasks/main_mode.c25
-rw-r--r--src/libcharon/sa/tasks/xauth_request.c29
3 files changed, 48 insertions, 23 deletions
diff --git a/src/libcharon/sa/task_manager_v1.c b/src/libcharon/sa/task_manager_v1.c
index 915644bac..9008b607a 100644
--- a/src/libcharon/sa/task_manager_v1.c
+++ b/src/libcharon/sa/task_manager_v1.c
@@ -269,16 +269,17 @@ METHOD(task_manager_t, initiate, status_t,
exchange = ID_PROT;
}
break;
- case IKE_ESTABLISHED:
- if (activate_task(this, TASK_QUICK_MODE))
+ case IKE_CONNECTING:
+ if (activate_task(this, TASK_XAUTH_REQUEST))
{
- exchange = QUICK_MODE;
+ exchange = TRANSACTION;
new_mid = TRUE;
- break;
}
- if (activate_task(this, TASK_XAUTH_REQUEST))
+ break;
+ case IKE_ESTABLISHED:
+ if (activate_task(this, TASK_QUICK_MODE))
{
- exchange = TRANSACTION;
+ exchange = QUICK_MODE;
new_mid = TRUE;
break;
}
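Review bot: In the visible lines the `IKE_ESTABLISHED` case no longer activates `TASK_XAUTH_REQUEST`, so a TRANSACTION task queued after the SA is established would stay queued unless code outside the hunk picks it up. If that is intended, say so at the new case, e.g. `/* XAuth runs before the SA is promoted to IKE_ESTABLISHED */`. `IKE_CONNECTING` presumably also covers the phase 1 negotiation itself, so this branch relies on the XAuth task being queued only after Main Mode authentication has finished; a comment stating that invariant would help. The switch starts and ends outside the hunk.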
@@ -508,6 +509,10 @@ static status_t process_request(private_task_manager_t *this,
case INFORMATIONAL_V1:
/* TODO-IKEv1: informational */
return FAILED;
+ case TRANSACTION:
+ task = (task_t *)xauth_request_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ break;
default:
return FAILED;
}
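Review bot: The new `case TRANSACTION:` queues an `xauth_request` task for every inbound TRANSACTION request without looking at the IKE_SA state. This same commit removes the `get_state() != IKE_ESTABLISHED` guards from `build_i` and `process_r` in xauth_request.c, so no state check remains visible on this path. I would reject the exchange here unless the SA is in a state where XAuth is expected, and confirm that Main Mode has already authenticated the peer, since `IKE_CONNECTING` alone does not show that. process_request starts and ends outside the hunk, so an earlier check may exist; if it does, a comment at this case pointing to it would be enough.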
diff --git a/src/libcharon/sa/tasks/main_mode.c b/src/libcharon/sa/tasks/main_mode.c
index 4efcf0dd0..a88f7a419 100644
--- a/src/libcharon/sa/tasks/main_mode.c
+++ b/src/libcharon/sa/tasks/main_mode.c
@@ -660,8 +660,6 @@ METHOD(task_t, build_r, status_t,
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa));
- this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
switch (this->auth_method)
{
@@ -672,8 +670,17 @@ METHOD(task_t, build_r, status_t,
lib->processor->queue_job(lib->processor, job);
break;
}
+ case AUTH_XAUTH_RESP_PSK:
+ case AUTH_XAUTH_RESP_RSA: /* There should be more RESP cases here once added */
+ {
+ break;
+ }
default:
+ {
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
break;
+ }
}
return SUCCESS;
}
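Review bot: The `default:` branch is now where the SA becomes `IKE_ESTABLISHED`, so any auth method not named in the XAuth cases is promoted straight after Main Mode. The inline comment already expects more RESP cases, and one left out here would skip XAuth without any error. I would invert the switch so the non-XAuth methods are listed explicitly and `default:` leaves the SA in `IKE_CONNECTING` or returns `FAILED`. The same pattern is in the `process_i` hunk of this file, with the INIT/RESP roles swapped.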
@@ -774,20 +781,26 @@ METHOD(task_t, process_i, status_t,
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa));
- this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
switch (this->auth_method)
{
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA: /* There should be more RESP cases here once added */
{
- job_t *job = (job_t *) initiate_xauth_job_create(this->ike_sa->get_id(this->ike_sa));
- lib->processor->queue_job(lib->processor, job);
+ this->ike_sa->initiate_xauth(this->ike_sa, FALSE);
+ break;
+ }
+ case AUTH_XAUTH_INIT_PSK:
+ case AUTH_XAUTH_INIT_RSA: /* There should be more INIT cases here once added */
+ {
break;
}
default:
+ {
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
break;
+ }
}
return SUCCESS;
diff --git a/src/libcharon/sa/tasks/xauth_request.c b/src/libcharon/sa/tasks/xauth_request.c
index bf2a53433..8e4489ed2 100644
--- a/src/libcharon/sa/tasks/xauth_request.c
+++ b/src/libcharon/sa/tasks/xauth_request.c
@@ -364,11 +364,6 @@ METHOD(task_t, build_i, status_t,
version = this->ike_sa->get_version(this->ike_sa);
if(version == IKEV1)
{
- if(this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
- {
- return NEED_MORE;
- }
-
if(!this->auth_cfg)
{
this->auth_cfg = get_auth_cfg(this, TRUE);
@@ -476,10 +471,6 @@ METHOD(task_t, process_r, status_t,
version = this->ike_sa->get_version(this->ike_sa);
if(version == IKEV1)
{
- if(this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
- {
- return NEED_MORE;
- }
if(!this->auth_cfg)
{
this->auth_cfg = get_auth_cfg(this, TRUE);
@@ -488,10 +479,11 @@ METHOD(task_t, process_r, status_t,
{
case AUTH_CLASS_XAUTH_PSK:
case AUTH_CLASS_XAUTH_PUBKEY:
+ this->state = TASK_XAUTH_INIT;
break;
default:
/* We aren't XAuth, so do we should expect ConfigMode stuff */
- return SUCCESS;
+ this->state = TASK_XAUTH_COMPLETE;
}
cp_type = CONFIGURATION_V1;
}
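Review bot: In the `default:` branch an SA whose auth class is not XAuth now gets `this->state = TASK_XAUTH_COMPLETE`, the same value that marks a finished XAuth exchange, where the old code returned early. Together with the `status == SUCCESS` promotion added to `build_r` later in this file, it is worth confirming that a TRANSACTION request on a non-XAuth SA cannot reach `IKE_ESTABLISHED` this way; the rest of process_r is outside the hunk, so I cannot tell. The branch also ends without a `break;` and its comment is garbled. I would write `/* not XAuth: only ConfigMode attributes are expected */` followed by `break;`.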
@@ -620,6 +612,11 @@ METHOD(task_t, build_r, status_t,
default:
return FAILED;
}
+ if(status == SUCCESS)
+ {
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+ }
return status;
}
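Review bot: The promotion added before `return status;` is not conditioned on the IKE version or on the current SA state, so a later exchange on an SA that is already `IKE_ESTABLISHED` would raise `ike_updown` a second time. The same two lines are added again in the `process_i` hunk below, keyed on `this->status` rather than the local `status`. I would put the transition in one static helper that checks the state first and call it from both places. Whether it should also be limited to IKEv1 depends on the switch above, which is outside the hunk.
```c
/* Promote the IKE_SA once XAuth has succeeded; a repeated exchange on an
 * already established SA must not raise a second ike_updown event. */
static void establish_ike_sa(private_xauth_request_t *this)
{
	if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
	{
		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
	}
}

/* … unchanged: build_r body up to the end of the switch … */
	if (status == SUCCESS)
	{
		establish_ike_sa(this);
	}
	return status;
```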
@@ -627,7 +624,9 @@ METHOD(task_t, process_i, status_t,
private_xauth_request_t *this, message_t *message)
{
status_t status;
- if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+ if (((this->ike_sa->get_version(this->ike_sa) == IKEV2) &&
+ (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)) ||
+ (this->ike_sa->get_version(this->ike_sa) == IKEV1))
{ /* in last IKE_AUTH exchange */
status = process_payloads(this, message);
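Review bot: The comment `/* in last IKE_AUTH exchange */` no longer matches the condition, because for IKEv1 the body now runs in any SA state and IKE_AUTH is an IKEv2 exchange. I would state the intent for both versions, e.g. `/* IKEv2: last IKE_AUTH exchange; IKEv1: reply to our TRANSACTION request */`. If IKEv1 replies are only valid in particular SA states, that should be checked explicitly here now that the guards in `build_i` and `process_r` are gone. Reading `get_version()` once into a local would also shorten the condition.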
@@ -638,7 +637,15 @@ METHOD(task_t, process_i, status_t,
this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
}
if(this->state == TASK_XAUTH_COMPLETE)
+ {
+ if(this->status == SUCCESS)
+ {
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+ }
+
return this->status;
+ }
return status;
}
return NEED_MORE;