From 2aa553d773ef1c6b39ba441ee56b407eda91e7b8 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Tue, 9 Feb 2010 16:11:07 +0100
Subject: [PATCH] Do not build own authentication data before we've verified others, we need the other identity in EAP

---
 src/charon/sa/tasks/ike_auth.c | 61 ++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 28 deletions(-)

diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index f37ce7b34..a07f96767 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -766,6 +767,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 	enumerator_t *enumerator;
 	payload_t *payload;
 	auth_cfg_t *cfg;
+	bool mutual_eap = FALSE;
 
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
@@ -826,26 +827,6 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 	}
 	enumerator->destroy(enumerator);
 
-	if (this->my_auth)
-	{
-		switch (this->my_auth->process(this->my_auth, message))
-		{
-			case SUCCESS:
-				cfg = auth_cfg_create();
-				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
-						   TRUE);
-				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
-				this->my_auth->destroy(this->my_auth);
-				this->my_auth = NULL;
-				this->do_another_auth = do_another_auth(this);
-				break;
-			case NEED_MORE:
-				break;
-			default:
-				return FAILED;
-		}
-	}
-
 	if (this->expect_another_auth)
 	{
 		if (this->other_auth == NULL)
@@ -879,14 +860,9 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 			}
 		}
 		else
-		{	/* responder omitted AUTH payload, indicating EAP-only */
-			if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
-			{
-				DBG1(DBG_IKE, "do not allow non-mutual or weak "
-					 "EAP-only authentication");
-				return FAILED;
-			}
-			DBG1(DBG_IKE, "allow mutual EAP-only authentication");
+		{
+			/* responder omitted AUTH payload, indicating EAP-only */
+			mutual_eap = TRUE;
 		}
 	}
 	if (this->other_auth)
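Review bot: The `else` branch now only records `mutual_eap = TRUE`, and the comment kept above it, `/* responder omitted AUTH payload, indicating EAP-only */`, no longer says why the mutual-EAP check that used to sit here is gone; the rationale is only in the commit message. I would extend the comment to `/* responder omitted AUTH payload, indicating EAP-only; the mutual-EAP check is deferred until my_auth has processed this message, since the EAP method needs the verified responder identity */`. Since the flag is a local initialised to FALSE in the first hunk and, as far as the visible context shows, is set only while `this->other_auth` is still NULL, it is re-derived on every response rather than carried across EAP rounds, which keeps the deferred check fail-closed; a word to that effect in the comment would stop a later reader from "fixing" it into a persistent flag. `process_i()` begins before this hunk and its body continues after it.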
@@ -916,6 +892,35 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 		}
 	}
+	if (this->my_auth)
+	{
+		switch (this->my_auth->process(this->my_auth, message))
+		{
+			case SUCCESS:
+				cfg = auth_cfg_create();
+				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+						   TRUE);
+				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+				this->my_auth->destroy(this->my_auth);
+				this->my_auth = NULL;
+				this->do_another_auth = do_another_auth(this);
+				break;
+			case NEED_MORE:
+				break;
+			default:
+				return FAILED;
+		}
+	}
+	if (mutual_eap)
+	{
+		if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
+		{
+			DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
+			return FAILED;
+		}
+		DBG1(DBG_IKE, "allow mutual EAP-only authentication");
+	}
+
 	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
 	{
 		this->expect_another_auth = FALSE;