authorMike Belopuhov <mikeb@cvs.openbsd.org>2014-11-07 14:12:58 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2014-11-07 14:12:58 +0000
commit8fa48933d6f58fedc21cb196cab1a20a4910c8ec (patch)
tree1bb857d40e3abe3d1c8e00421b2da7d6cf808e84
parent388f55252f2d5d103ea95d789b2402857ffb9999 (diff)
Fixup a few problems with EAP state transition
First of all we don't need to satisfy valid EAP state flags for IKEV2_STATE_EAP as it's an initial EAP exchange state. Then when waiting for the "ca" process to construct our AUTH payload we need to bail while sa_localauth is not available. With this change Win7 is able to establish the tunnel again. ok markus
-rw-r--r--sbin/iked/ikev2.c9
-rw-r--r--sbin/iked/policy.c5
2 files changed, 7 insertions, 7 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 05b16480c70..55d1e96eade 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.115 2014/11/07 14:02:32 mikeb Exp $ */
+/* $OpenBSD: ikev2.c,v 1.116 2014/11/07 14:12:57 mikeb Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -2276,13 +2276,14 @@ ikev2_resp_ike_eap(struct iked *env, struct iked_sa *sa, struct ibuf *eapmsg)
int ret = -1;
ssize_t len = 0;
- if (!sa_stateok(sa, IKEV2_STATE_EAP))
- return (0);
-
/* Responder only */
if (sa->sa_hdr.sh_initiator)
return (-1);
+ /* Check if "ca" has done it's job yet */
+ if (!sa->sa_localauth.id_type)
+ return (0);
+
/* New encrypted message buffer */
if ((e = ibuf_static()) == NULL)
goto done;
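Review bot: The new guard in ikev2_resp_ike_eap returns 0 while `sa->sa_localauth.id_type` is unset, the same value the removed `sa_stateok()` early-out used, so if 0 is also the success return (not visible here) a caller cannot tell "AUTH payload not ready, nothing sent" from a completed send. This check is now the only readiness gate after the responder test, so the comment should state what the early 0 means, for example `/* "ca" has not delivered our AUTH payload yet; send nothing for now */`, which also fixes the "it's" typo. The test depends on a zero id_type meaning "not set"; that looks intended but is not established by the lines shown. The function body starts and ends outside the hunk.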
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 635e0051f90..b70fd4b2110 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.34 2014/05/06 10:24:22 markus Exp $ */
+/* $OpenBSD: policy.c,v 1.35 2014/11/07 14:12:57 mikeb Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -286,8 +286,7 @@ sa_stateok(struct iked_sa *sa, int state)
if (state == IKEV2_STATE_SA_INIT ||
state == IKEV2_STATE_VALID ||
- state == IKEV2_STATE_EAP_VALID ||
- state == IKEV2_STATE_EAP) {
+ state == IKEV2_STATE_EAP_VALID) {
log_debug("%s: %s flags 0x%02x, require 0x%02x %s", __func__,
print_map(state, ikev2_state_map),
(sa->sa_stateflags & require), require,
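Review bot: Dropping `IKEV2_STATE_EAP` from this condition in sa_stateok changes the result for every caller that passes that state, not only ikev2_resp_ike_eap, whose call the same commit removes. From the lines shown, the block guarded by this `if` is where `sa_stateflags` is reported against `require`, so the EAP state now appears to be accepted without the flag test. Any remaining `sa_stateok(sa, IKEV2_STATE_EAP)` call sites should be checked to confirm they did not rely on it. A short comment above the condition would record the intent, e.g. `/* IKEV2_STATE_EAP is the initial EAP exchange state: no flags required yet */`. sa_stateok starts and ends outside the hunk.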