summaryrefslogtreecommitdiff
path: root/src/charon/sa/tasks/ike_auth.c
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2008-10-29 20:30:44 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2008-10-29 20:30:44 +0000
commit74f0bbfc53cb5fa519e4e27ece53735ab51b397c (patch)
tree0dbab9c835be15577ff05b474b6361bb326d66ce /src/charon/sa/tasks/ike_auth.c
parent5c1fa2516bda1ccf8eb00178c0beb196c2020a94 (diff)
downloadvyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.tar.gz
vyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.zip
- New upstream release.
Diffstat (limited to 'src/charon/sa/tasks/ike_auth.c')
-rw-r--r--src/charon/sa/tasks/ike_auth.c131
1 files changed, 87 insertions, 44 deletions
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index fd5012ee6..51f37f1b0 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details
*
- * $Id: ike_auth.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: ike_auth.c 4276 2008-08-22 10:44:51Z martin $
*/
#include "ike_auth.h"
@@ -29,7 +29,6 @@
#include <sa/authenticators/eap_authenticator.h>
-
typedef struct private_ike_auth_t private_ike_auth_t;
/**
@@ -151,6 +150,44 @@ static bool check_uniqueness(private_ike_auth_t *this)
}
/**
+ * get the authentication class of a config
+ */
+auth_class_t get_auth_class(peer_cfg_t *config)
+{
+ auth_class_t *class;
+ auth_info_t *auth_info;
+
+ auth_info = config->get_auth(config);
+ if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class))
+ {
+ return *class;
+ }
+ /* fallback to pubkey authentication */
+ return AUTH_CLASS_PUBKEY;
+}
+
+/**
+ * get the eap type/vendor
+ */
+static eap_type_t get_eap_type(peer_cfg_t *config, u_int32_t *vendor)
+{
+ auth_info_t *auth_info;
+ u_int *ptr;
+
+ *vendor = 0;
+ auth_info = config->get_auth(config);
+ if (auth_info->get_item(auth_info, AUTHN_EAP_VENDOR, (void**)&ptr))
+ {
+ *vendor = *ptr;
+ }
+ if (auth_info->get_item(auth_info, AUTHN_EAP_TYPE, (void**)&ptr))
+ {
+ return *ptr;
+ }
+ return EAP_NAK;
+}
+
+/**
* build the AUTH payload
*/
static status_t build_auth(private_ike_auth_t *this, message_t *message)
@@ -158,23 +195,21 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
authenticator_t *auth;
auth_payload_t *auth_payload;
peer_cfg_t *config;
- config_auth_method_t method;
status_t status;
/* create own authenticator and add auth payload */
config = this->ike_sa->get_peer_cfg(this->ike_sa);
if (!config)
{
- SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found");
+ SIG_IKE(UP_FAILED, "unable to authenticate, no peer config found");
return FAILED;
}
- method = config->get_auth_method(config);
- auth = authenticator_create(this->ike_sa, method);
+ auth = authenticator_create_from_class(this->ike_sa, get_auth_class(config));
if (auth == NULL)
{
- SIG(IKE_UP_FAILED, "configured authentication method %N not supported",
- config_auth_method_names, method);
+ SIG_IKE(UP_FAILED, "configured authentication class %N not supported",
+ auth_class_names, get_auth_class(config));
return FAILED;
}
@@ -183,7 +218,7 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
auth->destroy(auth);
if (status != SUCCESS)
{
- SIG(IKE_UP_FAILED, "generating authentication data failed");
+ SIG_IKE(UP_FAILED, "generating authentication data failed");
return FAILED;
}
message->add_payload(message, (payload_t*)auth_payload);
@@ -208,7 +243,7 @@ static status_t build_id(private_ike_auth_t *this, message_t *message)
me = config->get_my_id(config);
if (me->contains_wildcards(me))
{
- SIG(IKE_UP_FAILED, "negotiation of own ID failed");
+ SIG_IKE(UP_FAILED, "negotiation of own ID failed");
return FAILED;
}
this->ike_sa->set_my_id(this->ike_sa, me->clone(me));
@@ -245,11 +280,11 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
}
auth_method = auth_payload->get_auth_method(auth_payload);
- auth = authenticator_create_from_auth_payload(this->ike_sa, auth_payload);
-
+ auth = authenticator_create_from_method(this->ike_sa,
+ auth_payload->get_auth_method(auth_payload));
if (auth == NULL)
{
- SIG(IKE_UP_FAILED, "authentication method %N used by '%D' not "
+ SIG_IKE(UP_FAILED, "authentication method %N used by '%D' not "
"supported", auth_method_names, auth_method,
this->ike_sa->get_other_id(this->ike_sa));
return NOT_SUPPORTED;
@@ -259,7 +294,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
auth->destroy(auth);
if (status != SUCCESS)
{
- SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
+ SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
auth_method_names, auth_method);
return FAILED;
@@ -280,7 +315,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL))
{
- SIG(IKE_UP_FAILED, "ID payload missing in message");
+ SIG_IKE(UP_FAILED, "ID payload missing in message");
return FAILED;
}
@@ -290,7 +325,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
req = this->ike_sa->get_other_id(this->ike_sa);
if (!id->matches(id, req))
{
- SIG(IKE_UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
+ SIG_IKE(UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
id->destroy(id);
return FAILED;
}
@@ -367,7 +402,7 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
if (auth->build(auth, this->my_packet->get_data(this->my_packet),
this->other_nonce, &auth_payload) != SUCCESS)
{
- SIG(IKE_UP_FAILED, "generating authentication data failed");
+ SIG_IKE(UP_FAILED, "generating authentication data failed");
if (!this->initiator)
{
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -378,12 +413,13 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
if (!this->initiator)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa));
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
return NEED_MORE;
@@ -412,9 +448,9 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
if (!this->peer_authenticated)
{
- SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
+ SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
- auth_method_names, AUTH_EAP);
+ auth_class_names, AUTH_CLASS_EAP);
if (this->initiator)
{
return FAILED;
@@ -424,12 +460,13 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
if (this->initiator)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa));
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
return NEED_MORE;
@@ -445,7 +482,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION);
if (eap == NULL)
{
- SIG(IKE_UP_FAILED, "EAP payload missing");
+ SIG_IKE(UP_FAILED, "EAP payload missing");
return FAILED;
}
switch (this->eap_auth->process(this->eap_auth, eap, &eap))
@@ -461,7 +498,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
return NEED_MORE;
default:
this->eap_payload = NULL;
- SIG(IKE_UP_FAILED, "failed to authenticate against '%D' using EAP",
+ SIG_IKE(UP_FAILED, "failed to authenticate against '%D' using EAP",
this->ike_sa->get_other_id(this->ike_sa));
return FAILED;
}
@@ -496,7 +533,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
if (this->eap_payload == NULL)
{
- SIG(IKE_UP_FAILED, "EAP payload missing");
+ SIG_IKE(UP_FAILED, "EAP payload missing");
return FAILED;
}
@@ -511,9 +548,9 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
break;
default:
- SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
+ SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
- auth_method_names, AUTH_EAP);
+ auth_class_names, AUTH_CLASS_EAP);
status = FAILED;
break;
}
@@ -539,7 +576,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
}
config = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (config->get_auth_method(config) == CONF_AUTH_EAP)
+ if (get_auth_class(config) == AUTH_CLASS_EAP)
{
this->eap_auth = eap_authenticator_create(this->ike_sa);
}
@@ -579,13 +616,14 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
case NOT_FOUND:
/* use EAP if no AUTH payload found */
this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE);
- this->eap_auth = eap_authenticator_create(this->ike_sa);
break;
default:
return NEED_MORE;
}
config = charon->backends->get_peer_cfg(charon->backends,
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa),
this->ike_sa->get_other_auth(this->ike_sa));
@@ -594,7 +632,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
this->ike_sa->set_peer_cfg(this->ike_sa, config);
config->destroy(config);
}
-
+ if (!this->peer_authenticated)
+ {
+ this->eap_auth = eap_authenticator_create(this->ike_sa);
+ }
return NEED_MORE;
}
@@ -624,7 +665,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
config = this->ike_sa->get_peer_cfg(this->ike_sa);
if (config == NULL)
{
- SIG(IKE_UP_FAILED, "no matching config found for '%D'...'%D'",
+ SIG_IKE(UP_FAILED, "no matching config found for '%D'...'%D'",
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa));
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -648,23 +689,24 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
if (this->peer_authenticated)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa));
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
/* initiate EAP authenitcation */
- eap_type = config->get_eap_type(config, &eap_vendor);
+ eap_type = get_eap_type(config, &eap_vendor);
status = this->eap_auth->initiate(this->eap_auth, eap_type,
eap_vendor, &eap_payload);
message->add_payload(message, (payload_t*)eap_payload);
if (status != NEED_MORE)
{
- SIG(IKE_UP_FAILED, "unable to initiate EAP authentication");
+ SIG_IKE(UP_FAILED, "unable to initiate EAP authentication");
return FAILED;
}
@@ -724,7 +766,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
{
if (type < 16383)
{
- SIG(IKE_UP_FAILED, "received %N notify error",
+ SIG_IKE(UP_FAILED, "received %N notify error",
notify_type_names, type);
iterator->destroy(iterator);
return FAILED;
@@ -756,17 +798,18 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
auth = this->ike_sa->get_other_auth(this->ike_sa);
if (!auth->complies(auth, config->get_auth(config)))
{
- SIG(IKE_UP_FAILED, "authorization of '%D' for config %s failed",
+ SIG_IKE(UP_FAILED, "authorization of '%D' for config %s failed",
this->ike_sa->get_other_id(this->ike_sa), config->get_name(config));
return FAILED;
}
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa));
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}