diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-10-29 20:30:44 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-10-29 20:30:44 +0000 |
commit | 74f0bbfc53cb5fa519e4e27ece53735ab51b397c (patch) | |
tree | 0dbab9c835be15577ff05b474b6361bb326d66ce /src/charon/sa/tasks/ike_auth.c | |
parent | 5c1fa2516bda1ccf8eb00178c0beb196c2020a94 (diff) | |
download | vyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.tar.gz vyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.zip |
- New upstream release.
Diffstat (limited to 'src/charon/sa/tasks/ike_auth.c')
-rw-r--r-- | src/charon/sa/tasks/ike_auth.c | 131 |
1 files changed, 87 insertions, 44 deletions
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index fd5012ee6..51f37f1b0 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details * - * $Id: ike_auth.c 4051 2008-06-10 09:08:27Z tobias $ + * $Id: ike_auth.c 4276 2008-08-22 10:44:51Z martin $ */ #include "ike_auth.h" @@ -29,7 +29,6 @@ #include <sa/authenticators/eap_authenticator.h> - typedef struct private_ike_auth_t private_ike_auth_t; /** @@ -151,6 +150,44 @@ static bool check_uniqueness(private_ike_auth_t *this) } /** + * get the authentication class of a config + */ +auth_class_t get_auth_class(peer_cfg_t *config) +{ + auth_class_t *class; + auth_info_t *auth_info; + + auth_info = config->get_auth(config); + if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class)) + { + return *class; + } + /* fallback to pubkey authentication */ + return AUTH_CLASS_PUBKEY; +} + +/** + * get the eap type/vendor + */ +static eap_type_t get_eap_type(peer_cfg_t *config, u_int32_t *vendor) +{ + auth_info_t *auth_info; + u_int *ptr; + + *vendor = 0; + auth_info = config->get_auth(config); + if (auth_info->get_item(auth_info, AUTHN_EAP_VENDOR, (void**)&ptr)) + { + *vendor = *ptr; + } + if (auth_info->get_item(auth_info, AUTHN_EAP_TYPE, (void**)&ptr)) + { + return *ptr; + } + return EAP_NAK; +} + +/** * build the AUTH payload */ static status_t build_auth(private_ike_auth_t *this, message_t *message) @@ -158,23 +195,21 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message) authenticator_t *auth; auth_payload_t *auth_payload; peer_cfg_t *config; - config_auth_method_t method; status_t status; /* create own authenticator and add auth payload */ config = this->ike_sa->get_peer_cfg(this->ike_sa); if (!config) { - SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found"); + SIG_IKE(UP_FAILED, "unable to authenticate, no peer config found"); return FAILED; } - method = config->get_auth_method(config); - auth = authenticator_create(this->ike_sa, method); + auth = authenticator_create_from_class(this->ike_sa, get_auth_class(config)); if (auth == NULL) { - SIG(IKE_UP_FAILED, "configured authentication method %N not supported", - config_auth_method_names, method); + SIG_IKE(UP_FAILED, "configured authentication class %N not supported", + auth_class_names, get_auth_class(config)); return FAILED; } @@ -183,7 +218,7 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message) auth->destroy(auth); if (status != SUCCESS) { - SIG(IKE_UP_FAILED, "generating authentication data failed"); + SIG_IKE(UP_FAILED, "generating authentication data failed"); return FAILED; } message->add_payload(message, (payload_t*)auth_payload); @@ -208,7 +243,7 @@ static status_t build_id(private_ike_auth_t *this, message_t *message) me = config->get_my_id(config); if (me->contains_wildcards(me)) { - SIG(IKE_UP_FAILED, "negotiation of own ID failed"); + SIG_IKE(UP_FAILED, "negotiation of own ID failed"); return FAILED; } this->ike_sa->set_my_id(this->ike_sa, me->clone(me)); @@ -245,11 +280,11 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message) } auth_method = auth_payload->get_auth_method(auth_payload); - auth = authenticator_create_from_auth_payload(this->ike_sa, auth_payload); - + auth = authenticator_create_from_method(this->ike_sa, + auth_payload->get_auth_method(auth_payload)); if (auth == NULL) { - SIG(IKE_UP_FAILED, "authentication method %N used by '%D' not " + SIG_IKE(UP_FAILED, "authentication method %N used by '%D' not " "supported", auth_method_names, auth_method, this->ike_sa->get_other_id(this->ike_sa)); return NOT_SUPPORTED; @@ -259,7 +294,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message) auth->destroy(auth); if (status != SUCCESS) { - SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", + SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), auth_method_names, auth_method); return FAILED; @@ -280,7 +315,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message) if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL)) { - SIG(IKE_UP_FAILED, "ID payload missing in message"); + SIG_IKE(UP_FAILED, "ID payload missing in message"); return FAILED; } @@ -290,7 +325,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message) req = this->ike_sa->get_other_id(this->ike_sa); if (!id->matches(id, req)) { - SIG(IKE_UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req); + SIG_IKE(UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req); id->destroy(id); return FAILED; } @@ -367,7 +402,7 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message) if (auth->build(auth, this->my_packet->get_data(this->my_packet), this->other_nonce, &auth_payload) != SUCCESS) { - SIG(IKE_UP_FAILED, "generating authentication data failed"); + SIG_IKE(UP_FAILED, "generating authentication data failed"); if (!this->initiator) { message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); @@ -378,12 +413,13 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message) if (!this->initiator) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); return SUCCESS; } return NEED_MORE; @@ -412,9 +448,9 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message) if (!this->peer_authenticated) { - SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", + SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), - auth_method_names, AUTH_EAP); + auth_class_names, AUTH_CLASS_EAP); if (this->initiator) { return FAILED; @@ -424,12 +460,13 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message) if (this->initiator) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); return SUCCESS; } return NEED_MORE; @@ -445,7 +482,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message) eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION); if (eap == NULL) { - SIG(IKE_UP_FAILED, "EAP payload missing"); + SIG_IKE(UP_FAILED, "EAP payload missing"); return FAILED; } switch (this->eap_auth->process(this->eap_auth, eap, &eap)) @@ -461,7 +498,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message) return NEED_MORE; default: this->eap_payload = NULL; - SIG(IKE_UP_FAILED, "failed to authenticate against '%D' using EAP", + SIG_IKE(UP_FAILED, "failed to authenticate against '%D' using EAP", this->ike_sa->get_other_id(this->ike_sa)); return FAILED; } @@ -496,7 +533,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message) if (this->eap_payload == NULL) { - SIG(IKE_UP_FAILED, "EAP payload missing"); + SIG_IKE(UP_FAILED, "EAP payload missing"); return FAILED; } @@ -511,9 +548,9 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message) this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap; break; default: - SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", + SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), - auth_method_names, AUTH_EAP); + auth_class_names, AUTH_CLASS_EAP); status = FAILED; break; } @@ -539,7 +576,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) } config = this->ike_sa->get_peer_cfg(this->ike_sa); - if (config->get_auth_method(config) == CONF_AUTH_EAP) + if (get_auth_class(config) == AUTH_CLASS_EAP) { this->eap_auth = eap_authenticator_create(this->ike_sa); } @@ -579,13 +616,14 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) case NOT_FOUND: /* use EAP if no AUTH payload found */ this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE); - this->eap_auth = eap_authenticator_create(this->ike_sa); break; default: return NEED_MORE; } config = charon->backends->get_peer_cfg(charon->backends, + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa), this->ike_sa->get_other_auth(this->ike_sa)); @@ -594,7 +632,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) this->ike_sa->set_peer_cfg(this->ike_sa, config); config->destroy(config); } - + if (!this->peer_authenticated) + { + this->eap_auth = eap_authenticator_create(this->ike_sa); + } return NEED_MORE; } @@ -624,7 +665,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) config = this->ike_sa->get_peer_cfg(this->ike_sa); if (config == NULL) { - SIG(IKE_UP_FAILED, "no matching config found for '%D'...'%D'", + SIG_IKE(UP_FAILED, "no matching config found for '%D'...'%D'", this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); @@ -648,23 +689,24 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) if (this->peer_authenticated) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); return SUCCESS; } /* initiate EAP authenitcation */ - eap_type = config->get_eap_type(config, &eap_vendor); + eap_type = get_eap_type(config, &eap_vendor); status = this->eap_auth->initiate(this->eap_auth, eap_type, eap_vendor, &eap_payload); message->add_payload(message, (payload_t*)eap_payload); if (status != NEED_MORE) { - SIG(IKE_UP_FAILED, "unable to initiate EAP authentication"); + SIG_IKE(UP_FAILED, "unable to initiate EAP authentication"); return FAILED; } @@ -724,7 +766,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) { if (type < 16383) { - SIG(IKE_UP_FAILED, "received %N notify error", + SIG_IKE(UP_FAILED, "received %N notify error", notify_type_names, type); iterator->destroy(iterator); return FAILED; @@ -756,17 +798,18 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) auth = this->ike_sa->get_other_auth(this->ike_sa); if (!auth->complies(auth, config->get_auth(config))) { - SIG(IKE_UP_FAILED, "authorization of '%D' for config %s failed", + SIG_IKE(UP_FAILED, "authorization of '%D' for config %s failed", this->ike_sa->get_other_id(this->ike_sa), config->get_name(config)); return FAILED; } this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); return SUCCESS; } |