- Update to new upstream release.

author: Rene Mayrhofer <rene@mayrhofer.eu.org> 2007-06-03 17:46:37 +0000
committer: Rene Mayrhofer <rene@mayrhofer.eu.org> 2007-06-03 17:46:37 +0000
commit: 62bf8ed9e48c18169c43ae6c44f345f401bd4393 (patch)
tree: 61a58c5c24278a9013b23b2cea5605a1ee142cdb /src/charon/sa/tasks/ike_auth.c
parent: 59dbcced8de77b3b861cd2307543226f0abc10a6 (diff)
download: vyos-strongswan-62bf8ed9e48c18169c43ae6c44f345f401bd4393.tar.gz
vyos-strongswan-62bf8ed9e48c18169c43ae6c44f345f401bd4393.zip
1 files changed, 44 insertions, 22 deletions
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 541e1bb37..d0dd49aee 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -100,18 +100,18 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
 {
 	authenticator_t *auth;
 	auth_payload_t *auth_payload;
-	policy_t *policy;
+	peer_cfg_t *config;
 	auth_method_t method;
 	status_t status;
 	
 	/* create own authenticator and add auth payload */
-	policy = this->ike_sa->get_policy(this->ike_sa);
-	if (!policy)
+	config = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (!config)
 	{
-		SIG(IKE_UP_FAILED, "unable to authenticate, no policy found");
+		SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found");
 		return FAILED;
 	}
-	method = policy->get_auth_method(policy);
+	method = config->get_auth_method(config);
 	
 	auth = authenticator_create(this->ike_sa, method);
 	if (auth == NULL)
@@ -140,15 +140,15 @@ static status_t build_id(private_ike_auth_t *this, message_t *message)
 {
 	identification_t *me, *other;
 	id_payload_t *id;
-	policy_t *policy;
+	peer_cfg_t *config;
 	
 	me = this->ike_sa->get_my_id(this->ike_sa);
 	other = this->ike_sa->get_other_id(this->ike_sa);
-	policy = this->ike_sa->get_policy(this->ike_sa);
+	config = this->ike_sa->get_peer_cfg(this->ike_sa);
 	
 	if (me->contains_wildcards(me))
 	{
-		me = policy->get_my_id(policy);
+		me = config->get_my_id(config);
 		if (me->contains_wildcards(me))
 		{
 			SIG(IKE_UP_FAILED, "negotiation of own ID failed");
@@ -202,7 +202,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
 	auth->destroy(auth);
 	if (status != SUCCESS)
 	{
-		SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+		SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
 			 this->ike_sa->get_other_id(this->ike_sa), 
 			 auth_method_names, auth_method);	
 		return FAILED;
@@ -215,7 +215,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
  */
 static status_t process_id(private_ike_auth_t *this, message_t *message)
 {
-	identification_t *id;
+	identification_t *id, *req;
 	id_payload_t *idr, *idi;
 
 	idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
@@ -230,6 +230,13 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
 	if (this->initiator)
 	{
 		id = idr->get_identification(idr);
+		req = this->ike_sa->get_other_id(this->ike_sa);
+		if (!id->matches(id, req, NULL))
+		{
+			SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req);
+			id->destroy(id);
+			return FAILED;
+		}
 		this->ike_sa->set_other_id(this->ike_sa, id);
 	}
 	else
@@ -346,7 +353,7 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
 
 	if (!this->peer_authenticated)
 	{
-		SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+		SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
 			 this->ike_sa->get_other_id(this->ike_sa), 
 			 auth_method_names, AUTH_EAP);
 		if (this->initiator)
@@ -444,7 +451,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
 			this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
 			break;
 		default:
-			SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+			SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
 				this->ike_sa->get_other_id(this->ike_sa),
 				auth_method_names, AUTH_EAP);
 			status = FAILED;
@@ -459,7 +466,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
  */
 static status_t build_i(private_ike_auth_t *this, message_t *message)
 {
-	policy_t *policy;
+	peer_cfg_t *config;
 
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
@@ -471,8 +478,8 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 		return FAILED;
 	}
 	
-	policy = this->ike_sa->get_policy(this->ike_sa);
-	if (policy->get_auth_method(policy) == AUTH_EAP)
+	config = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (config->get_auth_method(config) == AUTH_EAP)
 	{
 		this->eap_auth = eap_authenticator_create(this->ike_sa);
 	}
@@ -488,10 +495,12 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 }
 
 /**
- * Implementation of task_t.process for initiator
+ * Implementation of task_t.process for responder
  */
 static status_t process_r(private_ike_auth_t *this, message_t *message)
-{	
+{
+	peer_cfg_t *config;
+	
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		return collect_other_init_data(this, message);
@@ -514,6 +523,17 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 		default:
 			break;
 	}
+
+	config = charon->backends->get_peer_cfg(charon->backends,
+									this->ike_sa->get_my_id(this->ike_sa),
+									this->ike_sa->get_other_id(this->ike_sa),
+									this->ike_sa->get_other_ca(this->ike_sa));
+	if (config)
+	{
+		this->ike_sa->set_peer_cfg(this->ike_sa, config);
+		config->destroy(config);
+	}
+	
 	return NEED_MORE;
 }
 
@@ -522,7 +542,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
  */
 static status_t build_r(private_ike_auth_t *this, message_t *message)
 {
-	policy_t *policy;
+	peer_cfg_t *config;
 	eap_type_t eap_type;
 	eap_payload_t *eap_payload;
 	status_t status;
@@ -532,10 +552,12 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 		return collect_my_init_data(this, message);
 	}
 	
-	policy = this->ike_sa->get_policy(this->ike_sa);
-	if (policy == NULL)
+	config = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (config == NULL)
 	{
-		SIG(IKE_UP_FAILED, "no acceptable policy found");
+		SIG(IKE_UP_FAILED, "no matching config found for %D...%D",
+			this->ike_sa->get_my_id(this->ike_sa),
+			this->ike_sa->get_other_id(this->ike_sa));
 		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
 		return FAILED;
 	}
@@ -567,7 +589,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 	}
 		
 	/* initiate EAP authenitcation */
-	eap_type = policy->get_eap_type(policy);
+	eap_type = config->get_eap_type(config);
 	status = this->eap_auth->initiate(this->eap_auth, eap_type, &eap_payload);
 	message->add_payload(message, (payload_t*)eap_payload);
 	if (status != NEED_MORE)
author	Rene Mayrhofer <rene@mayrhofer.eu.org>	2007-06-03 17:46:37 +0000
committer	Rene Mayrhofer <rene@mayrhofer.eu.org>	2007-06-03 17:46:37 +0000
commit	62bf8ed9e48c18169c43ae6c44f345f401bd4393 (patch)
tree	61a58c5c24278a9013b23b2cea5605a1ee142cdb /src/charon/sa/tasks/ike_auth.c
parent	59dbcced8de77b3b861cd2307543226f0abc10a6 (diff)
download	vyos-strongswan-62bf8ed9e48c18169c43ae6c44f345f401bd4393.tar.gz vyos-strongswan-62bf8ed9e48c18169c43ae6c44f345f401bd4393.zip