authorYves-Alexis Perez <corsac@debian.org>2013-01-02 14:18:20 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-01-02 14:18:20 +0100
commitc1343b3278cdf99533b7902744d15969f9d6fdc1 (patch)
treed5ed3dc5677a59260ec41cd39bb284d3e94c91b3 /src/libcharon/plugins/eap_aka
parentb34738ed08c2227300d554b139e2495ca5da97d6 (diff)
downloadvyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.tar.gz
vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.zip
Imported Upstream version 5.0.1
Diffstat (limited to 'src/libcharon/plugins/eap_aka')
-rw-r--r--src/libcharon/plugins/eap_aka/Makefile.in14
-rw-r--r--src/libcharon/plugins/eap_aka/eap_aka_peer.c160
-rw-r--r--src/libcharon/plugins/eap_aka/eap_aka_peer.h2
-rw-r--r--src/libcharon/plugins/eap_aka/eap_aka_server.c64
-rw-r--r--src/libcharon/plugins/eap_aka/eap_aka_server.h2
5 files changed, 176 insertions, 66 deletions
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index e7a3d780a..e098c2c75 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -49,6 +49,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -86,7 +87,7 @@ libstrongswan_eap_aka_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@MONOLITHIC_FALSE@am_libstrongswan_eap_aka_la_rpath = -rpath \
@MONOLITHIC_FALSE@ $(plugindir)
@MONOLITHIC_TRUE@am_libstrongswan_eap_aka_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
@@ -112,6 +113,7 @@ AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BFDLIB = @BFDLIB@
BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
@@ -206,11 +208,14 @@ build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
clearsilver_LIBS = @clearsilver_LIBS@
datadir = @datadir@
datarootdir = @datarootdir@
dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
@@ -227,11 +232,12 @@ imcvdir = @imcvdir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
ipsecdir = @ipsecdir@
ipsecgroup = @ipsecgroup@
ipseclibdir = @ipseclibdir@
ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
libexecdir = @libexecdir@
linux_headers = @linux_headers@
@@ -247,6 +253,7 @@ mkdir_p = @mkdir_p@
nm_CFLAGS = @nm_CFLAGS@
nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
@@ -256,7 +263,6 @@ pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
index 8c392405e..810a19c55 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_peer.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
@@ -81,12 +81,30 @@ struct private_eap_aka_peer_t {
};
/**
+ * Generate a payload from a message, destroy message
+ */
+static bool generate_payload(simaka_message_t *message, chunk_t data,
+ eap_payload_t **out)
+{
+ chunk_t chunk;
+ bool ok;
+
+ ok = message->generate(message, data, &chunk);
+ if (ok)
+ {
+ *out = eap_payload_create_data_own(chunk);
+ }
+ message->destroy(message);
+ return ok;
+}
+
+/**
* Create a AKA_CLIENT_ERROR: "Unable to process"
*/
-static eap_payload_t* create_client_error(private_eap_aka_peer_t *this)
+static bool create_client_error(private_eap_aka_peer_t *this,
+ eap_payload_t **out)
{
simaka_message_t *message;
- eap_payload_t *out;
u_int16_t encoded;
DBG1(DBG_IKE, "sending client error '%N'",
@@ -97,9 +115,8 @@ static eap_payload_t* create_client_error(private_eap_aka_peer_t *this)
encoded = htons(AKA_UNABLE_TO_PROCESS);
message->add_attribute(message, AT_CLIENT_ERROR_CODE,
chunk_create((char*)&encoded, sizeof(encoded)));
- out = eap_payload_create_data_own(message->generate(message, chunk_empty));
- message->destroy(message);
- return out;
+
+ return generate_payload(message, chunk_empty, out);
}
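Review bot: `generate_payload()` leaves `*out` untouched when `message->generate()` returns FALSE, and the header comment does not say so; every new call site in this file then returns FAILED without assigning `*out`, so callers of `process()` must not read `*out` on a FAILED status. Suggest extending the comment to `Generate a payload from a message and destroy the message; on failure FALSE is returned and *out is left unchanged.` The identical helper is added to eap_aka_server.c in this same commit, so a single shared implementation in the common simaka code would avoid keeping two copies in sync. create_client_error's body continues past the end of the hunk.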
/**
@@ -134,8 +151,11 @@ static status_t process_identity(private_eap_aka_peer_t *this,
default:
if (!simaka_attribute_skippable(type))
{
- *out = create_client_error(this);
enumerator->destroy(enumerator);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
break;
@@ -175,9 +195,10 @@ static status_t process_identity(private_eap_aka_peer_t *this,
{
message->add_attribute(message, AT_IDENTITY, id);
}
- *out = eap_payload_create_data_own(message->generate(message, chunk_empty));
- message->destroy(message);
-
+ if (!generate_payload(message, chunk_empty, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
@@ -210,8 +231,11 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
default:
if (!simaka_attribute_skippable(type))
{
- *out = create_client_error(this);
enumerator->destroy(enumerator);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
break;
@@ -222,7 +246,10 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
if (!rand.len || !autn.len)
{
DBG1(DBG_IKE, "received invalid EAP-AKA challenge message");
- *out = create_client_error(this);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
@@ -237,9 +264,10 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
AKA_SYNCHRONIZATION_FAILURE, this->crypto);
message->add_attribute(message, AT_AUTS,
chunk_create(auts, AKA_AUTS_LEN));
- *out = eap_payload_create_data_own(message->generate(message,
- chunk_empty));
- message->destroy(message);
+ if (!generate_payload(message, chunk_empty, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
if (status != SUCCESS)
@@ -248,9 +276,10 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
this->permanent, simaka_subtype_names, AKA_AUTHENTICATION_REJECT);
message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
AKA_AUTHENTICATION_REJECT, this->crypto);
- *out = eap_payload_create_data_own(message->generate(message,
- chunk_empty));
- message->destroy(message);
+ if (!generate_payload(message, chunk_empty, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
@@ -261,16 +290,22 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
}
data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
chunk_create(ck, AKA_CK_LEN));
- free(this->msk.ptr);
- this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+ chunk_clear(&this->msk);
+ if (!this->crypto->derive_keys_full(this->crypto, id, data, &mk, &this->msk))
+ {
+ return FAILED;
+ }
memcpy(this->mk, mk.ptr, mk.len);
- free(mk.ptr);
+ chunk_clear(&mk);
/* Verify AT_MAC attribute and parse() again after key derivation,
* reading encrypted attributes */
if (!in->verify(in, chunk_empty) || !in->parse(in))
{
- *out = create_client_error(this);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
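Review bot: `memcpy(this->mk, mk.ptr, mk.len)` just after the new `derive_keys_full()` check copies however many bytes the derivation returned into a fixed buffer that process_reauthentication() reads as HASH_SIZE_SHA1 bytes (`chunk_create(this->mk, HASH_SIZE_SHA1)`), with no length check; now that the result is checked anyway, a guard such as `if (mk.len != HASH_SIZE_SHA1) { chunk_clear(&mk); return FAILED; }` before the memcpy would make that assumption explicit. Replacing the two `free()` calls with `chunk_clear()` is the right choice for key material; `data`, which still holds IK||CK and presumably comes from a stack allocation in `chunk_cata()`, is not wiped — worth confirming whether a `memwipe()` on it is wanted before the function returns. process_challenge's body continues on both sides of the hunk.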
@@ -300,8 +335,10 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
AKA_CHALLENGE, this->crypto);
message->add_attribute(message, AT_RES, chunk_create(res, res_len));
- *out = eap_payload_create_data_own(message->generate(message, chunk_empty));
- message->destroy(message);
+ if (!generate_payload(message, chunk_empty, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
@@ -332,17 +369,26 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
{
DBG1(DBG_IKE, "received %N, but not expected",
simaka_subtype_names, AKA_REAUTHENTICATION);
- *out = create_client_error(this);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
- this->crypto->derive_keys_reauth(this->crypto,
- chunk_create(this->mk, HASH_SIZE_SHA1));
+ if (!this->crypto->derive_keys_reauth(this->crypto,
+ chunk_create(this->mk, HASH_SIZE_SHA1)))
+ {
+ return FAILED;
+ }
/* verify MAC and parse again with decryption key */
if (!in->verify(in, chunk_empty) || !in->parse(in))
{
- *out = create_client_error(this);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
@@ -363,8 +409,11 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
default:
if (!simaka_attribute_skippable(type))
{
- *out = create_client_error(this);
enumerator->destroy(enumerator);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
break;
@@ -375,7 +424,10 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
if (!nonce.len || !counter.len)
{
DBG1(DBG_IKE, "EAP-AKA/Request/Reauthentication message incomplete");
- *out = create_client_error(this);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
@@ -388,10 +440,14 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
}
else
{
- free(this->msk.ptr);
- this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
- this->reauth, counter, nonce,
- chunk_create(this->mk, HASH_SIZE_SHA1));
+ chunk_clear(&this->msk);
+ if (!this->crypto->derive_keys_reauth_msk(this->crypto,
+ this->reauth, counter, nonce,
+ chunk_create(this->mk, HASH_SIZE_SHA1), &this->msk))
+ {
+ message->destroy(message);
+ return FAILED;
+ }
if (id.len)
{
identification_t *reauth;
@@ -403,8 +459,10 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
}
}
message->add_attribute(message, AT_COUNTER, counter);
- *out = eap_payload_create_data_own(message->generate(message, nonce));
- message->destroy(message);
+ if (!generate_payload(message, nonce, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
@@ -454,13 +512,17 @@ static status_t process_notification(private_eap_aka_peer_t *this,
{ /* empty notification reply */
message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
AKA_NOTIFICATION, this->crypto);
- *out = eap_payload_create_data_own(message->generate(message,
- chunk_empty));
- message->destroy(message);
+ if (!generate_payload(message, chunk_empty, out))
+ {
+ return FAILED;
+ }
}
else
{
- *out = create_client_error(this);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
}
return NEED_MORE;
}
@@ -478,13 +540,19 @@ METHOD(eap_method_t, process, status_t,
message = simaka_message_create_from_payload(in->get_data(in), this->crypto);
if (!message)
{
- *out = create_client_error(this);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
if (!message->parse(message))
{
message->destroy(message);
- *out = create_client_error(this);
+ if (!create_client_error(this, out))
+ {
+ return FAILED;
+ }
return NEED_MORE;
}
switch (message->get_subtype(message))
@@ -504,8 +572,14 @@ METHOD(eap_method_t, process, status_t,
default:
DBG1(DBG_IKE, "unable to process EAP-AKA subtype %N",
simaka_subtype_names, message->get_subtype(message));
- *out = create_client_error(this);
- status = NEED_MORE;
+ if (!create_client_error(this, out))
+ {
+ status = FAILED;
+ }
+ else
+ {
+ status = NEED_MORE;
+ }
break;
}
message->destroy(message);
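Review bot: The eight-line `if`/`else` in the default case only picks between two status values; `status = create_client_error(this, out) ? NEED_MORE : FAILED;` says the same thing on one line and reads like the early-return pattern the other call sites in this commit use. Behaviour is unchanged either way, and `message->destroy(message)` still runs after the switch on both paths. The enclosing process() method starts before the hunk.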
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.h b/src/libcharon/plugins/eap_aka/eap_aka_peer.h
index 974ba2721..b6ab5cdc5 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_peer.h
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.h
@@ -23,7 +23,7 @@
typedef struct eap_aka_peer_t eap_aka_peer_t;
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
/**
* EAP-AKA peer implementation.
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.c b/src/libcharon/plugins/eap_aka/eap_aka_server.c
index d8e85ceef..b7608382d 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.c
@@ -119,6 +119,24 @@ struct private_eap_aka_server_t {
};
/**
+ * Generate a payload from a message, destroy message
+ */
+static bool generate_payload(simaka_message_t *message, chunk_t data,
+ eap_payload_t **out)
+{
+ chunk_t chunk;
+ bool ok;
+
+ ok = message->generate(message, data, &chunk);
+ if (ok)
+ {
+ *out = eap_payload_create_data_own(chunk);
+ }
+ message->destroy(message);
+ return ok;
+}
+
+/**
* Create EAP-AKA/Request/Identity message
*/
static status_t identity(private_eap_aka_server_t *this, eap_payload_t **out)
@@ -139,9 +157,10 @@ static status_t identity(private_eap_aka_server_t *this, eap_payload_t **out)
{
message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
}
- *out = eap_payload_create_data_own(message->generate(message, chunk_empty));
- message->destroy(message);
-
+ if (!generate_payload(message, chunk_empty, out))
+ {
+ return FAILED;
+ }
this->pending = AKA_IDENTITY;
return NEED_MORE;
}
@@ -180,8 +199,11 @@ static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
}
data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
chunk_create(ck, AKA_CK_LEN));
- free(this->msk.ptr);
- this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+ chunk_clear(&this->msk);
+ if (!this->crypto->derive_keys_full(this->crypto, id, data, &mk, &this->msk))
+ {
+ return FAILED;
+ }
this->rand = chunk_clone(chunk_create(rand, AKA_RAND_LEN));
this->xres = chunk_clone(chunk_create(xres, xres_len));
@@ -190,6 +212,7 @@ static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
message->add_attribute(message, AT_RAND, this->rand);
message->add_attribute(message, AT_AUTN, chunk_create(autn, AKA_AUTN_LEN));
id = this->mgr->provider_gen_reauth(this->mgr, this->permanent, mk.ptr);
+ free(mk.ptr);
if (id)
{
message->add_attribute(message, AT_NEXT_REAUTH_ID,
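Review bot: The relocated `free(mk.ptr)` releases the master key without wiping it, while the peer side of this same commit switched the equivalent release in process_challenge() to `chunk_clear(&mk)`; for key material `chunk_clear(&mk);` should be used here as well. The `free(mk.ptr)` removed in the next hunk is the one being moved, and the new early `return FAILED` after `derive_keys_full()` happens before mk is allocated, so this line is the only release of mk in challenge(). challenge's body continues on both sides of the hunk.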
@@ -203,10 +226,10 @@ static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
id->get_encoding(id));
id->destroy(id);
}
- *out = eap_payload_create_data_own(message->generate(message, chunk_empty));
- message->destroy(message);
-
- free(mk.ptr);
+ if (!generate_payload(message, chunk_empty, out))
+ {
+ return FAILED;
+ }
this->pending = AKA_CHALLENGE;
return NEED_MORE;
}
@@ -226,15 +249,21 @@ static status_t reauthenticate(private_eap_aka_server_t *this,
DBG1(DBG_IKE, "initiating EAP-AKA reauthentication");
rng = this->crypto->get_rng(this->crypto);
- rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+ if (!rng->allocate_bytes(rng, NONCE_LEN, &this->nonce))
+ {
+ return FAILED;
+ }
mkc = chunk_create(mk, HASH_SIZE_SHA1);
counter = htons(counter);
this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
- this->crypto->derive_keys_reauth(this->crypto, mkc);
- this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
- this->reauth, this->counter, this->nonce, mkc);
+ if (!this->crypto->derive_keys_reauth(this->crypto, mkc) ||
+ !this->crypto->derive_keys_reauth_msk(this->crypto,
+ this->reauth, this->counter, this->nonce, mkc, &this->msk))
+ {
+ return FAILED;
+ }
message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
AKA_REAUTHENTICATION, this->crypto);
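Review bot: `derive_keys_reauth_msk()` now writes `&this->msk` without first releasing any previous value, whereas challenge() in this file and the peer's process_reauthentication() both call `chunk_clear(&this->msk)` before re-deriving; if reauthenticate() can run with `this->msk` already set, the old key is leaked and left unwiped, so `chunk_clear(&this->msk);` before the derivation call would match the other sites. On the new FAILED returns `this->nonce` and `this->counter` stay allocated, which is fine if destroy() releases them — not visible here. reauthenticate's body continues on both sides of the hunk.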
@@ -247,9 +276,10 @@ static status_t reauthenticate(private_eap_aka_server_t *this,
next->get_encoding(next));
next->destroy(next);
}
- *out = eap_payload_create_data_own(message->generate(message, chunk_empty));
- message->destroy(message);
-
+ if (!generate_payload(message, chunk_empty, out))
+ {
+ return FAILED;
+ }
this->pending = SIM_REAUTHENTICATION;
return NEED_MORE;
}
@@ -691,7 +721,7 @@ eap_aka_server_t *eap_aka_server_create(identification_t *server,
this->permanent = peer->clone(peer);
this->use_reauth = this->use_pseudonym = this->use_permanent =
lib->settings->get_bool(lib->settings,
- "charon.plugins.eap-aka.request_identity", TRUE);
+ "%s.plugins.eap-aka.request_identity", TRUE, charon->name);
/* generate a non-zero identifier */
do {
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.h b/src/libcharon/plugins/eap_aka/eap_aka_server.h
index 5ab1c4dfd..5c95180ac 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.h
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.h
@@ -23,7 +23,7 @@
typedef struct eap_aka_server_t eap_aka_server_t;
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
/**
* EAP-AKA server implementation.