author | Yves-Alexis Perez <corsac@debian.org> | 2015-06-08 15:35:16 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2015-06-08 15:35:16 +0200 |
commit | b238cf34df3fe4476ae6b7012e7cb3e9769d4d51 (patch) | |
tree | f17b69b2ade74cd41aaee818e50657465602522d /src/libcharon/sa/ikev2/tasks | |
parent | fc556ec2bc92a9d476c11406fad2c33db8bf7cb0 (diff) | |
Imported Upstream version 5.3.2
Diffstat (limited to 'src/libcharon/sa/ikev2/tasks')
-rw-r--r-- | src/libcharon/sa/ikev2/tasks/ike_auth.c | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index bf747a49e..2554496c1 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -112,6 +112,11 @@ struct private_ike_auth_t {
 	 * received an INITIAL_CONTACT?
 	 */
 	bool initial_contact;
+
+	/**
+	 * Is EAP acceptable, did we strictly authenticate peer?
+	 */
+	bool eap_acceptable;
 };
 
 /**
@@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this,
 	message->destroy(message);
 }
 
+/**
+ * Check if strict constraint fullfillment required to continue current auth
+ */
+static bool require_strict(private_ike_auth_t *this, bool mutual_eap)
+{
+	auth_cfg_t *cfg;
+
+	if (this->eap_acceptable)
+	{
+		return FALSE;
+	}
+
+	cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+	switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
+	{
+		case AUTH_CLASS_EAP:
+			if (mutual_eap && this->my_auth)
+			{
+				this->eap_acceptable = TRUE;
+				return !this->my_auth->is_mutual(this->my_auth);
+			}
+			return TRUE;
+		case AUTH_CLASS_PSK:
+			return TRUE;
+		case AUTH_CLASS_PUBKEY:
+		case AUTH_CLASS_ANY:
+		default:
+			return FALSE;
+	}
+}
+
 METHOD(task_t, process_i, status_t,
 	private_ike_auth_t *this, message_t *message)
 {
@@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t,
 		}
 	}
 
+	if (require_strict(this, mutual_eap))
+	{
+		if (!update_cfg_candidates(this, TRUE))
+		{
+			goto peer_auth_failed;
+		}
+	}
+
 	if (this->my_auth)
 	{
 		switch (this->my_auth->process(this->my_auth, message)) |
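Review bot: The header comment on `require_strict` does not say why the EAP and PSK arms return TRUE while PUBKEY and ANY return FALSE, nor that the function sets `this->eap_acceptable` as a side effect in the mutual-EAP arm, so the policy has to be reverse-engineered from the switch. I would expand it to `Check whether the peer's constraints must be fully satisfied before we continue our own authentication: required for EAP and PSK (presumably so our own auth data is not sent to an insufficiently verified peer), not for public-key auth; caches eap_acceptable once mutual EAP is in use.` and fix the `fullfillment` typo. Note also that the `default:` arm shares the permissive `return FALSE` with PUBKEY and ANY, so an unset or unexpected AUTH_RULE_AUTH_CLASS bypasses the strict check; if that case is reachable, a fail-closed `return TRUE` there would be safer, but this hunk alone does not show whether it is.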
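Review bot: The new guard in process_i jumps to `peer_auth_failed` without a comment saying why strict candidate selection has to succeed before `this->my_auth->process()` is reached, and the two nested `if`s can be folded into one condition. I would write it as `/* with EAP/PSK, settle the peer's constraints before sending our own auth data */` followed by `if (require_strict(this, mutual_eap) && !update_cfg_candidates(this, TRUE))` and `{ goto peer_auth_failed; }`. `mutual_eap` and the `peer_auth_failed` label are defined outside this hunk, and process_i's body starts and ends outside it, so I cannot confirm from here that `mutual_eap` is already fully determined at this point.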