authorYves-Alexis Perez <corsac@debian.org>2015-06-08 15:35:16 +0200
committerYves-Alexis Perez <corsac@debian.org>2015-06-08 15:35:16 +0200
commitb238cf34df3fe4476ae6b7012e7cb3e9769d4d51 (patch)
treef17b69b2ade74cd41aaee818e50657465602522d /src/libcharon/sa
parentfc556ec2bc92a9d476c11406fad2c33db8bf7cb0 (diff)
Imported Upstream version 5.3.2
Diffstat (limited to 'src/libcharon/sa')
-rw-r--r--src/libcharon/sa/child_sa.c4
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth.c44
2 files changed, 46 insertions, 2 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index e0db2e655..94cf07c33 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -698,7 +698,7 @@ METHOD(child_sa_t, install, status_t,
this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
&esn, NULL);
- if (!this->reqid_allocated)
+ if (!this->reqid_allocated && !this->reqid)
{
status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
my_ts, other_ts, this->mark_in, this->mark_out,
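Review bot: The added `&& !this->reqid` on the guard skips alloc_reqid() whenever a reqid is already set, but the hunk does not say where such a pre-set value comes from, and a reqid chosen outside the kernel interface could presumably collide with one alloc_reqid() later hands to another CHILD_SA, so unrelated policies and SAs would share a reqid; worth confirming that externally supplied reqids are kept apart from the allocated range. The same condition is added in add_policies in the next hunk. A one-line comment would make the intent clear on both sites: `/* an explicitly passed reqid is used as-is; only allocate one via the kernel interface if none was set */`. The enclosing install method starts and ends outside the hunk.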
@@ -826,7 +826,7 @@ METHOD(child_sa_t, add_policies, status_t,
traffic_selector_t *my_ts, *other_ts;
status_t status = SUCCESS;
- if (!this->reqid_allocated)
+ if (!this->reqid_allocated && !this->reqid)
{
/* trap policy, get or confirm reqid */
status = hydra->kernel_interface->alloc_reqid(
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index bf747a49e..2554496c1 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -112,6 +112,11 @@ struct private_ike_auth_t {
* received an INITIAL_CONTACT?
*/
bool initial_contact;
+
+ /**
+ * Is EAP acceptable, did we strictly authenticate peer?
+ */
+ bool eap_acceptable;
};
/**
@@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this,
message->destroy(message);
}
+/**
+ * Check if strict constraint fullfillment required to continue current auth
+ */
+static bool require_strict(private_ike_auth_t *this, bool mutual_eap)
+{
+ auth_cfg_t *cfg;
+
+ if (this->eap_acceptable)
+ {
+ return FALSE;
+ }
+
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
+ {
+ case AUTH_CLASS_EAP:
+ if (mutual_eap && this->my_auth)
+ {
+ this->eap_acceptable = TRUE;
+ return !this->my_auth->is_mutual(this->my_auth);
+ }
+ return TRUE;
+ case AUTH_CLASS_PSK:
+ return TRUE;
+ case AUTH_CLASS_PUBKEY:
+ case AUTH_CLASS_ANY:
+ default:
+ return FALSE;
+ }
+}
+
METHOD(task_t, process_i, status_t,
private_ike_auth_t *this, message_t *message)
{
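Review bot: require_strict() sets this->eap_acceptable as a side effect in the AUTH_CLASS_EAP branch, and once it is set every later call returns FALSE immediately, which the header comment does not mention; document the contract, e.g. `@return TRUE if the peer's constraints must be fully satisfied before this authentication round continues; once a mutual EAP method is confirmed EAP is marked acceptable and later calls return FALSE`. The comment also misspells "fulfillment". The `default:` label makes an unrecognised auth class non-strict; if that permissive default is deliberate rather than merely unreachable, a short comment saying so would save a future reader from treating it as an oversight. The TRUE passed to get_auth_cfg() presumably selects our own auth config (how we authenticate, not the peer); a `/* local auth config */` on that line would confirm it.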
@@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t,
}
}
+ if (require_strict(this, mutual_eap))
+ {
+ if (!update_cfg_candidates(this, TRUE))
+ {
+ goto peer_auth_failed;
+ }
+ }
+
if (this->my_auth)
{
switch (this->my_auth->process(this->my_auth, message))
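Review bot: The added require_strict() check runs before my_auth->process() below, which is presumably what stops a client from handing its EAP or PSK credentials to a responder whose constraints it has not yet verified, but nothing at the call site records that reasoning; a comment would preserve it: `/* with EAP/PSK our credentials go out before peer auth completes, so enforce the responder's constraints strictly now rather than after the exchange */`. The goto target peer_auth_failed and the mutual_eap local are both defined outside the hunk, as is the start of process_i, so this note is limited to the visible lines. That update_cfg_candidates(this, TRUE) with its second argument rejects a responder whose identity or certificate violates the configured constraints is inferred from the name and should be confirmed against its definition.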