diff options
Diffstat (limited to 'src/charon/sa/tasks/ike_auth.c')
-rw-r--r-- | src/charon/sa/tasks/ike_auth.c | 66 |
1 files changed, 44 insertions, 22 deletions
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index 541e1bb37..d0dd49aee 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -100,18 +100,18 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message) { authenticator_t *auth; auth_payload_t *auth_payload; - policy_t *policy; + peer_cfg_t *config; auth_method_t method; status_t status; /* create own authenticator and add auth payload */ - policy = this->ike_sa->get_policy(this->ike_sa); - if (!policy) + config = this->ike_sa->get_peer_cfg(this->ike_sa); + if (!config) { - SIG(IKE_UP_FAILED, "unable to authenticate, no policy found"); + SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found"); return FAILED; } - method = policy->get_auth_method(policy); + method = config->get_auth_method(config); auth = authenticator_create(this->ike_sa, method); if (auth == NULL) @@ -140,15 +140,15 @@ static status_t build_id(private_ike_auth_t *this, message_t *message) { identification_t *me, *other; id_payload_t *id; - policy_t *policy; + peer_cfg_t *config; me = this->ike_sa->get_my_id(this->ike_sa); other = this->ike_sa->get_other_id(this->ike_sa); - policy = this->ike_sa->get_policy(this->ike_sa); + config = this->ike_sa->get_peer_cfg(this->ike_sa); if (me->contains_wildcards(me)) { - me = policy->get_my_id(policy); + me = config->get_my_id(config); if (me->contains_wildcards(me)) { SIG(IKE_UP_FAILED, "negotiation of own ID failed"); @@ -202,7 +202,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message) auth->destroy(auth); if (status != SUCCESS) { - SIG(IKE_UP_FAILED, "authentication of %D using %N failed", + SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), auth_method_names, auth_method); return FAILED; @@ -215,7 +215,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message) */ static status_t process_id(private_ike_auth_t *this, message_t *message) { - identification_t *id; + identification_t *id, *req; id_payload_t *idr, *idi; idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR); @@ -230,6 +230,13 @@ static status_t process_id(private_ike_auth_t *this, message_t *message) if (this->initiator) { id = idr->get_identification(idr); + req = this->ike_sa->get_other_id(this->ike_sa); + if (!id->matches(id, req, NULL)) + { + SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req); + id->destroy(id); + return FAILED; + } this->ike_sa->set_other_id(this->ike_sa, id); } else @@ -346,7 +353,7 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message) if (!this->peer_authenticated) { - SIG(IKE_UP_FAILED, "authentication of %D using %N failed", + SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), auth_method_names, AUTH_EAP); if (this->initiator) @@ -444,7 +451,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message) this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap; break; default: - SIG(IKE_UP_FAILED, "authentication of %D using %N failed", + SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), auth_method_names, AUTH_EAP); status = FAILED; @@ -459,7 +466,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message) */ static status_t build_i(private_ike_auth_t *this, message_t *message) { - policy_t *policy; + peer_cfg_t *config; if (message->get_exchange_type(message) == IKE_SA_INIT) { @@ -471,8 +478,8 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) return FAILED; } - policy = this->ike_sa->get_policy(this->ike_sa); - if (policy->get_auth_method(policy) == AUTH_EAP) + config = this->ike_sa->get_peer_cfg(this->ike_sa); + if (config->get_auth_method(config) == AUTH_EAP) { this->eap_auth = eap_authenticator_create(this->ike_sa); } @@ -488,10 +495,12 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) } /** - * Implementation of task_t.process for initiator + * Implementation of task_t.process for responder */ static status_t process_r(private_ike_auth_t *this, message_t *message) -{ +{ + peer_cfg_t *config; + if (message->get_exchange_type(message) == IKE_SA_INIT) { return collect_other_init_data(this, message); @@ -514,6 +523,17 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) default: break; } + + config = charon->backends->get_peer_cfg(charon->backends, + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa), + this->ike_sa->get_other_ca(this->ike_sa)); + if (config) + { + this->ike_sa->set_peer_cfg(this->ike_sa, config); + config->destroy(config); + } + return NEED_MORE; } @@ -522,7 +542,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) */ static status_t build_r(private_ike_auth_t *this, message_t *message) { - policy_t *policy; + peer_cfg_t *config; eap_type_t eap_type; eap_payload_t *eap_payload; status_t status; @@ -532,10 +552,12 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) return collect_my_init_data(this, message); } - policy = this->ike_sa->get_policy(this->ike_sa); - if (policy == NULL) + config = this->ike_sa->get_peer_cfg(this->ike_sa); + if (config == NULL) { - SIG(IKE_UP_FAILED, "no acceptable policy found"); + SIG(IKE_UP_FAILED, "no matching config found for %D...%D", + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); return FAILED; } @@ -567,7 +589,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) } /* initiate EAP authenitcation */ - eap_type = policy->get_eap_type(policy); + eap_type = config->get_eap_type(config); status = this->eap_auth->initiate(this->eap_auth, eap_type, &eap_payload); message->add_payload(message, (payload_t*)eap_payload); if (status != NEED_MORE) |