summaryrefslogtreecommitdiff
path: root/src/charon/sa/tasks/ike_auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon/sa/tasks/ike_auth.c')
-rw-r--r--src/charon/sa/tasks/ike_auth.c66
1 files changed, 44 insertions, 22 deletions
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 541e1bb37..d0dd49aee 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -100,18 +100,18 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
{
authenticator_t *auth;
auth_payload_t *auth_payload;
- policy_t *policy;
+ peer_cfg_t *config;
auth_method_t method;
status_t status;
/* create own authenticator and add auth payload */
- policy = this->ike_sa->get_policy(this->ike_sa);
- if (!policy)
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (!config)
{
- SIG(IKE_UP_FAILED, "unable to authenticate, no policy found");
+ SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found");
return FAILED;
}
- method = policy->get_auth_method(policy);
+ method = config->get_auth_method(config);
auth = authenticator_create(this->ike_sa, method);
if (auth == NULL)
@@ -140,15 +140,15 @@ static status_t build_id(private_ike_auth_t *this, message_t *message)
{
identification_t *me, *other;
id_payload_t *id;
- policy_t *policy;
+ peer_cfg_t *config;
me = this->ike_sa->get_my_id(this->ike_sa);
other = this->ike_sa->get_other_id(this->ike_sa);
- policy = this->ike_sa->get_policy(this->ike_sa);
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
if (me->contains_wildcards(me))
{
- me = policy->get_my_id(policy);
+ me = config->get_my_id(config);
if (me->contains_wildcards(me))
{
SIG(IKE_UP_FAILED, "negotiation of own ID failed");
@@ -202,7 +202,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
auth->destroy(auth);
if (status != SUCCESS)
{
- SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+ SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
auth_method_names, auth_method);
return FAILED;
@@ -215,7 +215,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
*/
static status_t process_id(private_ike_auth_t *this, message_t *message)
{
- identification_t *id;
+ identification_t *id, *req;
id_payload_t *idr, *idi;
idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
@@ -230,6 +230,13 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
if (this->initiator)
{
id = idr->get_identification(idr);
+ req = this->ike_sa->get_other_id(this->ike_sa);
+ if (!id->matches(id, req, NULL))
+ {
+ SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req);
+ id->destroy(id);
+ return FAILED;
+ }
this->ike_sa->set_other_id(this->ike_sa, id);
}
else
@@ -346,7 +353,7 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
if (!this->peer_authenticated)
{
- SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+ SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
auth_method_names, AUTH_EAP);
if (this->initiator)
@@ -444,7 +451,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
break;
default:
- SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+ SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
auth_method_names, AUTH_EAP);
status = FAILED;
@@ -459,7 +466,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
*/
static status_t build_i(private_ike_auth_t *this, message_t *message)
{
- policy_t *policy;
+ peer_cfg_t *config;
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
@@ -471,8 +478,8 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
return FAILED;
}
- policy = this->ike_sa->get_policy(this->ike_sa);
- if (policy->get_auth_method(policy) == AUTH_EAP)
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (config->get_auth_method(config) == AUTH_EAP)
{
this->eap_auth = eap_authenticator_create(this->ike_sa);
}
@@ -488,10 +495,12 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
}
/**
- * Implementation of task_t.process for initiator
+ * Implementation of task_t.process for responder
*/
static status_t process_r(private_ike_auth_t *this, message_t *message)
-{
+{
+ peer_cfg_t *config;
+
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
return collect_other_init_data(this, message);
@@ -514,6 +523,17 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
default:
break;
}
+
+ config = charon->backends->get_peer_cfg(charon->backends,
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->ike_sa->get_other_ca(this->ike_sa));
+ if (config)
+ {
+ this->ike_sa->set_peer_cfg(this->ike_sa, config);
+ config->destroy(config);
+ }
+
return NEED_MORE;
}
@@ -522,7 +542,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
*/
static status_t build_r(private_ike_auth_t *this, message_t *message)
{
- policy_t *policy;
+ peer_cfg_t *config;
eap_type_t eap_type;
eap_payload_t *eap_payload;
status_t status;
@@ -532,10 +552,12 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
return collect_my_init_data(this, message);
}
- policy = this->ike_sa->get_policy(this->ike_sa);
- if (policy == NULL)
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (config == NULL)
{
- SIG(IKE_UP_FAILED, "no acceptable policy found");
+ SIG(IKE_UP_FAILED, "no matching config found for %D...%D",
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
return FAILED;
}
@@ -567,7 +589,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
}
/* initiate EAP authenitcation */
- eap_type = policy->get_eap_type(policy);
+ eap_type = config->get_eap_type(config);
status = this->eap_auth->initiate(this->eap_auth, eap_type, &eap_payload);
message->add_payload(message, (payload_t*)eap_payload);
if (status != NEED_MORE)