From b238cf34df3fe4476ae6b7012e7cb3e9769d4d51 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Mon, 8 Jun 2015 15:35:16 +0200 Subject: Imported Upstream version 5.3.2 --- src/libcharon/sa/child_sa.c | 4 +-- src/libcharon/sa/ikev2/tasks/ike_auth.c | 44 +++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) (limited to 'src/libcharon') diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index e0db2e655..94cf07c33 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -698,7 +698,7 @@ METHOD(child_sa_t, install, status_t, this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS, &esn, NULL); - if (!this->reqid_allocated) + if (!this->reqid_allocated && !this->reqid) { status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface, my_ts, other_ts, this->mark_in, this->mark_out, @@ -826,7 +826,7 @@ METHOD(child_sa_t, add_policies, status_t, traffic_selector_t *my_ts, *other_ts; status_t status = SUCCESS; - if (!this->reqid_allocated) + if (!this->reqid_allocated && !this->reqid) { /* trap policy, get or confirm reqid */ status = hydra->kernel_interface->alloc_reqid( diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index bf747a49e..2554496c1 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -112,6 +112,11 @@ struct private_ike_auth_t { * received an INITIAL_CONTACT? */ bool initial_contact; + + /** + * Is EAP acceptable, did we strictly authenticate peer? + */ + bool eap_acceptable; }; /** @@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this, message->destroy(message); } +/** + * Check if strict constraint fullfillment required to continue current auth + */ +static bool require_strict(private_ike_auth_t *this, bool mutual_eap) +{ + auth_cfg_t *cfg; + + if (this->eap_acceptable) + { + return FALSE; + } + + cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); + switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS)) + { + case AUTH_CLASS_EAP: + if (mutual_eap && this->my_auth) + { + this->eap_acceptable = TRUE; + return !this->my_auth->is_mutual(this->my_auth); + } + return TRUE; + case AUTH_CLASS_PSK: + return TRUE; + case AUTH_CLASS_PUBKEY: + case AUTH_CLASS_ANY: + default: + return FALSE; + } +} + METHOD(task_t, process_i, status_t, private_ike_auth_t *this, message_t *message) { @@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t, } } + if (require_strict(this, mutual_eap)) + { + if (!update_cfg_candidates(this, TRUE)) + { + goto peer_auth_failed; + } + } + if (this->my_auth) { switch (this->my_auth->process(this->my_auth, message)) -- cgit v1.2.3