author | Martin Willi <martin@revosec.ch> | 2012-07-26 12:40:27 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2012-07-26 12:40:27 +0200 |
commit | 40ca05cff8d566c252730e4c69c255bbdcf9cdac (patch) | |
tree | 255e86fe6a474bf431d91d3af9bc82c9eaefce06 /src/libcharon/sa/ikev1 | |
parent | 6a8786b55ff8f63d062bc49c6bcc6df4b5f18184 (diff) | |
download | strongswan-40ca05cff8d566c252730e4c69c255bbdcf9cdac.tar.bz2 strongswan-40ca05cff8d566c252730e4c69c255bbdcf9cdac.tar.xz |
Check if XAuth round complies to configured authentication round
Diffstat (limited to 'src/libcharon/sa/ikev1')
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/xauth.c | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index 446445a55..a2f33d6f2 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -51,6 +51,11 @@ struct private_xauth_t {
 	bool initiator;
 
 	/**
+	 * Authentication requirements to fulfill
+	 */
+	auth_cfg_t *auth;
+
+	/**
 	 * XAuth backend to use
 	 */
 	xauth_method_t *xauth;
@@ -114,13 +119,14 @@ static xauth_method_t *load_method(private_xauth_t* this)
 			return NULL;
 		}
 	}
+	enumerator->destroy(enumerator);
 	name = auth->get(auth, AUTH_RULE_XAUTH_BACKEND);
 	this->user = auth->get(auth, AUTH_RULE_XAUTH_IDENTITY);
 	if (!this->initiator && this->user)
 	{	/* use XAUTH username, if configured */
 		peer = this->user;
 	}
-	enumerator->destroy(enumerator);
+	this->auth = auth;
 	xauth = charon->xauth->create_instance(charon->xauth, name, role,
 										   server, peer);
 	if (!xauth)
@@ -183,16 +189,22 @@ static bool establish(private_xauth_t *this)
 /**
  * Create auth config after successful authentication
  */
-static void add_auth_cfg(private_xauth_t *this, identification_t *id, bool local)
+static bool add_auth_cfg(private_xauth_t *this, identification_t *id, bool local)
 {
 	auth_cfg_t *auth;
 
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH);
 	auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id));
-	auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), FALSE);
+	auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), TRUE);
+	if (!auth->complies(auth, this->auth, TRUE))
+	{
+		auth->destroy(auth);
+		return FALSE;
+	}
 	this->ike_sa->add_auth_cfg(this->ike_sa, local, auth);
+	return TRUE;
 }
 
 METHOD(task_t, build_i_status, status_t,
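Review bot: `this->auth = auth;` keeps a pointer to an auth_cfg_t that was obtained through the enumerator which `enumerator->destroy(enumerator)` now releases a few lines earlier, so the task holds a borrowed reference it does not own, and the field comment added in the first hunk (`Authentication requirements to fulfill`) does not say so. I would extend that comment to `Authentication requirements to fulfill (borrowed from the enumerated config, not owned; must outlive this task)`. Whether destroying the enumerator also invalidates the enumerated auth_cfg_t objects cannot be confirmed from the hunk; if it does, the pointer is already dangling by the time add_auth_cfg passes it to complies(). load_method begins and ends outside the hunk.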
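Review bot: The new rejection path in add_auth_cfg destroys `auth` and returns FALSE without any diagnostic, so a round refused by `complies()` leaves no record of why authentication did not complete; a `DBG1(DBG_IKE, "XAuth authentication of '%Y' does not comply with configured constraints", id);` before `auth->destroy(auth);` would make the failure visible to operators without changing control flow. In addition, `this->auth` is passed to complies() unconditionally; it is assigned in load_method, and whether every caller of add_auth_cfg is guaranteed to have gone through load_method first cannot be confirmed from these hunks, so the precondition should at least be stated in the function comment, e.g. `Requires this->auth to have been set by load_method`.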
@@ -305,11 +317,11 @@ METHOD(task_t, process_r, status_t,
 		}
 	}
 	enumerator->destroy(enumerator);
-	if (this->status == XAUTH_OK)
+	if (this->status == XAUTH_OK &&
+		add_auth_cfg(this, this->xauth->get_identity(this->xauth), TRUE))
 	{
 		DBG1(DBG_IKE, "XAuth authentication of '%Y' (myself) successful",
 			 this->xauth->get_identity(this->xauth));
-		add_auth_cfg(this, this->xauth->get_identity(this->xauth), TRUE);
 	}
 	else
 	{
@@ -385,8 +397,7 @@ METHOD(task_t, process_i, status_t,
 					break;
 			}
 			DBG1(DBG_IKE, "XAuth authentication of '%Y' successful", id);
-			add_auth_cfg(this, id, FALSE);
-			if (allowed(this))
+			if (add_auth_cfg(this, id, FALSE) && allowed(this))
 			{
 				this->status = XAUTH_OK;
 			}
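Review bot: In process_i the `DBG1(DBG_IKE, "XAuth authentication of '%Y' successful", id);` line still precedes the new `if (add_auth_cfg(this, id, FALSE) && allowed(this))`, so a round that add_auth_cfg() now rejects is logged as successful while `this->status` is never set to XAUTH_OK; this is inconsistent with process_r in the previous hunk, which logs only after the check, and it leaves a misleading audit trail for anyone correlating logs with failed connections. Move the DBG1 inside the block, after `{` and before `this->status = XAUTH_OK;`. Whether the failure case is reported further down cannot be confirmed, as process_i continues outside the hunk.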