author | Martin Willi <martin@strongswan.org> | 2010-01-07 14:30:28 +0100 |
---|---|---|
committer | Martin Willi <martin@strongswan.org> | 2010-01-07 14:30:28 +0100 |
commit | 12fca6cc9f3a88348c01fc242a840d02ba106b7c (patch) | |
tree | 38852dbf336187c60c5a499e99710fa75bfb1d6f /src | |
parent | cdad91de494b617382d57b4407ef388eb590a62c (diff) | |
download | strongswan-12fca6cc9f3a88348c01fc242a840d02ba106b7c.tar.bz2 strongswan-12fca6cc9f3a88348c01fc242a840d02ba106b7c.tar.xz |
Indicate and detect support for EAP-only authentication
Diffstat (limited to 'src')
-rw-r--r-- | src/charon/sa/ike_sa.h | 5 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_auth.c | 30 |
2 files changed, 28 insertions, 7 deletions
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 122e23810..4dce1937c 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -91,6 +91,11 @@ enum ike_extension_t {
 * peer uses strongSwan, accept private use extensions
 */
 EXT_STRONGSWAN = (1<<4),
+
+ /**
+ * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
+ */
+ EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
 };
 
 /**
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 7714b28ce..0e81d2bea 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -347,10 +347,16 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 this->peer_cfg->get_ref(this->peer_cfg);
 }
 
- if (message->get_message_id(message) == 1 &&
- this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
- { /* in the first IKE_AUTH, indicate support for multiple authentication */
- message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED, chunk_empty);
+ if (message->get_message_id(message) == 1)
+ { /* in the first IKE_AUTH ... */
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+ { /* indicate support for multiple authentication */
+ message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+ chunk_empty);
+ }
+ /* indicate support for EAP-only authentication */
+ message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
+ chunk_empty);
 }
 
 if (!this->do_another_auth && !this->my_auth)
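Review bot: The new `EAP_ONLY_AUTHENTICATION` notify in build_i is added to every first IKE_AUTH with no check of the peer or of local configuration, while the responder side of this commit accepts it only when `EXT_STRONGSWAN` is set because the notify has no official type. Sending a private-use notify to arbitrary peers advertises the implementation and the capability before the responder has been authenticated. Consider gating it the same way, `if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))`, and presumably only when local policy would actually accept an EAP-only responder. build_i starts and ends outside the hunk, so whether such a policy check exists elsewhere cannot be seen here.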
@@ -468,9 +474,19 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 {
 return NEED_MORE;
 }
- if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
- {
- this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+
+ if (message->get_message_id(message) == 1)
+ { /* check for extensions in the first IKE_AUTH */
+ if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
+ {
+ this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+ }
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+ message->get_notify(message, EAP_ONLY_AUTHENTICATION))
+ { /* EAP-only has no official notify, accept only from strongSwan */
+ this->ike_sa->enable_extension(this->ike_sa,
+ EXT_EAP_ONLY_AUTHENTICATION);
+ }
 }
 
 if (this->other_auth == NULL) |
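Review bot: The `EXT_STRONGSWAN` test in process_r is an interoperability guard rather than a trust decision, and the comment on that branch should say so, since the flag is presumably set from a vendor ID payload that any peer can send before it is authenticated. I would extend the comment to something like `/* EAP-only has no official notify; the vendor ID is unauthenticated, so this only avoids notify-type collisions */`. Enabling `EXT_EAP_ONLY_AUTHENTICATION` here must not by itself relax responder authentication: the code that consumes the flag (not in this diff) should still require an EAP method that provides mutual authentication and derives a key. process_r continues outside the hunk.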