Fixed EAP authentication regression

Use the correct nonce and IKE_SA_INIT message again for the EAP AUTH
payload sent from the responder to the initiator.
This commit is contained in:
Martin Willi 2009-05-11 10:35:44 +02:00
parent b81917ea00
commit 25f2d52f30
5 changed files with 76 additions and 42 deletions


@ -44,9 +44,9 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
/**
* Described in header.
*/
authenticator_t *authenticator_create_builder(
ike_sa_t *ike_sa, auth_cfg_t *cfg,
chunk_t received_nonce, chunk_t sent_init)
authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
chunk_t received_nonce, chunk_t sent_nonce,
chunk_t received_init, chunk_t sent_init)
{
switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
{
@ -60,7 +60,7 @@ authenticator_t *authenticator_create_builder(
received_nonce, sent_init);
case AUTH_CLASS_EAP:
return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
received_nonce, sent_init);
received_nonce, sent_nonce, received_init, sent_init);
default:
return NULL;
}
@ -71,7 +71,8 @@ authenticator_t *authenticator_create_builder(
*/
authenticator_t *authenticator_create_verifier(
ike_sa_t *ike_sa, message_t *message,
chunk_t sent_nonce, chunk_t received_init)
chunk_t received_nonce, chunk_t sent_nonce,
chunk_t received_init, chunk_t sent_init)
{
auth_payload_t *auth_payload;
@ -79,7 +80,7 @@ authenticator_t *authenticator_create_verifier(
if (auth_payload == NULL)
{
return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
sent_nonce, received_init);
received_nonce, sent_nonce, received_init, sent_init);
}
switch (auth_payload->get_auth_method(auth_payload))
{


@ -139,24 +139,30 @@ struct authenticator_t {
* @param ike_sa associated ike_sa
* @param cfg authentication configuration
* @param received_nonce nonce received in IKE_SA_INIT
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
* @param sent_init sent IKE_SA_INIT message data
* @return authenticator, NULL if not supported
*/
authenticator_t *authenticator_create_builder(
ike_sa_t *ike_sa, auth_cfg_t *cfg,
chunk_t received_nonce, chunk_t sent_init);
chunk_t received_nonce, chunk_t sent_nonce,
chunk_t received_init, chunk_t sent_init);
/**
* Create an authenticator to verify signatures.
*
* @param ike_sa associated ike_sa
* @param message message containing authentication data
* @param received_nonce nonce received in IKE_SA_INIT
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
* @param sent_init sent IKE_SA_INIT message data
* @return authenticator, NULL if not supported
*/
authenticator_t *authenticator_create_verifier(
ike_sa_t *ike_sa, message_t *message,
chunk_t sent_nonce, chunk_t received_init);
chunk_t received_nonce, chunk_t sent_nonce,
chunk_t received_init, chunk_t sent_init);
#endif /** AUTHENTICATOR_H_ @}*/
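Review bot: The new @param lines for authenticator_create_builder and authenticator_create_verifier name all four chunks but do not say why a builder now needs sent_nonce/received_init or why a verifier needs received_nonce/sent_init, which is the whole reason for this change. In the authenticator.c section only the AUTH_CLASS_EAP branch forwards all four, while the visible non-EAP builder branch still passes just received_nonce/sent_init, and in eap_authenticator.c the same object both verifies and builds AUTH over the course of the EAP exchange. One sentence in each doc comment would spare the next reader that trip, e.g. `* All four chunks are required because the EAP authenticator verifies and builds AUTH on the same object; the other classes visible here use only the pair for their own direction.` The non-EAP verifier branches are outside the hunk, so whether they use more than one pair cannot be confirmed from this page.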


@ -38,14 +38,24 @@ struct private_eap_authenticator_t {
ike_sa_t *ike_sa;
/**
* nonce to include in AUTH calculation
* others nonce to include in AUTH calculation
*/
chunk_t nonce;
chunk_t received_nonce;
/**
* IKE_SA_INIT message data to include in AUTH calculation
* our nonce to include in AUTH calculation
*/
chunk_t ike_sa_init;
chunk_t sent_nonce;
/**
* others IKE_SA_INIT message data to include in AUTH calculation
*/
chunk_t received_init;
/**
* our IKE_SA_INIT message data to include in AUTH calculation
*/
chunk_t sent_init;
/**
* Current EAP method processing
@ -349,7 +359,8 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
/**
* Verify AUTH payload
*/
static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
chunk_t nonce, chunk_t init)
{
auth_payload_t *auth_payload;
chunk_t auth_data, recv_auth_data;
@ -366,8 +377,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
}
other_id = this->ike_sa->get_other_id(this->ike_sa);
keymat = this->ike_sa->get_keymat(this->ike_sa);
auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
this->nonce, this->msk, other_id);
auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
this->msk, other_id);
recv_auth_data = auth_payload->get_data(auth_payload);
if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
{
@ -389,7 +400,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
/**
* Build AUTH payload
*/
static void build_auth(private_eap_authenticator_t *this, message_t *message)
static void build_auth(private_eap_authenticator_t *this, message_t *message,
chunk_t nonce, chunk_t init)
{
auth_payload_t *auth_payload;
identification_t *my_id;
@ -402,8 +414,7 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message)
DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
my_id, auth_class_names, AUTH_CLASS_EAP);
auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
this->nonce, this->msk, my_id);
auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
auth_payload = auth_payload_create();
auth_payload->set_auth_method(auth_payload, AUTH_PSK);
auth_payload->set_data(auth_payload, auth_data);
@ -421,7 +432,7 @@ static status_t process_server(private_eap_authenticator_t *this,
if (this->eap_complete)
{
if (!verify_auth(this, message))
if (!verify_auth(this, message, this->sent_nonce, this->received_init))
{
return FAILED;
}
@ -466,7 +477,7 @@ static status_t build_server(private_eap_authenticator_t *this,
}
if (this->eap_complete && this->auth_complete)
{
build_auth(this, message);
build_auth(this, message, this->received_nonce, this->sent_init);
return SUCCESS;
}
return FAILED;
@ -482,7 +493,7 @@ static status_t process_client(private_eap_authenticator_t *this,
if (this->eap_complete)
{
if (!verify_auth(this, message))
if (!verify_auth(this, message, this->sent_nonce, this->received_init))
{
return FAILED;
}
@ -557,7 +568,7 @@ static status_t build_client(private_eap_authenticator_t *this,
}
if (this->eap_complete)
{
build_auth(this, message);
build_auth(this, message, this->received_nonce, this->sent_init);
return NEED_MORE;
}
return NEED_MORE;
@ -579,7 +590,8 @@ static void destroy(private_eap_authenticator_t *this)
* Described in header.
*/
eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
chunk_t received_nonce, chunk_t sent_init)
chunk_t received_nonce, chunk_t sent_nonce,
chunk_t received_init, chunk_t sent_init)
{
private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
@ -588,8 +600,10 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
this->ike_sa = ike_sa;
this->ike_sa_init = sent_init;
this->nonce = received_nonce;
this->received_init = received_init;
this->received_nonce = received_nonce;
this->sent_init = sent_init;
this->sent_nonce = sent_nonce;
this->msk = chunk_empty;
this->method = NULL;
this->eap_payload = NULL;
@ -604,7 +618,8 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
* Described in header.
*/
eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
chunk_t sent_nonce, chunk_t received_init)
chunk_t received_nonce, chunk_t sent_nonce,
chunk_t received_init, chunk_t sent_init)
{
private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
@ -613,8 +628,10 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
this->ike_sa = ike_sa;
this->ike_sa_init = received_init;
this->nonce = sent_nonce;
this->received_init = received_init;
this->received_nonce = received_nonce;
this->sent_init = sent_init;
this->sent_nonce = sent_nonce;
this->msk = chunk_empty;
this->method = NULL;
this->eap_payload = NULL;
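Review bot: verify_auth and build_auth take the nonce/init pair as parameters even though the private struct now stores all four chunks and every caller in this section passes the same fixed pair (sent_nonce/received_init to verify, received_nonce/sent_init to build), so the parameters only leave four call sites where the mismatch this commit fixes could be reintroduced. Reading the pair from `this` inside each function pins the direction in one place and gives a natural spot for the rule: the AUTH we verify covers the peer's IKE_SA_INIT plus the nonce we sent, and the AUTH we build covers the IKE_SA_INIT we sent plus the peer's nonce (RFC 4306 section 2.15). The closing braces of both functions and the bodies of the four callers lie outside the hunks shown.
```c
/* the peer's AUTH covers the peer's IKE_SA_INIT and the nonce we sent */
static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
{
	/* … unchanged: AUTH payload lookup, other_id, keymat … */
	auth_data = keymat->get_psk_sig(keymat, TRUE, this->received_init,
									this->sent_nonce, this->msk, other_id);
	/* … unchanged: comparison against the received AUTH data … */

/* our AUTH covers the IKE_SA_INIT we sent and the nonce the peer sent */
static void build_auth(private_eap_authenticator_t *this, message_t *message)
{
	/* … unchanged: my_id, keymat, DBG1 … */
	auth_data = keymat->get_psk_sig(keymat, FALSE, this->sent_init,
									this->received_nonce, this->msk, my_id);
	/* … unchanged: AUTH payload creation … */

/* in process_server and process_client: */
	if (!verify_auth(this, message))
/* in build_server and build_client: */
	build_auth(this, message);
```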


@ -72,21 +72,27 @@ struct eap_authenticator_t {
*
* @param ike_sa associated ike_sa
* @param received_nonce nonce received in IKE_SA_INIT
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
* @param sent_init sent IKE_SA_INIT message data
* @return EAP authenticator
*/
eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
chunk_t received_nonce, chunk_t sent_init);
chunk_t received_nonce, chunk_t sent_nonce,
chunk_t received_init, chunk_t sent_init);
/**
* Create an authenticator to authenticate EAP clients.
*
* @param ike_sa associated ike_sa
* @param received_nonce nonce received in IKE_SA_INIT
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
* @param sent_init sent IKE_SA_INIT message data
* @return EAP authenticator
*/
eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
chunk_t sent_nonce, chunk_t received_init);
chunk_t received_nonce, chunk_t sent_nonce,
chunk_t received_init, chunk_t sent_init);
#endif /** EAP_AUTHENTICATOR_H_ @}*/


@ -412,9 +412,10 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
message->add_payload(message, (payload_t*)id_payload);
/* build authentication data */
this->my_auth = authenticator_create_builder(
this->ike_sa, cfg, this->other_nonce,
this->my_packet->get_data(this->my_packet));
this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
this->other_nonce, this->my_nonce,
this->other_packet->get_data(this->other_packet),
this->my_packet->get_data(this->my_packet));
if (!this->my_auth)
{
return FAILED;
@ -531,9 +532,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
}
/* verify authentication data */
this->other_auth = authenticator_create_verifier(
this->ike_sa, message, this->my_nonce,
this->other_packet->get_data(this->other_packet));
this->other_auth = authenticator_create_verifier(this->ike_sa,
message, this->other_nonce, this->my_nonce,
this->other_packet->get_data(this->other_packet),
this->my_packet->get_data(this->my_packet));
if (!this->other_auth)
{
this->authentication_failed = TRUE;
@ -651,9 +653,10 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
message->add_payload(message, (payload_t*)id_payload);
/* build authentication data */
this->my_auth = authenticator_create_builder(
this->ike_sa, cfg, this->other_nonce,
this->my_packet->get_data(this->my_packet));
this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
this->other_nonce, this->my_nonce,
this->other_packet->get_data(this->other_packet),
this->my_packet->get_data(this->my_packet));
if (!this->my_auth)
{
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@ -856,9 +859,10 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
/* verify authentication data */
this->other_auth = authenticator_create_verifier(
this->ike_sa, message, this->my_nonce,
this->other_packet->get_data(this->other_packet));
this->other_auth = authenticator_create_verifier(this->ike_sa,
message, this->other_nonce, this->my_nonce,
this->other_packet->get_data(this->other_packet),
this->my_packet->get_data(this->my_packet));
if (!this->other_auth)
{
return FAILED;