Fixed EAP authentication regression
Use correct nonce/init message again for EAP AUTH payload sent from responder to initiator.
parent
b81917ea00
commit
25f2d52f30
|
@ -44,9 +44,9 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
|
|||
/**
|
||||
* Described in header.
|
||||
*/
|
||||
authenticator_t *authenticator_create_builder(
|
||||
ike_sa_t *ike_sa, auth_cfg_t *cfg,
|
||||
chunk_t received_nonce, chunk_t sent_init)
|
||||
authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
|
||||
chunk_t received_nonce, chunk_t sent_nonce,
|
||||
chunk_t received_init, chunk_t sent_init)
|
||||
{
|
||||
switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
|
||||
{
|
||||
|
@ -60,7 +60,7 @@ authenticator_t *authenticator_create_builder(
|
|||
received_nonce, sent_init);
|
||||
case AUTH_CLASS_EAP:
|
||||
return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
|
||||
received_nonce, sent_init);
|
||||
received_nonce, sent_nonce, received_init, sent_init);
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
|
@ -71,7 +71,8 @@ authenticator_t *authenticator_create_builder(
|
|||
*/
|
||||
authenticator_t *authenticator_create_verifier(
|
||||
ike_sa_t *ike_sa, message_t *message,
|
||||
chunk_t sent_nonce, chunk_t received_init)
|
||||
chunk_t received_nonce, chunk_t sent_nonce,
|
||||
chunk_t received_init, chunk_t sent_init)
|
||||
{
|
||||
auth_payload_t *auth_payload;
|
||||
|
||||
|
@ -79,7 +80,7 @@ authenticator_t *authenticator_create_verifier(
|
|||
if (auth_payload == NULL)
|
||||
{
|
||||
return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
|
||||
sent_nonce, received_init);
|
||||
received_nonce, sent_nonce, received_init, sent_init);
|
||||
}
|
||||
switch (auth_payload->get_auth_method(auth_payload))
|
||||
{
|
||||
|
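Review bot: The rewritten `eap_authenticator_create_verifier(...)` call is still reached for every message that carries no AUTH payload, so the EAP verifier now receives all four transcript inputs but nothing in this function checks that EAP is permitted for this peer; if that policy decision is made by the caller, a one-line comment such as `/* no AUTH payload: peer requests EAP; caller decides whether EAP is allowed */` above the `if (auth_payload == NULL)` would record that. In `authenticator_create_builder` only the `AUTH_CLASS_EAP` case consumes all four chunks while the preceding case visibly keeps `received_nonce, sent_init`, so a short comment on `case AUTH_CLASS_EAP:` explaining that the EAP object both builds and verifies and therefore needs both directions would justify the wider signature. The bodies of both functions start and end outside these hunks.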
|
|
@ -139,24 +139,30 @@ struct authenticator_t {
|
|||
* @param ike_sa associated ike_sa
|
||||
* @param cfg authentication configuration
|
||||
* @param received_nonce nonce received in IKE_SA_INIT
|
||||
* @param sent_nonce nonce sent in IKE_SA_INIT
|
||||
* @param received_init received IKE_SA_INIT message data
|
||||
* @param sent_init sent IKE_SA_INIT message data
|
||||
* @return authenticator, NULL if not supported
|
||||
*/
|
||||
authenticator_t *authenticator_create_builder(
|
||||
ike_sa_t *ike_sa, auth_cfg_t *cfg,
|
||||
chunk_t received_nonce, chunk_t sent_init);
|
||||
chunk_t received_nonce, chunk_t sent_nonce,
|
||||
chunk_t received_init, chunk_t sent_init);
|
||||
|
||||
/**
|
||||
* Create an authenticator to verify signatures.
|
||||
*
|
||||
* @param ike_sa associated ike_sa
|
||||
* @param message message containing authentication data
|
||||
* @param received_nonce nonce received in IKE_SA_INIT
|
||||
* @param sent_nonce nonce sent in IKE_SA_INIT
|
||||
* @param received_init received IKE_SA_INIT message data
|
||||
* @param sent_init sent IKE_SA_INIT message data
|
||||
* @return authenticator, NULL if not supported
|
||||
*/
|
||||
authenticator_t *authenticator_create_verifier(
|
||||
ike_sa_t *ike_sa, message_t *message,
|
||||
chunk_t sent_nonce, chunk_t received_init);
|
||||
chunk_t received_nonce, chunk_t sent_nonce,
|
||||
chunk_t received_init, chunk_t sent_init);
|
||||
|
||||
#endif /** AUTHENTICATOR_H_ @}*/
|
||||
|
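Review bot: The new `@param` lines describe what each chunk is but not which of them each role actually feeds into the AUTH computation, so a caller can transpose the `received_*` and `sent_*` arguments and still compile, since all four are `chunk_t`. A sentence above the parameter list of both prototypes, e.g. `Builders sign sent_init together with received_nonce; verifiers check received_init together with sent_nonce, as defined for the IKEv2 AUTH octets.`, would make the contract explicit. The same wording is missing from the matching prototypes in eap_authenticator.h.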
|
|
@ -38,14 +38,24 @@ struct private_eap_authenticator_t {
|
|||
ike_sa_t *ike_sa;
|
||||
|
||||
/**
|
||||
* nonce to include in AUTH calculation
|
||||
* others nonce to include in AUTH calculation
|
||||
*/
|
||||
chunk_t nonce;
|
||||
chunk_t received_nonce;
|
||||
|
||||
/**
|
||||
* IKE_SA_INIT message data to include in AUTH calculation
|
||||
* our nonce to include in AUTH calculation
|
||||
*/
|
||||
chunk_t ike_sa_init;
|
||||
chunk_t sent_nonce;
|
||||
|
||||
/**
|
||||
* others IKE_SA_INIT message data to include in AUTH calculation
|
||||
*/
|
||||
chunk_t received_init;
|
||||
|
||||
/**
|
||||
* our IKE_SA_INIT message data to include in AUTH calculation
|
||||
*/
|
||||
chunk_t sent_init;
|
||||
|
||||
/**
|
||||
* Current EAP method processing
|
||||
|
@ -349,7 +359,8 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
|
|||
/**
|
||||
* Verify AUTH payload
|
||||
*/
|
||||
static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
|
||||
static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
|
||||
chunk_t nonce, chunk_t init)
|
||||
{
|
||||
auth_payload_t *auth_payload;
|
||||
chunk_t auth_data, recv_auth_data;
|
||||
|
@ -366,8 +377,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
|
|||
}
|
||||
other_id = this->ike_sa->get_other_id(this->ike_sa);
|
||||
keymat = this->ike_sa->get_keymat(this->ike_sa);
|
||||
auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
|
||||
this->nonce, this->msk, other_id);
|
||||
auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
|
||||
this->msk, other_id);
|
||||
recv_auth_data = auth_payload->get_data(auth_payload);
|
||||
if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
|
||||
{
|
||||
|
@ -389,7 +400,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
|
|||
/**
|
||||
* Build AUTH payload
|
||||
*/
|
||||
static void build_auth(private_eap_authenticator_t *this, message_t *message)
|
||||
static void build_auth(private_eap_authenticator_t *this, message_t *message,
|
||||
chunk_t nonce, chunk_t init)
|
||||
{
|
||||
auth_payload_t *auth_payload;
|
||||
identification_t *my_id;
|
||||
|
@ -402,8 +414,7 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message)
|
|||
DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
|
||||
my_id, auth_class_names, AUTH_CLASS_EAP);
|
||||
|
||||
auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
|
||||
this->nonce, this->msk, my_id);
|
||||
auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
|
||||
auth_payload = auth_payload_create();
|
||||
auth_payload->set_auth_method(auth_payload, AUTH_PSK);
|
||||
auth_payload->set_data(auth_payload, auth_data);
|
||||
|
@ -421,7 +432,7 @@ static status_t process_server(private_eap_authenticator_t *this,
|
|||
|
||||
if (this->eap_complete)
|
||||
{
|
||||
if (!verify_auth(this, message))
|
||||
if (!verify_auth(this, message, this->sent_nonce, this->received_init))
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
|
@ -466,7 +477,7 @@ static status_t build_server(private_eap_authenticator_t *this,
|
|||
}
|
||||
if (this->eap_complete && this->auth_complete)
|
||||
{
|
||||
build_auth(this, message);
|
||||
build_auth(this, message, this->received_nonce, this->sent_init);
|
||||
return SUCCESS;
|
||||
}
|
||||
return FAILED;
|
||||
|
@ -482,7 +493,7 @@ static status_t process_client(private_eap_authenticator_t *this,
|
|||
|
||||
if (this->eap_complete)
|
||||
{
|
||||
if (!verify_auth(this, message))
|
||||
if (!verify_auth(this, message, this->sent_nonce, this->received_init))
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
|
@ -557,7 +568,7 @@ static status_t build_client(private_eap_authenticator_t *this,
|
|||
}
|
||||
if (this->eap_complete)
|
||||
{
|
||||
build_auth(this, message);
|
||||
build_auth(this, message, this->received_nonce, this->sent_init);
|
||||
return NEED_MORE;
|
||||
}
|
||||
return NEED_MORE;
|
||||
|
@ -579,7 +590,8 @@ static void destroy(private_eap_authenticator_t *this)
|
|||
* Described in header.
|
||||
*/
|
||||
eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
|
||||
chunk_t received_nonce, chunk_t sent_init)
|
||||
chunk_t received_nonce, chunk_t sent_nonce,
|
||||
chunk_t received_init, chunk_t sent_init)
|
||||
{
|
||||
private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
|
||||
|
||||
|
@ -588,8 +600,10 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
|
|||
this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
|
||||
|
||||
this->ike_sa = ike_sa;
|
||||
this->ike_sa_init = sent_init;
|
||||
this->nonce = received_nonce;
|
||||
this->received_init = received_init;
|
||||
this->received_nonce = received_nonce;
|
||||
this->sent_init = sent_init;
|
||||
this->sent_nonce = sent_nonce;
|
||||
this->msk = chunk_empty;
|
||||
this->method = NULL;
|
||||
this->eap_payload = NULL;
|
||||
|
@ -604,7 +618,8 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
|
|||
* Described in header.
|
||||
*/
|
||||
eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
|
||||
chunk_t sent_nonce, chunk_t received_init)
|
||||
chunk_t received_nonce, chunk_t sent_nonce,
|
||||
chunk_t received_init, chunk_t sent_init)
|
||||
{
|
||||
private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
|
||||
|
||||
|
@ -613,8 +628,10 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
|
|||
this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
|
||||
|
||||
this->ike_sa = ike_sa;
|
||||
this->ike_sa_init = received_init;
|
||||
this->nonce = sent_nonce;
|
||||
this->received_init = received_init;
|
||||
this->received_nonce = received_nonce;
|
||||
this->sent_init = sent_init;
|
||||
this->sent_nonce = sent_nonce;
|
||||
this->msk = chunk_empty;
|
||||
this->method = NULL;
|
||||
this->eap_payload = NULL;
|
||||
|
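Review bot: `verify_auth` and `build_auth` now take `nonce` and `init` as parameters but their headers still read only `Verify AUTH payload` and `Build AUTH payload`, so the role-dependent choice (verifier: own nonce plus the peer's IKE_SA_INIT; builder: peer's nonce plus own IKE_SA_INIT) is documented only implicitly at the four call sites in process_server, process_client, build_server and build_client. Add `@param nonce our nonce as sent in IKE_SA_INIT` and `@param init the peer's IKE_SA_INIT message data` to `verify_auth`, and the mirrored pair (`the peer's nonce`, `our IKE_SA_INIT message data`) to `build_auth`, so a future caller cannot swap them without noticing. Separately, the context line `if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))` is where the computed and received AUTH values meet; unless `chunk_equals` is length-independent in this tree, a constant-time comparison would be preferable there, though that predates this commit. Both functions continue outside the hunk.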
|
|
@ -72,21 +72,27 @@ struct eap_authenticator_t {
|
|||
*
|
||||
* @param ike_sa associated ike_sa
|
||||
* @param received_nonce nonce received in IKE_SA_INIT
|
||||
* @param sent_nonce nonce sent in IKE_SA_INIT
|
||||
* @param received_init received IKE_SA_INIT message data
|
||||
* @param sent_init sent IKE_SA_INIT message data
|
||||
* @return EAP authenticator
|
||||
*/
|
||||
eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
|
||||
chunk_t received_nonce, chunk_t sent_init);
|
||||
chunk_t received_nonce, chunk_t sent_nonce,
|
||||
chunk_t received_init, chunk_t sent_init);
|
||||
|
||||
/**
|
||||
* Create an authenticator to authenticate EAP clients.
|
||||
*
|
||||
* @param ike_sa associated ike_sa
|
||||
* @param received_nonce nonce received in IKE_SA_INIT
|
||||
* @param sent_nonce nonce sent in IKE_SA_INIT
|
||||
* @param received_init received IKE_SA_INIT message data
|
||||
* @param sent_init sent IKE_SA_INIT message data
|
||||
* @return EAP authenticator
|
||||
*/
|
||||
eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
|
||||
chunk_t sent_nonce, chunk_t received_init);
|
||||
chunk_t received_nonce, chunk_t sent_nonce,
|
||||
chunk_t received_init, chunk_t sent_init);
|
||||
|
||||
#endif /** EAP_AUTHENTICATOR_H_ @}*/
|
||||
|
|
|
@ -412,9 +412,10 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
|
|||
message->add_payload(message, (payload_t*)id_payload);
|
||||
|
||||
/* build authentication data */
|
||||
this->my_auth = authenticator_create_builder(
|
||||
this->ike_sa, cfg, this->other_nonce,
|
||||
this->my_packet->get_data(this->my_packet));
|
||||
this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
|
||||
this->other_nonce, this->my_nonce,
|
||||
this->other_packet->get_data(this->other_packet),
|
||||
this->my_packet->get_data(this->my_packet));
|
||||
if (!this->my_auth)
|
||||
{
|
||||
return FAILED;
|
||||
|
@ -531,9 +532,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
|
|||
}
|
||||
|
||||
/* verify authentication data */
|
||||
this->other_auth = authenticator_create_verifier(
|
||||
this->ike_sa, message, this->my_nonce,
|
||||
this->other_packet->get_data(this->other_packet));
|
||||
this->other_auth = authenticator_create_verifier(this->ike_sa,
|
||||
message, this->other_nonce, this->my_nonce,
|
||||
this->other_packet->get_data(this->other_packet),
|
||||
this->my_packet->get_data(this->my_packet));
|
||||
if (!this->other_auth)
|
||||
{
|
||||
this->authentication_failed = TRUE;
|
||||
|
@ -651,9 +653,10 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
|
|||
message->add_payload(message, (payload_t*)id_payload);
|
||||
|
||||
/* build authentication data */
|
||||
this->my_auth = authenticator_create_builder(
|
||||
this->ike_sa, cfg, this->other_nonce,
|
||||
this->my_packet->get_data(this->my_packet));
|
||||
this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
|
||||
this->other_nonce, this->my_nonce,
|
||||
this->other_packet->get_data(this->other_packet),
|
||||
this->my_packet->get_data(this->my_packet));
|
||||
if (!this->my_auth)
|
||||
{
|
||||
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
||||
|
@ -856,9 +859,10 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
|
|||
cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
|
||||
|
||||
/* verify authentication data */
|
||||
this->other_auth = authenticator_create_verifier(
|
||||
this->ike_sa, message, this->my_nonce,
|
||||
this->other_packet->get_data(this->other_packet));
|
||||
this->other_auth = authenticator_create_verifier(this->ike_sa,
|
||||
message, this->other_nonce, this->my_nonce,
|
||||
this->other_packet->get_data(this->other_packet),
|
||||
this->my_packet->get_data(this->my_packet));
|
||||
if (!this->other_auth)
|
||||
{
|
||||
return FAILED;
|
||||
|
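Review bot: The same four-argument sequence (`this->other_nonce, this->my_nonce`, then the `other_packet` and `my_packet` bodies) is now written out at four call sites in build_i, process_r, build_r and process_i, and since every argument is a `chunk_t` a transposition at any one of them would compile silently. A one-line comment at each site, `/* peer's nonce, our nonce, peer's IKE_SA_INIT, our IKE_SA_INIT */`, or a small `static` helper that fetches the two packet bodies and calls the constructor, would make the order checkable at a glance. Each enclosing function starts and ends outside its hunk.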
|