diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c
index 53bba83b1..ea8a16279 100644
--- a/src/charon/sa/authenticators/authenticator.c
+++ b/src/charon/sa/authenticators/authenticator.c
@@ -44,9 +44,9 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
 /**
 * Described in header.
 */
-authenticator_t *authenticator_create_builder(
- ike_sa_t *ike_sa, auth_cfg_t *cfg,
- chunk_t received_nonce, chunk_t sent_init)
+authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
 {
 switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
 {
@@ -60,7 +60,7 @@ authenticator_t *authenticator_create_builder(
 received_nonce, sent_init);
 case AUTH_CLASS_EAP:
 return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
- received_nonce, sent_init);
+ received_nonce, sent_nonce, received_init, sent_init);
 default:
 return NULL;
 }
@@ -71,7 +71,8 @@ authenticator_t *authenticator_create_builder(
 */
 authenticator_t *authenticator_create_verifier(
 ike_sa_t *ike_sa, message_t *message,
- chunk_t sent_nonce, chunk_t received_init)
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
 {
 auth_payload_t *auth_payload;
 
@@ -79,7 +80,7 @@ authenticator_t *authenticator_create_verifier(
 if (auth_payload == NULL)
 {
 return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
- sent_nonce, received_init);
+ received_nonce, sent_nonce, received_init, sent_init);
 }
 switch (auth_payload->get_auth_method(auth_payload))
 {
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
index 70146dced..c60881629 100644
--- a/src/charon/sa/authenticators/authenticator.h
+++ b/src/charon/sa/authenticators/authenticator.h
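Review bot: After this commit the two sibling constructors in this file are laid out differently: the first hunk moves `ike_sa_t *ike_sa, auth_cfg_t *cfg` onto the declarator line of `authenticator_create_builder`, while the third hunk keeps `authenticator_create_verifier(` alone on its line with every parameter wrapped below it. Pick one shape for both, e.g. `authenticator_t *authenticator_create_verifier(ike_sa_t *ike_sa, message_t *message,` followed by the two `chunk_t` lines. A short comment at `case AUTH_CLASS_EAP:` saying that only the EAP authenticator consumes `sent_nonce` and `received_init` would also help, since the preceding case (whose call tail `received_nonce, sent_init);` is the second hunk's first context line) still receives just two of the four chunks, which a reader of the widened signature may otherwise take for an omission. Both functions continue outside the hunks shown.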
@@ -139,24 +139,30 @@ struct authenticator_t {
 * @param ike_sa associated ike_sa
 * @param cfg authentication configuration
 * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
 * @param sent_init sent IKE_SA_INIT message data
 * @return authenticator, NULL if not supported
 */
 authenticator_t *authenticator_create_builder(
 ike_sa_t *ike_sa, auth_cfg_t *cfg,
- chunk_t received_nonce, chunk_t sent_init);
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
 
 /**
 * Create an authenticator to verify signatures.
 *
 * @param ike_sa associated ike_sa
 * @param message message containing authentication data
+ * @param received_nonce nonce received in IKE_SA_INIT
 * @param sent_nonce nonce sent in IKE_SA_INIT
 * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
 * @return authenticator, NULL if not supported
 */
 authenticator_t *authenticator_create_verifier(
 ike_sa_t *ike_sa, message_t *message,
- chunk_t sent_nonce, chunk_t received_init)
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
 
 #endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 09b6d06dd..1bd8e7898 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -38,14 +38,24 @@ struct private_eap_authenticator_t {
 ike_sa_t *ike_sa;
 
 /**
- * nonce to include in AUTH calculation
+ * others nonce to include in AUTH calculation
 */
- chunk_t nonce;
+ chunk_t received_nonce;
 
 /**
- * IKE_SA_INIT message data to include in AUTH calculation
+ * our nonce to include in AUTH calculation
 */
- chunk_t ike_sa_init;
+ chunk_t sent_nonce;
+
+ /**
+ * others IKE_SA_INIT message data to include in AUTH calculation
+ */
+ chunk_t received_init;
+
+ /**
+ * our IKE_SA_INIT message data to include in AUTH calculation
+ */
+ chunk_t sent_init;
 
 /**
 * Current EAP method processing
@@ -349,7 +359,8 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 /**
 * Verify AUTH payload
 */
-static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
+static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
+ chunk_t nonce, chunk_t init)
 {
 auth_payload_t *auth_payload;
 chunk_t auth_data, recv_auth_data;
@@ -366,8 +377,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
 }
 other_id = this->ike_sa->get_other_id(this->ike_sa);
 keymat = this->ike_sa->get_keymat(this->ike_sa);
- auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
- this->nonce, this->msk, other_id);
+ auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
+ this->msk, other_id);
 recv_auth_data = auth_payload->get_data(auth_payload);
 if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
 {
@@ -389,7 +400,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
 /**
 * Build AUTH payload
 */
-static void build_auth(private_eap_authenticator_t *this, message_t *message)
+static void build_auth(private_eap_authenticator_t *this, message_t *message,
+ chunk_t nonce, chunk_t init)
 {
 auth_payload_t *auth_payload;
 identification_t *my_id;
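Review bot: `verify_auth` and `build_auth` gain `nonce` and `init` parameters, but their doc comments (`Verify AUTH payload`, `Build AUTH payload`) do not say which side's values each expects, and that pairing is exactly what decides whether the AUTH octets handed to `get_psk_sig` are the right ones. The later call sites verify with `this->sent_nonce, this->received_init` and build with `this->received_nonce, this->sent_init`, so I would state that at both signatures: for `verify_auth`, `@param nonce our own nonce (sent_nonce)` and `@param init the peer's IKE_SA_INIT message data (received_init)`; for `build_auth`, `@param nonce the peer's nonce (received_nonce)` and `@param init our own IKE_SA_INIT message data (sent_init)`. The new field comments `others nonce` and `others IKE_SA_INIT message data` in the first hunk would read better as `the peer's nonce` and `the peer's IKE_SA_INIT message data`, matching the `our ...` wording of their siblings. Both functions continue beyond the hunks shown.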
@@ -402,8 +414,7 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message)
 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
 my_id, auth_class_names, AUTH_CLASS_EAP);
 
- auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
- this->nonce, this->msk, my_id);
+ auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
 auth_payload = auth_payload_create();
 auth_payload->set_auth_method(auth_payload, AUTH_PSK);
 auth_payload->set_data(auth_payload, auth_data);
@@ -421,7 +432,7 @@ static status_t process_server(private_eap_authenticator_t *this,
 
 if (this->eap_complete)
 {
- if (!verify_auth(this, message))
+ if (!verify_auth(this, message, this->sent_nonce, this->received_init))
 {
 return FAILED;
 }
@@ -466,7 +477,7 @@ static status_t build_server(private_eap_authenticator_t *this,
 }
 if (this->eap_complete && this->auth_complete)
 {
- build_auth(this, message);
+ build_auth(this, message, this->received_nonce, this->sent_init);
 return SUCCESS;
 }
 return FAILED;
@@ -482,7 +493,7 @@ static status_t process_client(private_eap_authenticator_t *this,
 
 if (this->eap_complete)
 {
- if (!verify_auth(this, message))
+ if (!verify_auth(this, message, this->sent_nonce, this->received_init))
 {
 return FAILED;
 }
@@ -557,7 +568,7 @@ static status_t build_client(private_eap_authenticator_t *this,
 }
 if (this->eap_complete)
 {
- build_auth(this, message);
+ build_auth(this, message, this->received_nonce, this->sent_init);
 return NEED_MORE;
 }
 return NEED_MORE;
@@ -579,7 +590,8 @@ static void destroy(private_eap_authenticator_t *this)
 * Described in header.
 */
 eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
- chunk_t received_nonce, chunk_t sent_init)
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
 {
 private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
 
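Review bot: Every caller in these hunks passes the same fixed pairing: both `verify_auth` calls (process_server, process_client) use `this->sent_nonce, this->received_init`, and both `build_auth` calls (build_server, build_client) use `this->received_nonce, this->sent_init`. Since all four values now live in the object, the new parameters never vary by caller; they only move the nonce/init pairing that the AUTH computation depends on out of the two helpers into four call sites that must each get it right. Unless a caller is expected to need a different pairing, I would let the helpers read the fields themselves, e.g. `auth_data = keymat->get_psk_sig(keymat, TRUE, this->received_init, this->sent_nonce, this->msk, other_id);` in verify_auth and the `FALSE` counterpart with `this->sent_init, this->received_nonce` in build_auth, and drop the two extra parameters again. The enclosing functions all start and end outside the hunks.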
@@ -588,8 +600,10 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
 
 this->ike_sa = ike_sa;
- this->ike_sa_init = sent_init;
- this->nonce = received_nonce;
+ this->received_init = received_init;
+ this->received_nonce = received_nonce;
+ this->sent_init = sent_init;
+ this->sent_nonce = sent_nonce;
 this->msk = chunk_empty;
 this->method = NULL;
 this->eap_payload = NULL;
@@ -604,7 +618,8 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 * Described in header.
 */
 eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
- chunk_t sent_nonce, chunk_t received_init)
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
 {
 private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
 
@@ -613,8 +628,10 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
 
 this->ike_sa = ike_sa;
- this->ike_sa_init = received_init;
- this->nonce = sent_nonce;
+ this->received_init = received_init;
+ this->received_nonce = received_nonce;
+ this->sent_init = sent_init;
+ this->sent_nonce = sent_nonce;
 this->msk = chunk_empty;
 this->method = NULL;
 this->eap_payload = NULL;
diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h
index e650b0ef6..b90a6f4df 100644
--- a/src/charon/sa/authenticators/eap_authenticator.h
+++ b/src/charon/sa/authenticators/eap_authenticator.h
@@ -72,21 +72,27 @@ struct eap_authenticator_t {
 *
 * @param ike_sa associated ike_sa
 * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
 * @param sent_init sent IKE_SA_INIT message data
 * @return EAP authenticator
 */
 eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
- chunk_t received_nonce, chunk_t sent_init);
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
 
 /**
 * Create an authenticator to authenticate EAP clients.
 *
 * @param ike_sa associated ike_sa
+ * @param received_nonce nonce received in IKE_SA_INIT
 * @param sent_nonce nonce sent in IKE_SA_INIT
 * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
 * @return EAP authenticator
 */
 eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
- chunk_t sent_nonce, chunk_t received_init);
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
 
 #endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 4456aae90..8d6cd56bd 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -412,9 +412,10 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 message->add_payload(message, (payload_t*)id_payload);
 
 /* build authentication data */
- this->my_auth = authenticator_create_builder(
- this->ike_sa, cfg, this->other_nonce,
- this->my_packet->get_data(this->my_packet));
+ this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+ this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet));
 if (!this->my_auth)
 {
 return FAILED;
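Review bot: `build_i` now dereferences `this->other_packet` where the old code only touched `this->my_packet`, and the three hunks on the next line widen the same way (`build_r` likewise, while `process_r` and `process_i` newly dereference `this->my_packet`). Whether both packets are guaranteed to be stored by the time IKE_AUTH is built or processed is not visible in the hunk; if the task relies on IKE_SA_INIT having been handled first, a comment at this first new call such as `/* my_packet and other_packet were both stored while handling IKE_SA_INIT */` makes that invariant explicit for the next reader, and if it is not guaranteed a NULL check that returns FAILED belongs in front of the call. Writing it once here covers the other three sites. The enclosing function starts and ends outside the hunk.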
@@ -531,9 +532,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 }
 
 /* verify authentication data */
- this->other_auth = authenticator_create_verifier(
- this->ike_sa, message, this->my_nonce,
- this->other_packet->get_data(this->other_packet));
+ this->other_auth = authenticator_create_verifier(this->ike_sa,
+ message, this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet));
 if (!this->other_auth)
 {
 this->authentication_failed = TRUE;
@@ -651,9 +653,10 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 message->add_payload(message, (payload_t*)id_payload);
 
 /* build authentication data */
- this->my_auth = authenticator_create_builder(
- this->ike_sa, cfg, this->other_nonce,
- this->my_packet->get_data(this->my_packet));
+ this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+ this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet));
 if (!this->my_auth)
 {
 message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -856,9 +859,10 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
 
 /* verify authentication data */
- this->other_auth = authenticator_create_verifier(
- this->ike_sa, message, this->my_nonce,
- this->other_packet->get_data(this->other_packet));
+ this->other_auth = authenticator_create_verifier(this->ike_sa,
+ message, this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet));
 if (!this->other_auth)
 {
 return FAILED;