ike-auth: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH
This commit is contained in:
parent
b1348ae9d4
commit
4b99524e34
|
@ -130,6 +130,11 @@ struct private_ike_auth_t {
|
|||
*/
|
||||
bool eap_acceptable;
|
||||
|
||||
/**
|
||||
* Whether we already handled the first IKE_AUTH message
|
||||
*/
|
||||
bool first_auth;
|
||||
|
||||
/**
|
||||
* Gateway ID if redirected
|
||||
*/
|
||||
|
@ -587,10 +592,20 @@ METHOD(task_t, build_i, status_t,
|
|||
private_ike_auth_t *this, message_t *message)
|
||||
{
|
||||
auth_cfg_t *cfg;
|
||||
bool first_auth = FALSE;
|
||||
|
||||
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
||||
switch (message->get_exchange_type(message))
|
||||
{
|
||||
return collect_my_init_data(this, message);
|
||||
case IKE_SA_INIT:
|
||||
return collect_my_init_data(this, message);
|
||||
case IKE_AUTH:
|
||||
if (!this->first_auth)
|
||||
{ /* some special handling for the first IKE_AUTH message below */
|
||||
first_auth = this->first_auth = TRUE;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
if (!this->peer_cfg)
|
||||
|
@ -599,7 +614,7 @@ METHOD(task_t, build_i, status_t,
|
|||
this->peer_cfg->get_ref(this->peer_cfg);
|
||||
}
|
||||
|
||||
if (message->get_message_id(message) == 1)
|
||||
if (first_auth)
|
||||
{ /* in the first IKE_AUTH ... */
|
||||
if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
|
||||
{ /* indicate support for multiple authentication */
|
||||
|
@ -667,8 +682,7 @@ METHOD(task_t, build_i, status_t,
|
|||
get_reserved_id_bytes(this, id_payload);
|
||||
message->add_payload(message, (payload_t*)id_payload);
|
||||
|
||||
if (idr && !idr->contains_wildcards(idr) &&
|
||||
message->get_message_id(message) == 1 &&
|
||||
if (idr && !idr->contains_wildcards(idr) && first_auth &&
|
||||
this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
|
||||
{
|
||||
host_t *host;
|
||||
|
@ -743,9 +757,14 @@ METHOD(task_t, process_r, status_t,
|
|||
id_payload_t *id_payload;
|
||||
identification_t *id;
|
||||
|
||||
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
||||
switch (message->get_exchange_type(message))
|
||||
{
|
||||
return collect_other_init_data(this, message);
|
||||
case IKE_SA_INIT:
|
||||
return collect_other_init_data(this, message);
|
||||
case IKE_AUTH:
|
||||
break;
|
||||
default:
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
if (!this->my_auth && this->do_another_auth)
|
||||
|
@ -768,7 +787,7 @@ METHOD(task_t, process_r, status_t,
|
|||
return NEED_MORE;
|
||||
}
|
||||
|
||||
if (message->get_message_id(message) == 1)
|
||||
if (!this->first_auth)
|
||||
{ /* check for extensions in the first IKE_AUTH */
|
||||
if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
|
||||
{
|
||||
|
@ -783,6 +802,7 @@ METHOD(task_t, process_r, status_t,
|
|||
{
|
||||
this->initial_contact = TRUE;
|
||||
}
|
||||
this->first_auth = TRUE;
|
||||
}
|
||||
|
||||
if (!this->other_auth)
|
||||
|
@ -949,14 +969,19 @@ METHOD(task_t, build_r, status_t,
|
|||
identification_t *gateway;
|
||||
auth_cfg_t *cfg;
|
||||
|
||||
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
||||
switch (message->get_exchange_type(message))
|
||||
{
|
||||
if (multiple_auth_enabled())
|
||||
{
|
||||
message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
|
||||
chunk_empty);
|
||||
}
|
||||
return collect_my_init_data(this, message);
|
||||
case IKE_SA_INIT:
|
||||
if (multiple_auth_enabled())
|
||||
{
|
||||
message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
|
||||
chunk_empty);
|
||||
}
|
||||
return collect_my_init_data(this, message);
|
||||
case IKE_AUTH:
|
||||
break;
|
||||
default:
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
if (this->authentication_failed || !this->peer_cfg)
|
||||
|
@ -1224,14 +1249,19 @@ METHOD(task_t, process_i, status_t,
|
|||
auth_cfg_t *cfg;
|
||||
bool mutual_eap = FALSE, ppk_id_received = FALSE;
|
||||
|
||||
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
||||
switch (message->get_exchange_type(message))
|
||||
{
|
||||
if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
|
||||
multiple_auth_enabled())
|
||||
{
|
||||
this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
|
||||
}
|
||||
return collect_other_init_data(this, message);
|
||||
case IKE_SA_INIT:
|
||||
if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
|
||||
multiple_auth_enabled())
|
||||
{
|
||||
this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
|
||||
}
|
||||
return collect_other_init_data(this, message);
|
||||
case IKE_AUTH:
|
||||
break;
|
||||
default:
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
enumerator = message->create_payload_enumerator(message);
|
||||
|
@ -1513,6 +1543,7 @@ METHOD(task_t, migrate, void,
|
|||
this->expect_another_auth = TRUE;
|
||||
this->authentication_failed = FALSE;
|
||||
this->candidates = linked_list_create();
|
||||
this->first_auth = FALSE;
|
||||
}
|
||||
|
||||
METHOD(task_t, destroy, void,
|
||||
|
|
Loading…
Reference in New Issue