ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Allow clients to request a configured EAP method via EAP-Nak

This commit is contained in:
Tobias Brunner 2012-08-21 17:11:14 +02:00
parent 34742f1bf8
commit 78e8dca94f
5 changed files with 37 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/libcharon/encoding/payloads/eap_payload.c
View File

@ -336,7 +336,8 @@ static void write_type(bio_writer_t *writer, eap_type_t type, u_int32_t vendor,
/* /*
* Described in header * Described in header
*/ */
eap_payload_t *eap_payload_create_nak(u_int8_t identifier, bool expanded) eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
u_int32_t vendor, bool expanded)
{ {
enumerator_t *enumerator; enumerator_t *enumerator;
eap_type_t reg_type; eap_type_t reg_type;
@ -356,6 +357,11 @@ eap_payload_t *eap_payload_create_nak(u_int8_t identifier, bool expanded)
enumerator = charon->eap->create_enumerator(charon->eap, EAP_PEER); enumerator = charon->eap->create_enumerator(charon->eap, EAP_PEER);
while (enumerator->enumerate(enumerator, &reg_type, &reg_vendor)) while (enumerator->enumerate(enumerator, &reg_type, &reg_vendor))
{ {
if ((type && type != reg_type) ||
(type && vendor && vendor != reg_vendor))
{ /* the preferred type is only sent if we actually find it */
continue;
}
if (!reg_vendor || expanded) if (!reg_vendor || expanded)
{ {
write_type(writer, reg_type, reg_vendor, expanded); write_type(writer, reg_type, reg_vendor, expanded);

5
src/libcharon/encoding/payloads/eap_payload.h
View File

@ -127,10 +127,13 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier);
* Creates an eap_payload_t EAP_RESPONSE containing an EAP_NAK. * Creates an eap_payload_t EAP_RESPONSE containing an EAP_NAK.
* *
* @param identifier EAP identifier to use in payload * @param identifier EAP identifier to use in payload
* @param type preferred auth type, 0 to send all supported types
* @param vendor vendor identifier for auth type, 0 for default
* @param expanded TRUE to send an expanded Nak (as response to an expanded * @param expanded TRUE to send an expanded Nak (as response to an expanded
* request, i.e. one with vendor specific type) * request, i.e. one with vendor specific type)
* @return eap_payload_t object * @return eap_payload_t object
*/ */
eap_payload_t *eap_payload_create_nak(u_int8_t identifier, bool expanded); eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
u_int32_t vendor, bool expanded);
#endif /** EAP_PAYLOAD_H_ @}*/ #endif /** EAP_PAYLOAD_H_ @}*/

2
src/libcharon/plugins/eap_peap/eap_peap_peer.c
View File

@ -151,7 +151,7 @@ METHOD(tls_application_t, process, status_t,
if (!this->ph2_method) if (!this->ph2_method)
{ {
DBG1(DBG_IKE, "EAP method not supported"); DBG1(DBG_IKE, "EAP method not supported");
this->out = eap_payload_create_nak(in->get_identifier(in), this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
received_vendor != 0); received_vendor != 0);
in->destroy(in); in->destroy(in);
return NEED_MORE; return NEED_MORE;

2
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
View File

@ -192,7 +192,7 @@ METHOD(tls_application_t, process, status_t,
if (!this->method) if (!this->method)
{ {
DBG1(DBG_IKE, "EAP method not supported"); DBG1(DBG_IKE, "EAP method not supported");
this->out = eap_payload_create_nak(in->get_identifier(in), this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
received_vendor != 0); received_vendor != 0);
in->destroy(in); in->destroy(in);
return NEED_MORE; return NEED_MORE;

28
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
View File

@ -336,8 +336,8 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
static eap_payload_t* client_process_eap(private_eap_authenticator_t *this, static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
eap_payload_t *in) eap_payload_t *in)
{ {
eap_type_t type; eap_type_t type, conf_type;
u_int32_t vendor; u_int32_t vendor, conf_vendor;
auth_cfg_t *auth; auth_cfg_t *auth;
eap_payload_t *out; eap_payload_t *out;
identification_t *id; identification_t *id;
@ -373,7 +373,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
* EAP method (types 3-253, 255) */ * EAP method (types 3-253, 255) */
DBG1(DBG_IKE, "%N not supported, sending EAP_NAK", DBG1(DBG_IKE, "%N not supported, sending EAP_NAK",
eap_type_names, type); eap_type_names, type);
return eap_payload_create_nak(in->get_identifier(in), FALSE); return eap_payload_create_nak(in->get_identifier(in), 0, 0, FALSE);
} }
if (this->method == NULL) if (this->method == NULL)
{ {
@ -387,11 +387,31 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
DBG1(DBG_IKE, "server requested %N authentication (id 0x%02X)", DBG1(DBG_IKE, "server requested %N authentication (id 0x%02X)",
eap_type_names, type, in->get_identifier(in)); eap_type_names, type, in->get_identifier(in));
} }
auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
conf_type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
conf_vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
if (conf_type != EAP_NAK &&
(conf_type != type || conf_vendor != vendor))
{
if (conf_vendor)
{
DBG1(DBG_IKE, "requesting EAP method %d-%d, sending EAP_NAK",
conf_type, conf_vendor);
}
else
{
DBG1(DBG_IKE, "requesting %N authentication, sending EAP_NAK",
eap_type_names, conf_type);
}
return eap_payload_create_nak(in->get_identifier(in), conf_type,
conf_vendor, vendor != 0);
}
this->method = load_method(this, type, vendor, EAP_PEER); this->method = load_method(this, type, vendor, EAP_PEER);
if (!this->method) if (!this->method)
{ {
DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK"); DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
return eap_payload_create_nak(in->get_identifier(in), vendor != 0); return eap_payload_create_nak(in->get_identifier(in), 0, 0,
vendor != 0);
} }
} }