Fixed EAP authentication regression
authorMartin Willi <martin@strongswan.org>
Mon, 11 May 2009 08:35:44 +0000 (10:35 +0200)
committerMartin Willi <martin@strongswan.org>
Mon, 11 May 2009 08:42:52 +0000 (10:42 +0200)
Use correct nonce/init message again for EAP AUTH payload
sent from responder to initiator.

src/charon/sa/authenticators/authenticator.c
src/charon/sa/authenticators/authenticator.h
src/charon/sa/authenticators/eap_authenticator.c
src/charon/sa/authenticators/eap_authenticator.h
src/charon/sa/tasks/ike_auth.c

index 53bba83..ea8a162 100644 (file)
@@ -44,9 +44,9 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
 /**
  * Described in header.
  */
-authenticator_t *authenticator_create_builder(
-                                                                       ike_sa_t *ike_sa, auth_cfg_t *cfg,
-                                                                       chunk_t received_nonce, chunk_t sent_init)
+authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init)
 {
        switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
        {
@@ -60,7 +60,7 @@ authenticator_t *authenticator_create_builder(
                                                                                        received_nonce, sent_init);
                case AUTH_CLASS_EAP:
                        return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
-                                                                                       received_nonce, sent_init);
+                                               received_nonce, sent_nonce, received_init, sent_init);
                default:
                        return NULL;
        }
@@ -71,7 +71,8 @@ authenticator_t *authenticator_create_builder(
  */
 authenticator_t *authenticator_create_verifier(
                                                                        ike_sa_t *ike_sa, message_t *message,
-                                                                       chunk_t sent_nonce, chunk_t received_init)
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init)
 {
        auth_payload_t *auth_payload;
        
@@ -79,7 +80,7 @@ authenticator_t *authenticator_create_verifier(
        if (auth_payload == NULL)
        {
                return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
-                                                                                                       sent_nonce, received_init);
+                                               received_nonce, sent_nonce, received_init, sent_init);
        }
        switch (auth_payload->get_auth_method(auth_payload))
        {
index 70146dc..c608816 100644 (file)
@@ -139,24 +139,30 @@ struct authenticator_t {
  * @param ike_sa                       associated ike_sa
  * @param cfg                          authentication configuration
  * @param received_nonce       nonce received in IKE_SA_INIT
+ * @param sent_nonce           nonce sent in IKE_SA_INIT
+ * @param received_init                received IKE_SA_INIT message data
  * @param sent_init                    sent IKE_SA_INIT message data
  * @return                                     authenticator, NULL if not supported
  */
 authenticator_t *authenticator_create_builder(
                                                                        ike_sa_t *ike_sa, auth_cfg_t *cfg,
-                                                                       chunk_t received_nonce, chunk_t sent_init);
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init);
 
 /**
  * Create an authenticator to verify signatures.
  * 
  * @param ike_sa                       associated ike_sa
  * @param message                      message containing authentication data
+ * @param received_nonce       nonce received in IKE_SA_INIT
  * @param sent_nonce           nonce sent in IKE_SA_INIT
  * @param received_init                received IKE_SA_INIT message data
+ * @param sent_init                    sent IKE_SA_INIT message data
  * @return                                     authenticator, NULL if not supported
  */
 authenticator_t *authenticator_create_verifier(
                                                                        ike_sa_t *ike_sa, message_t *message,
-                                                                       chunk_t sent_nonce, chunk_t received_init);
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init);
 
 #endif /** AUTHENTICATOR_H_ @}*/
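Review bot: The new @param lines say what each chunk is but not which pair actually enters the AUTH computation, and that pairing is exactly the invariant this regression broke. A short note on both prototypes would prevent the next mix-up, e.g. `@note AUTH is computed over sent_init | received_nonce when building and over received_init | sent_nonce when verifying (RFC 4306, section 2.15); the EAP authenticator does both, hence it needs all four`. Since the PSK/pubkey builders in authenticator.c are still created with only received_nonce and sent_init, the doc should also say that the two additional chunks are currently consumed by the EAP class only.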
index 09b6d06..1bd8e78 100644 (file)
@@ -38,14 +38,24 @@ struct private_eap_authenticator_t {
        ike_sa_t *ike_sa;
        
        /**
-        * nonce to include in AUTH calculation
+        * others nonce to include in AUTH calculation
         */
-       chunk_t nonce;
+       chunk_t received_nonce;
        
        /**
-        * IKE_SA_INIT message data to include in AUTH calculation
+        * our nonce to include in AUTH calculation
         */
-       chunk_t ike_sa_init;
+       chunk_t sent_nonce;
+       
+       /**
+        * others IKE_SA_INIT message data to include in AUTH calculation
+        */
+       chunk_t received_init;
+       
+       /**
+        * our IKE_SA_INIT message data to include in AUTH calculation
+        */
+       chunk_t sent_init;
        
        /**
         * Current EAP method processing
@@ -349,7 +359,8 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 /**
  * Verify AUTH payload
  */
-static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
+static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
+                                               chunk_t nonce, chunk_t init)
 {
        auth_payload_t *auth_payload;
        chunk_t auth_data, recv_auth_data;
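Review bot: verify_auth now takes `nonce` and `init` as parameters even though `this` already carries all four chunks, so every caller (process_server and process_client further down) must restate the RFC 4306 section 2.15 pairing by hand, which reproduces the mistake this commit fixes at four call sites instead of one. Because the verifier always needs the peer's IKE_SA_INIT data with our own nonce, the function can pick them itself: `static bool verify_auth(private_eap_authenticator_t *this, message_t *message)` and `auth_data = keymat->get_psk_sig(keymat, TRUE, this->received_init, this->sent_nonce, this->msk, other_id);`, with a one-line comment naming the rule; build_auth can do the same with `this->sent_init`/`this->received_nonce`. verify_auth's body continues beyond the hunk.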
@@ -366,8 +377,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
        }
        other_id = this->ike_sa->get_other_id(this->ike_sa);
        keymat = this->ike_sa->get_keymat(this->ike_sa);
-       auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
-                                                                       this->nonce, this->msk, other_id);
+       auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
+                                                                       this->msk, other_id);
        recv_auth_data = auth_payload->get_data(auth_payload);
        if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
        {
@@ -389,7 +400,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
 /**
  * Build AUTH payload
  */
-static void build_auth(private_eap_authenticator_t *this, message_t *message)
+static void build_auth(private_eap_authenticator_t *this, message_t *message,
+                                          chunk_t nonce, chunk_t init)
 {
        auth_payload_t *auth_payload;
        identification_t *my_id;
@@ -402,8 +414,7 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message)
        DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_class_names, AUTH_CLASS_EAP);
        
-       auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
-                                                                       this->nonce, this->msk, my_id);
+       auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
        auth_payload = auth_payload_create();
        auth_payload->set_auth_method(auth_payload, AUTH_PSK);
        auth_payload->set_data(auth_payload, auth_data);
@@ -421,7 +432,7 @@ static status_t process_server(private_eap_authenticator_t *this,
        
        if (this->eap_complete)
        {
-               if (!verify_auth(this, message))
+               if (!verify_auth(this, message, this->sent_nonce, this->received_init))
                {
                        return FAILED;
                }
@@ -466,7 +477,7 @@ static status_t build_server(private_eap_authenticator_t *this,
        }
        if (this->eap_complete && this->auth_complete)
        {
-               build_auth(this, message);
+               build_auth(this, message, this->received_nonce, this->sent_init);
                return SUCCESS;
        }
        return FAILED;
@@ -482,7 +493,7 @@ static status_t process_client(private_eap_authenticator_t *this,
        
        if (this->eap_complete)
        {
-               if (!verify_auth(this, message))
+               if (!verify_auth(this, message, this->sent_nonce, this->received_init))
                {
                        return FAILED;
                }
@@ -557,7 +568,7 @@ static status_t build_client(private_eap_authenticator_t *this,
        }
        if (this->eap_complete)
        {
-               build_auth(this, message);
+               build_auth(this, message, this->received_nonce, this->sent_init);
                return NEED_MORE;
        }
        return NEED_MORE;
@@ -579,7 +590,8 @@ static void destroy(private_eap_authenticator_t *this)
  * Described in header.
  */
 eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_init)
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init)
 {
        private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
        
@@ -588,8 +600,10 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
        this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
        
        this->ike_sa = ike_sa;
-       this->ike_sa_init = sent_init;
-       this->nonce = received_nonce;
+       this->received_init = received_init;
+       this->received_nonce = received_nonce;
+       this->sent_init = sent_init;
+       this->sent_nonce = sent_nonce;
        this->msk = chunk_empty;
        this->method = NULL;
        this->eap_payload = NULL;
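Review bot: The four chunks are stored by plain assignment with no clone, so the nonces and packet data passed in from ike_auth.c must outlive the authenticator, yet nothing in the struct or the header says who owns them. A comment on the four fields would make that contract visible, e.g. `/* not cloned: owned by the ike_auth task, which must keep them valid for our lifetime */`, assuming destroy() (outside this hunk) does not free them. If destroy() does free any of them, the double ownership with the task is the real bug to look at.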
@@ -604,7 +618,8 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
  * Described in header.
  */
 eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
-                                                                       chunk_t sent_nonce, chunk_t received_init)
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init)
 {
        private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
        
@@ -613,8 +628,10 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
        this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
        
        this->ike_sa = ike_sa;
-       this->ike_sa_init = received_init;
-       this->nonce = sent_nonce;
+       this->received_init = received_init;
+       this->received_nonce = received_nonce;
+       this->sent_init = sent_init;
+       this->sent_nonce = sent_nonce;
        this->msk = chunk_empty;
        this->method = NULL;
        this->eap_payload = NULL;
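Review bot: After this change eap_authenticator_create_verifier and eap_authenticator_create_builder take the same four chunks and initialise the same fields in the same order, so the two constructors differ only in the role-specific callbacks set above the hunk, which I cannot see. The duplicated field list is what let the builder and verifier drift apart in the first place; a single static initialiser taking the role as a flag, or one constructor with a `bool server` parameter wrapped by both public functions, would keep them in step. The start of both constructors is outside the hunk.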
index e650b0e..b90a6f4 100644 (file)
@@ -72,21 +72,27 @@ struct eap_authenticator_t {
  *
  * @param ike_sa                       associated ike_sa
  * @param received_nonce       nonce received in IKE_SA_INIT
+ * @param sent_nonce           nonce sent in IKE_SA_INIT
+ * @param received_init                received IKE_SA_INIT message data
  * @param sent_init                    sent IKE_SA_INIT message data
  * @return                                     EAP authenticator
  */
 eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_init);
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init);
 
 /**
  * Create an authenticator to authenticate EAP clients.
  * 
  * @param ike_sa                       associated ike_sa
+ * @param received_nonce       nonce received in IKE_SA_INIT
  * @param sent_nonce           nonce sent in IKE_SA_INIT
  * @param received_init                received IKE_SA_INIT message data
+ * @param sent_init                    sent IKE_SA_INIT message data
  * @return                                     EAP authenticator
  */
 eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
-                                                                       chunk_t sent_nonce, chunk_t received_init);
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init);
 
 #endif /** EAP_AUTHENTICATOR_H_ @}*/
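Review bot: The prototype docs still describe one constructor as building and the other as verifying, yet an EAP authenticator verifies the peer's AUTH (verify_auth in process_server/process_client) and builds its own (build_auth in build_server/build_client) whichever way it was created, which is precisely why both now need all four chunks. Saying so on each prototype would explain the otherwise puzzling symmetric signatures, e.g. `@note an EAP authenticator both builds and verifies AUTH: received_nonce/sent_init feed the AUTH we send, sent_nonce/received_init the one we check`. The "authenticate EAP clients" wording on the verifier should also note that this side still sends its own AUTH payload.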
index 4456aae..8d6cd56 100644 (file)
@@ -412,9 +412,10 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
                message->add_payload(message, (payload_t*)id_payload);
                
                /* build authentication data */
-               this->my_auth = authenticator_create_builder(
-                                                                       this->ike_sa, cfg, this->other_nonce, 
-                                                                       this->my_packet->get_data(this->my_packet));
+               this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+                                                       this->other_nonce, this->my_nonce,
+                                                       this->other_packet->get_data(this->other_packet),
+                                                       this->my_packet->get_data(this->my_packet));
                if (!this->my_auth)
                {
                        return FAILED;
@@ -531,9 +532,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
                }
                
                /* verify authentication data */
-               this->other_auth = authenticator_create_verifier(
-                                                       this->ike_sa, message, this->my_nonce,
-                                                       this->other_packet->get_data(this->other_packet));
+               this->other_auth = authenticator_create_verifier(this->ike_sa,
+                                                       message, this->other_nonce, this->my_nonce,
+                                                       this->other_packet->get_data(this->other_packet),
+                                                       this->my_packet->get_data(this->my_packet));
                if (!this->other_auth)
                {
                        this->authentication_failed = TRUE;
@@ -651,9 +653,10 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                message->add_payload(message, (payload_t*)id_payload);
                
                /* build authentication data */
-               this->my_auth = authenticator_create_builder(
-                                                               this->ike_sa, cfg, this->other_nonce, 
-                                                               this->my_packet->get_data(this->my_packet));
+               this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+                                                       this->other_nonce, this->my_nonce,
+                                                       this->other_packet->get_data(this->other_packet),
+                                                       this->my_packet->get_data(this->my_packet));
                if (!this->my_auth)
                {
                        message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -856,9 +859,10 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                        cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
                        
                        /* verify authentication data */
-                       this->other_auth = authenticator_create_verifier(
-                                                       this->ike_sa, message, this->my_nonce,
-                                                       this->other_packet->get_data(this->other_packet));
+                       this->other_auth = authenticator_create_verifier(this->ike_sa,
+                                                       message, this->other_nonce, this->my_nonce,
+                                                       this->other_packet->get_data(this->other_packet),
+                                                       this->my_packet->get_data(this->my_packet));
                        if (!this->other_auth)
                        {
                                return FAILED;