Virtual EAP methods handle EAP-Naks themselves
authorTobias Brunner <tobias@strongswan.org>
Tue, 21 Aug 2012 14:57:34 +0000 (16:57 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 31 Aug 2012 09:40:27 +0000 (11:40 +0200)
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c

index 46913a7..7cc8625 100644 (file)
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -233,9 +234,10 @@ static void replace_eap_identity(private_eap_authenticator_t *this)
 static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
                                                                                 eap_payload_t *in)
 {
-       eap_type_t type, received_type;
-       u_int32_t vendor, received_vendor;
+       eap_type_t type, received_type, conf_type;
+       u_int32_t vendor, received_vendor, conf_vendor;
        eap_payload_t *out;
+       auth_cfg_t *auth;
 
        if (in->get_code(in) != EAP_RESPONSE)
        {
@@ -250,15 +252,25 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
        {
                if (received_vendor == 0 && received_type == EAP_NAK)
                {
-                       DBG1(DBG_IKE, "received %N, sending %N",
-                                eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
+                       auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+                       conf_type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
+                       conf_vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
+                       if ((type == EAP_IDENTITY && !vendor) ||
+                               (type == conf_type && vendor == conf_vendor))
+                       {
+                               DBG1(DBG_IKE, "received %N, sending %N",
+                                        eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
+                               return eap_payload_create_code(EAP_FAILURE,
+                                                                                          in->get_identifier(in));
+                       }
+                       /* virtual methods handle NAKs in process() */
                }
                else
                {
                        DBG1(DBG_IKE, "received invalid EAP response, sending %N",
                                 eap_code_names, EAP_FAILURE);
+                       return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
                }
-               return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
        }
 
        switch (this->method->process(this->method, in, &out))
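Review bot: The NAK that falls through past the `/* virtual methods handle NAKs in process() */` comment reaches `this->method->process()` with no log line, although both failure branches in the same block do log; a peer that NAKs a non-matching method therefore leaves no trace, which removes a useful signal when diagnosing negotiation problems or repeated NAKs from a misbehaving client. Suggest adding, just before the closing brace of the NAK branch, `DBG2(DBG_IKE, "received %N, passing it to the current EAP method", eap_type_names, EAP_NAK);`. The fallthrough also assumes that every method whose type is neither EAP-Identity nor the configured AUTH_RULE_EAP_TYPE/AUTH_RULE_EAP_VENDOR pair is a virtual method that handles NAKs itself; that assumption, and what happens when no EAP type is configured (conf_type then takes whatever auth->get() returns by default, which is not visible here), deserve to be stated in the comment, e.g. `/* any other method is assumed to be a virtual one that handles the NAK itself in process() */`. Where `type` and `vendor` are assigned is outside the hunk, and server_process_eap continues past it.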