fixed broken XAUTH authentication
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 12 Jun 2009 19:04:48 +0000 (21:04 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 12 Jun 2009 19:04:48 +0000 (21:04 +0200)
src/pluto/connections.c
src/pluto/crypto.c
src/pluto/crypto.h
src/pluto/ipsec_doi.c

index 2d62c81..5e2ed39 100644 (file)
@@ -3320,6 +3320,7 @@ refine_host_connection(const struct state *st, const struct id *peer_id
        case OAKLEY_ECDSA_512:
                auth_policy = POLICY_PUBKEY;
                break;
+       case XAUTHInitRSA:
        case XAUTHRespRSA:
                auth_policy = POLICY_XAUTH_RSASIG;
                break;
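Review bot: The new `case XAUTHInitRSA:` label shares the POLICY_XAUTH_RSASIG assignment with XAUTHRespRSA, but nothing in the switch says why the initiator and responder variants are treated alike here, so a reader cannot tell whether dropping that distinction is deliberate. Suggest a comment above the first label such as `/* both XAUTH RSA variants authenticate phase 1 with RSA signatures; the XAUTH client/server role is not decided here */`, assuming the role really is handled in another place. refine_host_connection() starts before this hunk and continues after it.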
index 539c289..8140030 100644 (file)
@@ -259,6 +259,26 @@ pseudo_random_function_t oakley_to_prf(int alg)
 }
 
 /**
+ * Maps IKEv1 authentication method to IKEv2 signature scheme
+ */
+signature_scheme_t oakley_to_signature_scheme(int method)
+{
+       switch (method)
+       {
+               case OAKLEY_RSA_SIG:
+               case XAUTHInitRSA:
+               case XAUTHRespRSA:
+                       return SIGN_RSA_EMSA_PKCS1_NULL;
+               case OAKLEY_ECDSA_256:
+               case OAKLEY_ECDSA_384:
+               case OAKLEY_ECDSA_512:
+                       return SIGN_ECDSA_WITH_NULL;
+               default:
+                       return SIGN_UNKNOWN;
+       }
+}
+
+/**
  * Converts IKEv2 encryption to IKEv1 encryption algorithm
  */
 int oakley_from_encryption_algorithm(encryption_algorithm_t alg)
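Review bot: oakley_to_signature_scheme() returns SIGN_UNKNOWN for every method outside the two groups it lists, and the header comment does not mention this even though the callers in ipsec_doi.c now pass the result straight to signing and verification routines. Suggest extending the Doxygen block with `@param method  IKEv1 Oakley/XAUTH authentication method` and `@return  signature scheme, or SIGN_UNKNOWN if method is not a supported signature-based method (e.g. DSS or pre-shared variants)`. The summary also calls the result an "IKEv2 signature scheme"; signature_scheme_t is the generic libstrongswan type, so `Maps an IKEv1 authentication method to a libstrongswan signature scheme` would read more accurately, if that is how the type is used here.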
index 0c9bc8e..06c4e1d 100644 (file)
@@ -16,6 +16,7 @@
 #include <crypto/signers/signer.h>
 #include <crypto/hashers/hasher.h>
 #include <crypto/prfs/prf.h>
+#include <credentials/keys/public_key.h>
 
 #include "ike_alg.h"
 
@@ -48,6 +49,7 @@ struct state;   /* forward declaration, dammit */
 extern encryption_algorithm_t oakley_to_encryption_algorithm(int alg);
 extern hash_algorithm_t oakley_to_hash_algorithm(int alg);
 extern pseudo_random_function_t oakley_to_prf(int alg);
+extern signature_scheme_t oakley_to_signature_scheme(int method);
 extern int oakley_from_encryption_algorithm(encryption_algorithm_t alg);
 extern int oakley_from_integrity_algorithm(integrity_algorithm_t alg);
 extern int esp_from_encryption_algorithm(encryption_algorithm_t alg);
index 3d7a743..fd97ddd 100644 (file)
@@ -1498,9 +1498,8 @@ static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
        identification_t *keyid = pub_key->get_id(pub_key, ID_PUBKEY_INFO_SHA1);
        signature_scheme_t scheme;
 
-       scheme = (s->st->st_oakley.auth == OAKLEY_RSA_SIG) ?
-                                       SIGN_RSA_EMSA_PKCS1_NULL : SIGN_ECDSA_WITH_NULL;
        s->tried_cnt++;
+       scheme = oakley_to_signature_scheme(s->st->st_oakley.auth);
 
        if (pub_key->verify(pub_key, scheme, s->hash, s->sig))
        {
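Review bot: `scheme` can now be SIGN_UNKNOWN (for any authentication method that oakley_to_signature_scheme() does not map, e.g. a DSS method) and is handed unchecked to pub_key->verify(); the removed ternary never produced an unknown scheme, so this is a new input whose rejection depends entirely on the public_key_t implementation. Unless every key plugin is known to fail cleanly on SIGN_UNKNOWN, rejecting it before the verify call is cheaper and gives a clearer failure than relying on plugin behaviour. take_a_crack() starts before this hunk and its match handling continues after it.

```c
	s->tried_cnt++;
	scheme = oakley_to_signature_scheme(s->st->st_oakley.auth);
	if (scheme == SIGN_UNKNOWN)
	{
		/* not a signature-based authentication method: nothing to verify */
		return FALSE;
	}
	/* … unchanged: pub_key->verify() and match handling … */
```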
@@ -2975,17 +2974,27 @@ stf_status main_inI1_outR1(struct msg_digest *md)
 
        /* determine how many Vendor ID payloads we will be sending */
        if (SEND_PLUTO_VID)
+       {
                vids_to_send++;
+       }
        if (SEND_CISCO_UNITY_VID)
+       {
                vids_to_send++;
+       }
        if (md->openpgp)
+       {
                vids_to_send++;
+       }
        if (SEND_XAUTH_VID)
+       {
                vids_to_send++;
+       }
        /* always send DPD Vendor ID */
                vids_to_send++;
        if (md->nat_traversal_vid && nat_traversal_enabled)
+       {
                vids_to_send++;
+       }
 
        /* HDR out.
         * We can't leave this to comm_handle() because we must
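Review bot: The brace normalisation stops short of the DPD block: `/* always send DPD Vendor ID */` is followed by `vids_to_send++;` indented one level deeper than its neighbours, which makes an unconditional increment look like the body of a missing `if`. Since the hunk is already rebracing the surrounding statements, dedent both lines to the same level as the `if` statements: `/* always send DPD Vendor ID */` then `vids_to_send++;`. These whitespace-only changes are also unrelated to the XAUTH fix named in the commit title; keeping them in a separate cleanup commit would make the actual bug fix easier to review. main_inI1_outR1() starts before this hunk and continues after it.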
@@ -3477,8 +3486,8 @@ stf_status main_inR2_outI3(struct msg_digest *md)
                        signature_scheme_t scheme;
                        size_t sig_len;
 
-                       scheme = (st->st_oakley.auth == OAKLEY_RSA_SIG) ?
-                                                       SIGN_RSA_EMSA_PKCS1_NULL : SIGN_ECDSA_WITH_NULL;
+                       scheme = oakley_to_signature_scheme(st->st_oakley.auth);
+
                        sig_len = sign_hash(scheme, st->st_connection, sig_val, hash);
                        if (sig_len == 0)
                        {
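Review bot: `scheme = oakley_to_signature_scheme(st->st_oakley.auth);` can yield SIGN_UNKNOWN, and the only failure check visible is `if (sig_len == 0)` after sign_hash(); whether sign_hash() returns 0 for an unknown scheme is not shown here, and even if it does, that branch cannot tell "unsupported authentication method" apart from "signing failed". Checking `scheme == SIGN_UNKNOWN` right after the assignment, with a log line naming st->st_oakley.auth, would fail fast and make misconfigured XAUTH/RSA setups diagnosable from the log. main_inR2_outI3() starts before this hunk and the error branch continues after it.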
@@ -3892,8 +3901,8 @@ main_inI3_outR3_tail(struct msg_digest *md
                        signature_scheme_t scheme;
                        size_t sig_len;
 
-                       scheme = (st->st_oakley.auth == OAKLEY_RSA_SIG) ?
-                                                       SIGN_RSA_EMSA_PKCS1_NULL : SIGN_ECDSA_WITH_NULL;
+                       scheme = oakley_to_signature_scheme(st->st_oakley.auth);
+
                        sig_len = sign_hash(scheme, st->st_connection, sig_val, hash);
                        if (sig_len == 0)
                        {
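Review bot: The sequence `scheme = oakley_to_signature_scheme(st->st_oakley.auth);`, `sig_len = sign_hash(scheme, st->st_connection, sig_val, hash);` and the following `if (sig_len == 0)` check is now identical to the block in main_inR2_outI3() earlier in this file, so any later change to the scheme handling has to be made in two places. A small static helper taking the state, the signature buffer and the hash and returning the signature length would remove the duplication and give one place to reject SIGN_UNKNOWN. main_inI3_outR3_tail() starts before this hunk and continues after it.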