Map auth_class to auth method and IKEv1 proposal attribute
authorMartin Willi <martin@revosec.ch>
Thu, 24 Nov 2011 15:07:13 +0000 (16:07 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:30:53 +0000 (17:30 +0100)
src/libcharon/encoding/payloads/proposal_substructure.c
src/libcharon/plugins/stroke/stroke_config.c
src/libcharon/sa/authenticators/authenticator.h
src/libcharon/sa/tasks/main_mode.c
src/libstrongswan/credentials/auth_cfg.h

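--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -583,8 +583,12 @@ static u_int16_t get_ikev1_auth(auth_method_t method)
                        return IKEV1_AUTH_RSA_SIG;
                case AUTH_DSS:
                        return IKEV1_AUTH_DSS_SIG;
+               case AUTH_XAUTH_INIT_PSK:
+                       return IKEV1_AUTH_XAUTH_INIT_PSK;
+               case AUTH_XAUTH_INIT_RSA:
+                       return IKEV1_AUTH_XAUTH_INIT_RSA;
                default:
-                       /* TODO-IKEv1: Handle XAUTH methods */
+                       /* TODO-IKEv1: Handle other XAUTH methods */
                        /* TODO-IKEv1: Handle ECDSA methods */
                case AUTH_PSK:
                        return IKEV1_AUTH_PSK;
@@ -877,8 +881,12 @@ METHOD(proposal_substructure_t, get_auth_method, auth_method_t,
                        return AUTH_RSA;
                case IKEV1_AUTH_DSS_SIG:
                        return AUTH_DSS;
+               case IKEV1_AUTH_XAUTH_INIT_PSK:
+                       return AUTH_XAUTH_INIT_PSK;
+               case IKEV1_AUTH_XAUTH_INIT_RSA:
+                       return AUTH_XAUTH_INIT_RSA;
                default:
-                       /* TODO-IKEv1: XAUTH, ECDSA sigs */
+                       /* TODO-IKEv1: other XAUTH, ECDSA sigs */
                        return AUTH_NONE;
        }
 }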
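Review bot: The `default:` label in get_ikev1_auth still falls through into `case AUTH_PSK:` and returns `IKEV1_AUTH_PSK`, so every method the switch does not list (the ECDSA methods named in the TODO, and any XAuth method other than the two initiator variants added here) is silently proposed as pre-shared-key authentication instead of being rejected; the commit only reworded the comment above that downgrade. A method the encoder cannot express should fail loudly rather than weaken the proposal: move `case AUTH_PSK:` above `default:` and have the default `return 0;` (or another value the caller can detect), keeping the TODO comments. Whether the caller already rejects such a value is not visible here, since get_ikev1_auth begins before the hunk and its callers are outside it; the reverse mapping in get_auth_method already returns `AUTH_NONE` for unknown attributes, which is the safer shape.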
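--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -473,6 +473,10 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
        {
                cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH_PSK);
        }
+       else if (streq(auth, "xauthrsasig"))
+       {
+               cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH_PUBKEY);
+       }
        else if (strneq(auth, "eap", 3))
        {
                enumerator_t *enumerator;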
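Review bot: The new `xauthrsasig` keyword is accepted without any comment on what it selects, and the generic class name `AUTH_CLASS_XAUTH_PUBKEY` hides that, elsewhere in this same commit (main_mode.c), the class is mapped unconditionally to `AUTH_XAUTH_INIT_RSA`, so a configuration with a non-RSA key would still negotiate RSA signatures. A short comment on the new branch would keep the keyword, the class and the actual behaviour aligned for the next reader: `/* IKEv1 XAuth after public-key authentication; currently negotiated as RSA signatures only (see main_mode.c) */`. build_auth_cfg begins and ends outside the hunk, so whether a certificate or key rule is added for this class later in the function cannot be checked here.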
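--- a/src/libcharon/sa/authenticators/authenticator.h
+++ b/src/libcharon/sa/authenticators/authenticator.h
@@ -73,6 +73,16 @@ enum auth_method_t {
         * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
         */
        AUTH_ECDSA_521 = 11,
+
+       /**
+        * IKEv1 initiator XAUTH with PSK, outside of IANA range
+        */
+       AUTH_XAUTH_INIT_PSK = 256,
+
+       /**
+        * IKEv1 initiator XAUTH with RSA, outside of IANA range
+        */
+       AUTH_XAUTH_INIT_RSA,
 };
 
 /**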
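Review bot: The values 256 and 257 do not fit the one-octet Auth Method field of an IKEv2 AUTH payload, so if an `auth_method_t` carrying one of these pseudo-methods is ever handed to the IKEv2 encoder it would be truncated (257 & 0xff is 1, which collides with the IANA-assigned RSA signature method) rather than rejected; "outside of IANA range" states the intent but not the constraint. The doc comments should say so explicitly, e.g. `* IKEv1-internal pseudo-method, never valid on the wire: must not reach the IKEv2 AUTH payload encoder`, and the encoder side should refuse values above 255 if it does not already (not visible here). Presumably `auth_method_t` also has an enum_names table, as strongSwan enums usually do; the jump from 11 to 256 means that table needs a separate range for the new names or logging of these values will be wrong — please confirm it was updated.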
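--- a/src/libcharon/sa/tasks/main_mode.c
+++ b/src/libcharon/sa/tasks/main_mode.c
@@ -298,6 +298,10 @@ static auth_method_t get_auth_method(private_main_mode_t *this)
        {
                case AUTH_CLASS_PSK:
                        return AUTH_PSK;
+               case AUTH_CLASS_XAUTH_PSK:
+                       return AUTH_XAUTH_INIT_PSK;
+               case AUTH_CLASS_XAUTH_PUBKEY:
+                       return AUTH_XAUTH_INIT_RSA;
                case AUTH_CLASS_PUBKEY:
                        /* TODO-IKEv1: look for a key, return RSA or ECDSA */
                default:
@@ -586,6 +590,7 @@ static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
        switch (auth)
        {
                case AUTH_CLASS_PSK:
+               case AUTH_CLASS_XAUTH_PSK:
                        shared_key = lookup_shared_key(this);
                        break;
                default: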
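Review bot: In get_auth_method the new `case AUTH_CLASS_XAUTH_PUBKEY:` returns `AUTH_XAUTH_INIT_RSA` unconditionally, while the `AUTH_CLASS_PUBKEY` case directly below it carries a TODO to inspect the configured key and choose between RSA and ECDSA; a peer configured with an ECDSA key and the new XAuth public-key class would therefore propose RSA signatures and fail, or worse, fall into whatever the default branch does. Either the same key lookup should apply to both classes, or the limitation should be stated where it is made: `case AUTH_CLASS_XAUTH_PUBKEY:` / `/* TODO-IKEv1: like AUTH_CLASS_PUBKEY, choose RSA or ECDSA from the key; only RSA for now */` / `return AUTH_XAUTH_INIT_RSA;`. The `default:` branch of this switch continues outside the hunk, so what an unmapped class currently yields is not visible here. The derive_keys change looks correct in that the XAuth PSK class shares the PSK key lookup and the public-key class stays on the default path.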
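--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -44,6 +44,8 @@ enum auth_class_t {
        AUTH_CLASS_EAP = 3,
        /** authentication using pre-shared secrets in combination with XAuth */
        AUTH_CLASS_XAUTH_PSK = 4,
+       /** authentication using public keys in combination with XAuth */
+       AUTH_CLASS_XAUTH_PUBKEY = 5,
 };
 
 /**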
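Review bot: A new enumerator is appended to `auth_class_t` but no matching update to a names table appears in this commit; if the type has an enum_names array for logging (the strongSwan convention for enums declared like this one), an `AUTH_CLASS_XAUTH_PUBKEY` value would print as out of range until that array gains a fifth entry — please confirm it was extended. The doc comment could also record that this class is IKEv1-specific, since XAuth only exists there: `/** authentication using public keys in combination with XAuth (IKEv1 only) */`.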