Throw an alert if authentication of the peer fails (not only for initiator).
authorTobias Brunner <tobias@strongswan.org>
Wed, 10 Aug 2011 15:29:06 +0000 (17:29 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Aug 2011 08:04:02 +0000 (10:04 +0200)
src/libcharon/bus/bus.h
src/libcharon/sa/tasks/ike_auth.c

index b524fe7..2ade796 100644 (file)
@@ -84,8 +84,8 @@ enum alert_t {
        ALERT_RADIUS_NOT_RESPONDING,
        /** a shutdown signal has been received, argument is the signal (int) */
        ALERT_SHUTDOWN_SIGNAL,
-       /** responder authentication failed, no arguments */
-       ALERT_RESPONDER_AUTH_FAILED,
+       /** peer authentication failed, no arguments */
+       ALERT_PEER_AUTH_FAILED,
        /** failed to resolve peer address, no arguments */
        ALERT_PEER_ADDR_FAILED,
 };
index f52f17a..6709d0a 100644 (file)
@@ -669,8 +669,7 @@ METHOD(task_t, build_r, status_t,
 
        if (this->authentication_failed || this->peer_cfg == NULL)
        {
-               message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
-               return FAILED;
+               goto peer_auth_failed;
        }
 
        if (this->my_auth == NULL && this->do_another_auth)
@@ -690,9 +689,7 @@ METHOD(task_t, build_r, status_t,
                        if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
                        {
                                DBG1(DBG_CFG, "IDr not configured and negotiation failed");
-                               message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-                                                                       chunk_empty);
-                               return FAILED;
+                               goto peer_auth_failed;
                        }
                        this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
                        id = id_cfg;
@@ -702,9 +699,7 @@ METHOD(task_t, build_r, status_t,
                        if (id_cfg && !id->matches(id, id_cfg))
                        {
                                DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
-                               message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-                                                                       chunk_empty);
-                               return FAILED;
+                               goto peer_auth_failed;
                        }
                }
 
@@ -726,9 +721,7 @@ METHOD(task_t, build_r, status_t,
                        {
                                DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
                                         "does not support it");
-                               message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-                                                                       chunk_empty);
-                               return FAILED;
+                               goto peer_auth_failed;
                        }
                }
                else
@@ -741,9 +734,7 @@ METHOD(task_t, build_r, status_t,
                                                                this->reserved);
                        if (!this->my_auth)
                        {
-                               message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-                                                                       chunk_empty);
-                               return FAILED;
+                               goto peer_auth_failed;
                        }
                }
        }
@@ -759,12 +750,11 @@ METHOD(task_t, build_r, status_t,
                        case NEED_MORE:
                                break;
                        default:
-                               if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
+                               if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
                                {       /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
-                                       message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-                                                                               chunk_empty);
+                                       goto peer_auth_failed_no_notify;
                                }
-                               return FAILED;
+                               goto peer_auth_failed;
                }
        }
        if (this->my_auth)
@@ -803,16 +793,12 @@ METHOD(task_t, build_r, status_t,
                                                                                                         this->ike_sa, FALSE))
                {
                        DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
-                       message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-                                                               chunk_empty);
-                       return FAILED;
+                       goto peer_auth_failed;
                }
                if (!charon->bus->authorize(charon->bus, TRUE))
                {
                        DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
-                       message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-                                                               chunk_empty);
-                       return FAILED;
+                       goto peer_auth_failed;
                }
                DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                         this->ike_sa->get_name(this->ike_sa),
@@ -826,6 +812,13 @@ METHOD(task_t, build_r, status_t,
                return SUCCESS;
        }
        return NEED_MORE;
+
+peer_auth_failed:
+       message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+                                               chunk_empty);
+peer_auth_failed_no_notify:
+       charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
+       return FAILED;
 }
 
 METHOD(task_t, process_i, status_t,
@@ -908,7 +901,7 @@ METHOD(task_t, process_i, status_t,
                        if (!id_payload)
                        {
                                DBG1(DBG_IKE, "IDr payload missing");
-                               goto remote_auth_failed;
+                               goto peer_auth_failed;
                        }
                        id = id_payload->get_identification(id_payload);
                        get_reserved_id_bytes(this, id_payload);
@@ -926,7 +919,7 @@ METHOD(task_t, process_i, status_t,
                                                                this->reserved);
                                if (!this->other_auth)
                                {
-                                       goto remote_auth_failed;
+                                       goto peer_auth_failed;
                                }
                        }
                        else
@@ -944,7 +937,7 @@ METHOD(task_t, process_i, status_t,
                                case NEED_MORE:
                                        return NEED_MORE;
                                default:
-                                       goto remote_auth_failed;
+                                       goto peer_auth_failed;
                        }
                        this->other_auth->destroy(this->other_auth);
                        this->other_auth = NULL;
@@ -953,7 +946,7 @@ METHOD(task_t, process_i, status_t,
                if (!charon->bus->authorize(charon->bus, FALSE))
                {
                        DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
-                       goto remote_auth_failed;
+                       goto peer_auth_failed;
                }
 
                /* store authentication information, reset authenticator */
@@ -978,7 +971,7 @@ METHOD(task_t, process_i, status_t,
                        case NEED_MORE:
                                break;
                        default:
-                               goto remote_auth_failed;
+                               goto peer_auth_failed;
                }
        }
        if (mutual_eap)
@@ -986,7 +979,7 @@ METHOD(task_t, process_i, status_t,
                if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
                {
                        DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
-                       goto remote_auth_failed;
+                       goto peer_auth_failed;
                }
                DBG1(DBG_IKE, "allow mutual EAP-only authentication");
        }
@@ -999,13 +992,13 @@ METHOD(task_t, process_i, status_t,
        {
                if (!update_cfg_candidates(this, TRUE))
                {
-                       goto remote_auth_failed;
+                       goto peer_auth_failed;
                }
                if (!charon->bus->authorize(charon->bus, TRUE))
                {
                        DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
                                              "cancelling");
-                       goto remote_auth_failed;
+                       goto peer_auth_failed;
                }
                DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                         this->ike_sa->get_name(this->ike_sa),
@@ -1020,8 +1013,8 @@ METHOD(task_t, process_i, status_t,
        }
        return NEED_MORE;
 
-remote_auth_failed:
-       charon->bus->alert(charon->bus, ALERT_RESPONDER_AUTH_FAILED);
+peer_auth_failed:
+       charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
        return FAILED;
 }