From: Martin Willi
Date: Thu, 7 Jan 2010 13:30:28 +0000 (+0100)
Subject: Indicate and dected support for EAP-only authentication
X-Git-Tag: 4.3.6~43
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=12fca6cc9f3a88348c01fc242a840d02ba106b7c;p=thirdparty%2Fstrongswan.git

Indicate and dected support for EAP-only authentication
---

diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 122e23810b..4dce1937ca 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -91,6 +91,11 @@ enum ike_extension_t {
 * peer uses strongSwan, accept private use extensions
 */
 EXT_STRONGSWAN = (1<<4),
+
+ /**
+ * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
+ */
+ EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
 };
 
 /**
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 7714b28ce9..0e81d2bea9 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -347,10 +347,16 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
 this->peer_cfg->get_ref(this->peer_cfg);
 }
 
- if (message->get_message_id(message) == 1 &&
- this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
- { /* in the first IKE_AUTH, indicate support for multiple authentication */
- message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED, chunk_empty);
+ if (message->get_message_id(message) == 1)
+ { /* in the first IKE_AUTH ... */
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+ { /* indicate support for multiple authentication */
+ message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+ chunk_empty);
+ }
+ /* indicate support for EAP-only authentication */
+ message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
+ chunk_empty);
 }
 
 if (!this->do_another_auth && !this->my_auth)
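Review bot: The new `EAP_ONLY_AUTHENTICATION` notify in build_i is added to every first IKE_AUTH, while process_r in this same commit interprets it only for peers flagged `EXT_STRONGSWAN` because the notify has no official assignment. Sending an unassigned notify type to arbitrary peers risks another implementation reading that number with a different meaning, so I would apply the same gate on the sending side: `if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))` around the second `add_notify`. The notify is also sent regardless of whether local policy would accept a responder that omits its own AUTH payload; the code enforcing that is not visible here, so a comment such as `/* advertises capability only; responder authentication is still enforced when the AUTH/EAP result is verified */` would make the intent explicit. build_i starts before and continues after this hunk.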
@@ -468,9 +474,19 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 {
 return NEED_MORE;
 }
- if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
- {
- this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+
+ if (message->get_message_id(message) == 1)
+ { /* check for extensions in the first IKE_AUTH */
+ if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
+ {
+ this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+ }
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+ message->get_notify(message, EAP_ONLY_AUTHENTICATION))
+ { /* EAP-only has no official notify, accept only from strongSwan */
+ this->ike_sa->enable_extension(this->ike_sa,
+ EXT_EAP_ONLY_AUTHENTICATION);
+ }
 }
 
 if (this->other_auth == NULL)
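Review bot: The `EXT_STRONGSWAN` test in process_r runs before the peer has been authenticated, so the comment `accept only from strongSwan` should not read as a trust decision; how the flag gets set is outside this hunk, but if it comes from a vendor ID payload then any peer can present it. I would reword the comment to `/* EAP-only has no official notify type; interpret it only for peers announcing strongSwan (not an authentication check) */`. Whatever later consumes `EXT_EAP_ONLY_AUTHENTICATION` still has to confirm that the EAP method authenticates the responder before its AUTH payload is skipped, and that belongs in the extension's doc comment in ike_sa.h. `MULTIPLE_AUTH_SUPPORTED` is now honoured only when the message ID is 1, a behaviour change the commit message does not mention. process_r starts before and continues after this hunk.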