author | 2014-11-07 14:02:32 +0000 | |
---|---|---|
committer | 2014-11-07 14:02:32 +0000 | |
commit | 3e93108a493cf9570886fc1d1db53c44f9910e90 (patch) | |
tree | d6d6aecd51dfd7f23b3fb304e9239f20f45a8a90 | |
parent | missing outlen in tls_write decl (diff) | |
Repair initiator with PSK auth
Attempt the state transition to VALID (or EAP_VALID) in
ikev2_ike_auth() after authentication has completed, either
synchronously (PSK) or asynchronously (X.509 and RSA). This
eliminates the need to do so in multiple places and restores
the correct order for PSK.
ok markus
-rw-r--r-- | sbin/iked/ikev2.c | 14 | ||||
-rw-r--r-- | sbin/iked/ikev2.h | 17 | ||||
-rw-r--r-- | sbin/iked/ikev2_msg.c | 6 |
3 files changed, 19 insertions, 18 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index c2bf3573a90..05b16480c70 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.114 2014/07/09 12:05:01 markus Exp $ */
+/* $OpenBSD: ikev2.c,v 1.115 2014/11/07 14:02:32 mikeb Exp $ */
 
 /*
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -250,7 +250,6 @@ ikev2_dispatch_cert(int fd, struct privsep_proc *p, struct imsg *imsg)
 if (imsg->hdr.type == IMSG_CERTVALID) {
 log_debug("%s: peer certificate is valid", __func__);
 sa_stateflags(sa, IKED_REQ_CERTVALID);
- sa_state(env, sa, IKEV2_STATE_VALID);
 } else {
 log_warnx("%s: peer certificate is invalid", __func__);
 }
@@ -330,8 +329,6 @@ ikev2_dispatch_cert(int fd, struct privsep_proc *p, struct imsg *imsg)
 }
 sa_stateflags(sa, IKED_REQ_AUTH);
- /* Switch in case we already have certvalid or authvalid */
- sa_state(env, sa, IKEV2_STATE_VALID);
 if (ikev2_ike_auth(env, sa) != 0)
 log_debug("%s: failed to send ike auth", __func__);
@@ -627,7 +624,7 @@ ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
 sa_stateflags(sa, IKED_REQ_AUTHVALID);
 sa_stateflags(sa, IKED_REQ_EAPVALID);
- sa_state(env, sa, IKEV2_STATE_EAP_VALID);
+ sa_state(env, sa, IKEV2_STATE_EAP_SUCCESS);
 }
 }
@@ -640,12 +637,19 @@ ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
 } else
 sa_stateflags(sa, IKED_REQ_SA);
 }
+
 return ikev2_ike_auth(env, sa);
 }
 
 int
 ikev2_ike_auth(struct iked *env, struct iked_sa *sa)
 {
+ /* Attempt state transition */
+ if (sa->sa_state == IKEV2_STATE_EAP_SUCCESS)
+ sa_state(env, sa, IKEV2_STATE_EAP_VALID);
+ else if (sa->sa_state == IKEV2_STATE_AUTH_SUCCESS)
+ sa_state(env, sa, IKEV2_STATE_VALID);
+
 if (sa->sa_hdr.sh_initiator) {
 if (sa_stateok(sa, IKEV2_STATE_AUTH_SUCCESS))
 return (ikev2_init_done(env, sa));
diff --git a/sbin/iked/ikev2.h b/sbin/iked/ikev2.h
index 5fed74ea0f9..8d307a41eeb 100644
--- a/sbin/iked/ikev2.h
+++ b/sbin/iked/ikev2.h
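Review bot: The new `else if (sa->sa_state == IKEV2_STATE_AUTH_SUCCESS) sa_state(env, sa, IKEV2_STATE_VALID);` in ikev2_ike_auth() moves the SA to VALID — described in ikev2.h as "authenticated AND validated certs" — without consulting the IKED_REQ_* flags, and the IMSG_CERTVALID branch changed in the @@ -250 hunk no longer drives that transition itself. Everything therefore depends on the later `sa_stateok()` checks for VALID/EAP_VALID also verifying `sa_stateflags` (the removed comment "Switch in case we already have certvalid or authvalid" suggests they do), which this hunk cannot show. If that is the intended design, say so instead of `/* Attempt state transition */`, e.g. `/* Advance to (EAP_)VALID; sa_stateok() still gates on the required IKED_REQ_* flags, so this transition alone does not certify the peer. */`. Since ikev2_ike_auth() is now the single place the transition happens and is reached from both ikev2_dispatch_cert() and ikev2_ike_auth_recv(), the callers setting their flags before the call is what keeps that gate meaningful. The body of ikev2_ike_auth() continues outside the hunk.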
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.h,v 1.16 2014/08/27 10:28:57 reyk Exp $ */
+/* $OpenBSD: ikev2.h,v 1.17 2014/11/07 14:02:32 mikeb Exp $ */
 
 /*
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -32,13 +32,14 @@
 #define IKEV2_STATE_COOKIE 1 /* cookie requested */
 #define IKEV2_STATE_SA_INIT 2 /* init IKE SA */
 #define IKEV2_STATE_EAP 3 /* EAP requested */
-#define IKEV2_STATE_AUTH_REQUEST 4 /* auth received */
-#define IKEV2_STATE_AUTH_SUCCESS 5 /* authenticated */
-#define IKEV2_STATE_VALID 6 /* authenticated AND validated certs */
-#define IKEV2_STATE_EAP_VALID 7 /* EAP validated */
-#define IKEV2_STATE_ESTABLISHED 8 /* active IKE SA */
-#define IKEV2_STATE_CLOSING 9 /* expect delete for this SA */
-#define IKEV2_STATE_CLOSED 10 /* delete this SA */
+#define IKEV2_STATE_EAP_SUCCESS 4 /* EAP succeeded */
+#define IKEV2_STATE_AUTH_REQUEST 5 /* auth received */
+#define IKEV2_STATE_AUTH_SUCCESS 6 /* authenticated */
+#define IKEV2_STATE_VALID 7 /* authenticated AND validated certs */
+#define IKEV2_STATE_EAP_VALID 8 /* EAP validated */
+#define IKEV2_STATE_ESTABLISHED 9 /* active IKE SA */
+#define IKEV2_STATE_CLOSING 10 /* expect delete for this SA */
+#define IKEV2_STATE_CLOSED 11 /* delete this SA */
 extern struct iked_constmap ikev2_state_map[];
diff --git a/sbin/iked/ikev2_msg.c b/sbin/iked/ikev2_msg.c
index abd25c4462f..08ed571be82 100644
--- a/sbin/iked/ikev2_msg.c
+++ b/sbin/iked/ikev2_msg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_msg.c,v 1.36 2014/08/25 07:50:25 doug Exp $ */
+/* $OpenBSD: ikev2_msg.c,v 1.37 2014/11/07 14:02:32 mikeb Exp $ */
 
 /*
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
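Review bot: Adding `IKEV2_STATE_EAP_SUCCESS` at value 4 renumbers every later state, but none of the three file hunks in this commit touches `ikev2_state_map[]` (declared extern right below); if that table maps state constants to names, the new state will be logged by `sa_state()` without a name until an entry such as `{ IKEV2_STATE_EAP_SUCCESS, "EAP_SUCCESS" }` is added wherever the map is defined. Because `sa_stateok(sa, IKEV2_STATE_AUTH_SUCCESS)` in ikev2_ike_auth() appears to compare states numerically, the position of the insertion matters; a one-line comment above the block, `/* states are ordered: sa_stateok() compares them numerically, keep them monotonic */`, would protect the next person who adds one.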
@@ -773,10 +773,6 @@ ikev2_msg_authverify(struct iked *env, struct iked_sa *sa,
 log_debug("%s: authentication successful", __func__);
 sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS);
 sa_stateflags(sa, IKED_REQ_AUTHVALID);
-
- if (!sa->sa_policy->pol_auth.auth_eap &&
- auth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC)
- sa_state(env, sa, IKEV2_STATE_VALID);
 } else {
 log_debug("%s: authentication failed", __func__);
 sa_state(env, sa, IKEV2_STATE_AUTH_REQUEST);