author | Tobias Brunner <tobias@strongswan.org> | 2014-09-10 11:35:04 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2014-11-06 16:28:40 +0100 |
commit | 34ca3795c80c19c0dab4f27933be1ca66b0558bc (patch) | |
tree | 4d6d05ce0e0873c0bfdd74ba15e48414d467db30 | |
parent | 93923149e4db9cee62b5accc50b0a71070a2fce8 (diff) | |
android: Handle EAP-TLS in Android service
-rw-r--r-- | src/frontends/android/jni/libandroidbridge/backend/android_service.c | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 881ff00f1..41df5fba9 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -617,8 +617,8 @@ METHOD(listener_t, ike_reestablish_post, bool,
 return TRUE;
 }

-static void add_auth_cfg_eap(private_android_service_t *this,
- peer_cfg_t *peer_cfg, bool byod)
+static void add_auth_cfg_pw(private_android_service_t *this,
+ peer_cfg_t *peer_cfg, bool byod)
 {
 identification_t *user;
 auth_cfg_t *auth;
@@ -653,7 +653,15 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
 }

 auth = auth_cfg_create();
- auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ if (strpfx("ikev2-eap-tls", this->type))
+ {
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+ auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
+ }
+ else
+ {
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ }
 auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);

 id = cert->get_subject(cert);
@@ -698,7 +706,8 @@ static job_requeue_t initiate(private_android_service_t *this)

 /* local auth config */
 if (streq("ikev2-cert", this->type) ||
- streq("ikev2-cert-eap", this->type))
+ streq("ikev2-cert-eap", this->type) ||
+ streq("ikev2-eap-tls", this->type))
 {
 if (!add_auth_cfg_cert(this, peer_cfg))
 {
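Review bot: The `strpfx("ikev2-eap-tls", this->type)` test added in add_auth_cfg_cert passes its arguments in the opposite order to the other strpfx call in this commit, `strpfx(this->type, "ikev2-byod")` in initiate(), and it is a prefix match where every other check of this type name is an exact `streq`. If strpfx takes (string, prefix), as that other call suggests, this asks whether the literal starts with the configured type, so any type string that is a prefix of "ikev2-eap-tls" would switch the local round to AUTH_CLASS_EAP with EAP_TLS. Today that is masked only because initiate() gates the call on three exact type names; the choice of authentication class should not rely on the caller for that. I would write `if (streq("ikev2-eap-tls", this->type))`, matching the checks added in the two initiate() hunks. The body of add_auth_cfg_cert starts and ends outside the hunk.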
@@ -712,15 +721,19 @@ static job_requeue_t initiate(private_android_service_t *this)
 streq("ikev2-cert-eap", this->type) ||
 streq("ikev2-byod-eap", this->type))
 {
- add_auth_cfg_eap(this, peer_cfg, strpfx(this->type, "ikev2-byod"));
+ add_auth_cfg_pw(this, peer_cfg, strpfx(this->type, "ikev2-byod"));
 }

 /* remote auth config */
 auth = auth_cfg_create();
- auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 gateway = identification_create_from_string(this->gateway);
 auth->add(auth, AUTH_RULE_IDENTITY, gateway);
 auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+ /* for EAP-TLS we don't add an auth class to allow pubkey and EAP-only */
+ if (!streq("ikev2-eap-tls", this->type))
+ {
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ }
 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);

 child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL, |
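Review bot: For "ikev2-eap-tls" the remote auth_cfg built in this hunk now carries only AUTH_RULE_IDENTITY and AUTH_RULE_IDENTITY_LOOSE, so nothing visible here constrains how the gateway has to authenticate. The one-line comment gives the intent (accept pubkey or EAP-only) but not what still ties the gateway's credential to `this->gateway` when the pubkey round is skipped; presumably the mutual EAP-TLS exchange does, but that is not shown in this file section. I would expand the comment to record it, for example `/* EAP-TLS: no auth class, so the gateway may use pubkey or EAP-only; in the EAP-only case it is authenticated by the mutual EAP-TLS exchange (TODO confirm its identity is checked there) */`, and add an explicit remote constraint if it turns out the identity is not checked on that path. initiate() starts and ends outside the hunk.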