authorTobias Brunner <tobias@strongswan.org>2014-10-21 18:28:24 +0200
committerTobias Brunner <tobias@strongswan.org>2014-11-06 16:28:40 +0100
commit0e44999867d746123329a132ceea7e25942ce3d8 (patch)
treeab242f5dc2c71e607fd10d96f0c420706b1718b8 /src/frontends/android
parent4b39a4117a5f8a7515ff2130f784b9f378e79120 (diff)
android: Use %any as AAA identity, but disable EAP-only authentication
Without verification of the identity we can't prevent a malicious user with a valid certificate from impersonating the AAA server and thus the VPN gateway. So unless we make the AAA identity configurable we have to prevent EAP-only authentication.
Diffstat (limited to 'src/frontends/android')
-rw-r--r--src/frontends/android/jni/libandroidbridge/backend/android_service.c8
1 files changed, 3 insertions, 5 deletions
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 41df5fba9..960edbee5 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -657,6 +657,8 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
{
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
+ id = identification_create_from_string("%any");
+ auth->add(auth, AUTH_RULE_AAA_IDENTITY, id);
}
else
{
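Review bot: The two added lines configure `%any` as the AAA identity, which means the EAP-TLS server's certificate subject is never matched against any expected name, and nothing in the hunk records that this is only acceptable because the gateway must additionally authenticate with its own certificate (the same commit removes the EAP-only path in initiate()). A future change that relaxes the remote auth class back to EAP-only would silently re-open the impersonation the commit message describes, so a why-comment above the added lines is worth having: `/* %any disables AAA identity checks; only safe because the gateway must also authenticate with its certificate (EAP-only is not allowed, see initiate()) */`. The identification object is passed straight into `auth->add()`, so this presumably transfers ownership rather than leaking it — confirm against the auth_cfg contract. add_auth_cfg_cert begins before the hunk, so the declaration of `id` is not visible here; it is assumed to be the identification_t pointer already in scope in this function.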
@@ -729,11 +731,7 @@ static job_requeue_t initiate(private_android_service_t *this)
gateway = identification_create_from_string(this->gateway);
auth->add(auth, AUTH_RULE_IDENTITY, gateway);
auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
- /* for EAP-TLS we don't add an auth class to allow pubkey and EAP-only */
- if (!streq("ikev2-eap-tls", this->type))
- {
- auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
- }
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,