authorMartin Willi <martin@revosec.ch>2015-03-03 14:08:55 +0100
committerMartin Willi <martin@revosec.ch>2015-03-03 14:08:55 +0100
commitec57527475579dde7eb5f2efbf953afca0af78da (patch)
tree6c1ebab7c7a8ba5a5bb496b25f2a0b94a198f9e1 /src/libcharon/plugins
parent1fd70254993da6cfbe5e55a247b42ca86423ff73 (diff)
parentf05a578b8bff4bb7750e461aaeb5094f0eca4a50 (diff)
Merge branch 'eap-constraints'
Introduces basic support for EAP server module authentication constraints. With EAP-(T)TLS, public key, signature and end entity or CA certificate constraints can be enforced for connections. Fixes #762.
Diffstat (limited to 'src/libcharon/plugins')
-rw-r--r--src/libcharon/plugins/eap_tls/eap_tls.c7
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls.c7
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c9
3 files changed, 22 insertions, 1 deletions
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
index dffbaf266..bc01ba5df 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -109,6 +109,12 @@ METHOD(eap_method_t, is_mutual, bool,
return TRUE;
}
+METHOD(eap_method_t, get_auth, auth_cfg_t*,
+ private_eap_tls_t *this)
+{
+ return this->tls_eap->get_auth(this->tls_eap);
+}
+
METHOD(eap_method_t, destroy, void,
private_eap_tls_t *this)
{
@@ -138,6 +144,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
.get_msk = _get_msk,
.get_identifier = _get_identifier,
.set_identifier = _set_identifier,
+ .get_auth = _get_auth,
.destroy = _destroy,
},
},
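Review bot: The new get_auth method carries no comment on what the returned auth_cfg_t represents or who owns it, and the ownership matters because callers enforcing the constraints this merge introduces must not destroy a config they do not own. Since the method only forwards to `this->tls_eap->get_auth(this->tls_eap)`, a one-line comment above the METHOD line such as `/* forwards the auth config collected by tls_eap; ownership stays with tls_eap */` would make the lifetime explicit, if that is indeed the contract of tls_eap_t (not visible in this hunk). Whether tls_eap can be NULL when get_auth is invoked is also not visible here; if eap_tls_create can leave it unset on a failed TLS setup, the forwarding call needs a guard before dereferencing it. The identical method added to eap_ttls.c in the next file section shares both points.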
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index 703cd3f29..c99d47f8d 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -111,6 +111,12 @@ METHOD(eap_method_t, is_mutual, bool,
return TRUE;
}
+METHOD(eap_method_t, get_auth, auth_cfg_t*,
+ private_eap_ttls_t *this)
+{
+ return this->tls_eap->get_auth(this->tls_eap);
+}
+
METHOD(eap_method_t, destroy, void,
private_eap_ttls_t *this)
{
@@ -141,6 +147,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
.get_identifier = _get_identifier,
.set_identifier = _set_identifier,
.get_msk = _get_msk,
+ .get_auth = _get_auth,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 3e40a7888..88abe4951 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -620,9 +620,16 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
else if (strpfx(auth, "eap"))
{
eap_vendor_type_t *type;
+ char *pos;
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-
+ /* check for public key constraints for EAP-TLS etc. */
+ pos = strchr(auth, ':');
+ if (pos)
+ {
+ *pos = 0;
+ parse_pubkey_constraints(pos + 1, cfg);
+ }
type = eap_vendor_type_from_string(auth);
if (type)
{