-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 43 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 59 |
2 files changed, 40 insertions, 62 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index bc2518a08..8ca1464fb 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -266,7 +266,6 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 char *auth, *id, *cert, *ca;
 stroke_end_t *end, *other_end;
 auth_cfg_t *cfg;
- char eap_buf[32];
 /* select strings */
 if (local)
@@ -314,47 +313,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 {
 if (primary)
 {
- if (local)
- { /* "leftauth" not defined, fall back to deprecated "authby" */
- switch (msg->add_conn.auth_method)
- {
- default:
- case AUTH_CLASS_PUBKEY:
- auth = "pubkey";
- break;
- case AUTH_CLASS_PSK:
- auth = "psk";
- break;
- case AUTH_CLASS_EAP:
- auth = "eap";
- break;
- case AUTH_CLASS_ANY:
- auth = "any";
- break;
- }
- }
- else
- { /* "rightauth" not defined, fall back to deprecated "eap" */
- if (msg->add_conn.eap_type)
- {
- if (msg->add_conn.eap_vendor)
- {
- snprintf(eap_buf, sizeof(eap_buf), "eap-%d-%d",
- msg->add_conn.eap_type,
- msg->add_conn.eap_vendor);
- }
- else
- {
- snprintf(eap_buf, sizeof(eap_buf), "eap-%d",
- msg->add_conn.eap_type);
- }
- auth = eap_buf;
- }
- else
- { /* not EAP => no constraints for this peer */
- auth = "any";
- }
- }
+ auth = "pubkey";
 }
 else
 { /* no second authentication round, fine. But load certificates
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9fbfffc83..c527ae0b4 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
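Review bot: In the second stroke_config.c hunk the fallback is reduced to `auth = "pubkey";`, so build_auth_cfg no longer reads `msg->add_conn.auth_method`, `eap_type` or `eap_vendor`, and any stroke client that leaves an end's auth string empty now gets a pubkey constraint for both the local and the remote side, where the remote side previously got `eap-…` or `any`. That is stricter towards the peer, but it is a silent change in which authentication is required, so I would state it at the assignment, e.g. `/* no leftauth/rightauth given: starter translates legacy authby itself, default to pubkey */`. If those three fields are still part of the stroke message definition (not visible here), this function no longer uses them and they are worth removing or marking deprecated. The function body starts and ends outside the hunk.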
@@ -198,26 +198,6 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 msg.length = offsetof(stroke_msg_t, buffer);
 msg.add_conn.version = conn->keyexchange;
 msg.add_conn.name = push_string(&msg, connection_name(conn));
-
- /* PUBKEY is preferred to PSK and EAP */
- if (conn->policy & POLICY_PUBKEY)
- {
- msg.add_conn.auth_method = AUTH_CLASS_PUBKEY;
- }
- else if (conn->policy & POLICY_PSK)
- {
- msg.add_conn.auth_method = AUTH_CLASS_PSK;
- }
- else if (conn->policy & POLICY_XAUTH_PSK)
- {
- msg.add_conn.auth_method = AUTH_CLASS_EAP;
- }
- else
- {
- msg.add_conn.auth_method = AUTH_CLASS_ANY;
- }
- msg.add_conn.eap_type = conn->eap_type;
- msg.add_conn.eap_vendor = conn->eap_vendor;
 msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
 msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
 msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity);
@@ -287,6 +267,45 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
 starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
+ if (!msg.add_conn.me.auth && !msg.add_conn.other.auth)
+ { /* leftauth/rightauth not set, use legacy options */
+ if (conn->policy & POLICY_PUBKEY)
+ {
+ msg.add_conn.me.auth = push_string(&msg, "pubkey");
+ msg.add_conn.other.auth = push_string(&msg, "pubkey");
+ }
+ else if (conn->policy & POLICY_PSK)
+ {
+ msg.add_conn.me.auth = push_string(&msg, "psk");
+ msg.add_conn.other.auth = push_string(&msg, "psk");
+ }
+ else if (conn->policy & POLICY_XAUTH_RSASIG)
+ {
+ msg.add_conn.me.auth = push_string(&msg, "pubkey");
+ msg.add_conn.other.auth = push_string(&msg, "pubkey");
+ if (conn->policy & POLICY_XAUTH_SERVER)
+ {
+ msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+ }
+ else
+ {
+ msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+ }
+ }
+ else if (conn->policy & POLICY_XAUTH_PSK)
+ {
+ msg.add_conn.me.auth = push_string(&msg, "psk");
+ msg.add_conn.other.auth = push_string(&msg, "psk");
+ if (conn->policy & POLICY_XAUTH_SERVER)
+ {
+ msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+ }
+ else
+ {
+ msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+ }
+ }
+ }
 return send_stroke_msg(&msg);
 } |
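Review bot: The guard `if (!msg.add_conn.me.auth && !msg.add_conn.other.auth)` applies the legacy mapping only when both ends lack an explicit auth string, so a connection that sets just one of leftauth/rightauth gets no authby-derived value for the other end and, judging by the stroke_config.c change in this commit, ends up with the plugin's `pubkey` default. There is also no final `else`, so a policy with none of the four bits set leaves both pointers unset, and the legacy `eap_type`/`eap_vendor` values that the removed code forwarded have no counterpart in this block. These all change what authentication is demanded of the peer, so I would record the rule at the branch, e.g. `/* legacy authby is used only if neither leftauth nor rightauth is set; an end left unset defaults to pubkey in the stroke plugin */`. starter_stroke_add_conn begins outside this hunk.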