Diffstat (limited to 'src/starter')
-rw-r--r-- | src/starter/confread.c | 29 | ||||
-rw-r--r-- | src/starter/confread.h | 3 | ||||
-rw-r--r-- | src/starter/ipsec.conf.5 | 16 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 3 |
4 files changed, 39 insertions, 12 deletions
diff --git a/src/starter/confread.c b/src/starter/confread.c
index b758ffdf2..5dfcf93d6 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -509,29 +509,46 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 }
 break;
 case KW_EAP:
- /* TODO: a gperf function for all EAP types */
+ {
+ char *sep;
+
+ /* check for vendor-type format */
+ sep = strchr(kw->value, '-');
+ if (sep)
+ {
+ *(sep++) = '\0';
+ conn->eap_type = atoi(kw->value);
+ conn->eap_vendor = atoi(sep);
+ if (conn->eap_type == 0 || conn->eap_vendor == 0)
+ {
+ plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value);
+ cfg->err++;
+ }
+ break;
+ }
 if (streq(kw->value, "aka"))
 {
- conn->eap = 23;
+ conn->eap_type = 23;
 }
 else if (streq(kw->value, "sim"))
 {
- conn->eap = 18;
+ conn->eap_type = 18;
 }
 else if (streq(kw->value, "md5"))
 {
- conn->eap = 4;
+ conn->eap_type = 4;
 }
 else
 {
- conn->eap = atoi(kw->value);
- if (conn->eap == 0)
+ conn->eap_type = atoi(kw->value);
+ if (conn->eap_type == 0)
 {
 plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
 cfg->err++;
 }
 }
 break;
+ }
 case KW_KEYINGTRIES:
 if (streq(kw->value, "%forever"))
 {
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 11ca29d86..3f1884048 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -106,7 +106,8 @@ struct starter_conn {
 starter_state_t state;
 keyexchange_t keyexchange;
- int eap;
+ u_int32_t eap_type;
+ u_int32_t eap_vendor;
 lset_t policy;
 time_t sa_ike_life_seconds;
 time_t sa_ipsec_life_seconds;
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 4327b5531..56032c766 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
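Review bot: The new vendor-type branch under `case KW_EAP:` parses both halves with `atoi`, which reports no errors, so `eap=7-12345x` is silently accepted as vendor 12345, `eap=7--1` yields -1 which lands in the `u_int32_t eap_vendor` as 0xFFFFFFFF and sails past the `== 0` check, and digit strings beyond `int` range are undefined behaviour in `atoi`. Parse with `strtoul` after a digits-only check and reject overflow, as sketched below; the plain-number fallback in the unchanged `else` branch has the same weakness and could use the same treatment. The error `plog` also runs after `*(sep++) = '\0'` has cut `kw->value` at the dash, so the message shows only the type half; print both with `plog("# invalid EAP type: %s=%s-%s", kw->entry->name, kw->value, sep);`. Bounding the values to what the EAP expanded-type encoding can carry (an 8-bit type and a 24-bit vendor ID, if the daemon follows RFC 3748 here) would be worth adding once confirmed against charon. The rewrite needs `errno` and `strtoul`, i.e. `<errno.h>` and `<stdlib.h>`, which may already be included by confread.c.
```c
	case KW_EAP:
		{
			char *sep;
			unsigned long type, vendor;

			/* check for vendor-type format: <type>-<vendor>, decimal digits only */
			sep = strchr(kw->value, '-');
			if (sep)
			{
				*(sep++) = '\0';
				if (kw->value[strspn(kw->value, "0123456789")] != '\0' ||
					sep[strspn(sep, "0123456789")] != '\0')
				{
					plog("# invalid EAP type: %s=%s-%s", kw->entry->name, kw->value, sep);
					cfg->err++;
					break;
				}
				errno = 0;
				type = strtoul(kw->value, NULL, 10);
				vendor = strtoul(sep, NULL, 10);
				if (errno == ERANGE || type == 0 || type > 0xFFFFFFFFUL ||
					vendor == 0 || vendor > 0xFFFFFFFFUL)
				{
					plog("# invalid EAP type: %s=%s-%s", kw->entry->name, kw->value, sep);
					cfg->err++;
					break;
				}
				conn->eap_type = type;
				conn->eap_vendor = vendor;
				break;
			}
			/* … unchanged: aka/sim/md5 keywords and numeric fallback … */
```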
@@ -350,13 +350,21 @@ in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
 .TP
 .B eap
-defines the EAP type to be used if
+defines the EAP type to propose as server if the client has
 .B authby=eap
-is selected. Acceptable values are
+selected. Acceptable values are
 .B aka
-for EAP-AKA and
+for EAP-AKA,
 .B sim
-for EAP-SIM.
+for EAP-SIM and
+.B md5
+for EAP-MD5.
+Additionally, IANA assigned EAP method numbers are accepted, or a definition
+in the form
+.B eap=type-vendor
+(e.g.
+.B eap=7-12345
+) can be used to specify vendor specific EAP types.
 .TP
 .B esp
 ESP encryption/authentication algorithm to be used
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index c94669115..67e0cadcc 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -197,7 +197,8 @@ int starter_stroke_add_conn(starter_conn_t *conn)
 {
 msg.add_conn.auth_method = AUTH_EAP;
 }
- msg.add_conn.eap_type = conn->eap;
+ msg.add_conn.eap_type = conn->eap_type;
+ msg.add_conn.eap_vendor = conn->eap_vendor;
 if (conn->policy & POLICY_TUNNEL)
 {