Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/Makefile.am2
-rw-r--r--src/starter/args.c2
-rw-r--r--src/starter/confread.c17
-rw-r--r--src/starter/confread.h2
-rw-r--r--src/starter/invokecharon.c2
-rw-r--r--src/starter/keywords.h2
-rw-r--r--src/starter/keywords.txt2
-rw-r--r--src/starter/starterstroke.c44
8 files changed, 48 insertions, 25 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 77d58e79b..7d5a4b69a 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -6,7 +6,7 @@ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
exec.h invokecharon.h lex.yy.c
INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DDEBUG
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
starter_LDADD = loglite.o defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a
EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
dist_man_MANS = ipsec.conf.5
diff --git a/src/starter/args.c b/src/starter/args.c
index d689a40fd..009622c89 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -165,6 +165,7 @@ static const token_info_t token_info[] =
{ ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool },
{ ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.virtual_private), NULL },
+ { ARG_STR, offsetof(starter_config_t, setup.eapdir), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.pkcs11module), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool },
{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool },
@@ -184,6 +185,7 @@ static const token_info_t token_info[] =
{ ARG_MISC, 0, NULL /* KW_COMPRESS */ },
{ ARG_MISC, 0, NULL /* KW_AUTH */ },
{ ARG_MISC, 0, NULL /* KW_AUTHBY */ },
+ { ARG_MISC, 0, NULL /* KW_EAP */ },
{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 03b223878..66f70e5f9 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -63,6 +63,7 @@ static void default_values(starter_config_t *cfg)
cfg->setup.interfaces = new_list("%defaultroute");
cfg->setup.charonstart = TRUE;
cfg->setup.plutostart = TRUE;
+ cfg->setup.eapdir = IPSEC_EAPDIR;
cfg->conn_default.seen = LEMPTY;
cfg->conn_default.startup = STARTUP_NO;
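Review bot: `cfg->setup.eapdir = IPSEC_EAPDIR;` stores a string literal in a `char *` field that the keyword loader will later overwrite with parsed config text, so the two values have different storage lifetimes. If the config teardown path (outside this hunk) frees the `setup.*` string members, this default must be duplicated with `strdup()` or excluded from the free, otherwise freeing the literal is undefined behaviour; please confirm how `virtual_private` and `pkcs11module` handle their defaults and mirror that. default_values() continues outside the hunk.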
@@ -414,7 +415,7 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
case KW_AUTHBY:
conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
- if (strcmp(kw->value, "never") != 0)
+ if (!(streq(kw->value, "never") || streq(kw->value, "eap")))
{
char *value = kw->value;
char *second = strchr(kw->value, '|');
@@ -446,6 +447,20 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
}
}
break;
+ case KW_EAP:
+ /* TODO: a gperf function for all EAP types */
+ if (streq(kw->value, "aka"))
+ conn->eap = 23;
+ else
+ {
+ conn->eap = atoi(kw->value);
+ if (conn->eap == 0)
+ {
+ plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
+ cfg->err++;
+ }
+ }
+ break;
case KW_REKEY:
KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
break;
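Review bot: `conn->eap = atoi(kw->value);` accepts trailing garbage ("23x" becomes 23), negative numbers and out-of-range values, and only catches the literal 0, so a typo in `eap=` is silently passed on to charon as `eap_type`. Use `strtol()` with an end-pointer check and bound the result to the one-octet EAP method type range before assigning; the error path can stay as written. load_conn() starts and ends outside the hunk.
```c
	case KW_EAP:
		/* TODO: a gperf function for all EAP types */
		if (streq(kw->value, "aka"))
		{
			conn->eap = 23;
		}
		else
		{
			char *end = NULL;
			long type = strtol(kw->value, &end, 10);

			/* reject empty input, trailing characters, zero/negative and
			 * values that do not fit the one-octet EAP method type */
			if (end == kw->value || *end != '\0' || type <= 0 || type > 255)
			{
				plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
				cfg->err++;
			}
			else
			{
				conn->eap = (int)type;
			}
		}
		break;
```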
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 24b048965..0b303c5bf 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -95,6 +95,7 @@ struct starter_conn {
starter_state_t state;
keyexchange_t keyexchange;
+ int eap;
lset_t policy;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
@@ -167,6 +168,7 @@ struct starter_config {
bool nat_traversal;
u_int keep_alive;
char *virtual_private;
+ char *eapdir;
char *pkcs11module;
bool pkcs11keepstate;
bool pkcs11proxy;
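Review bot: The new `int eap;` member in `struct starter_conn` has no comment, while its meaning (an EAP method type number, with 0 meaning "no `eap=` keyword given", since confread.c rejects 0 as unknown) is only discoverable from confread.c and starterstroke.c. Suggest `int eap; /* EAP method type from the eap= keyword (e.g. 23 for aka); 0 if unset */`, and for the other hunk `char *eapdir; /* directory charon loads EAP plugins from, passed as --eapdir */` — the plugin-directory reading is inferred from invokecharon.c, so adjust if the semantics differ. The 0-means-unset statement assumes conn defaults are zero-initialised, which is not visible here.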
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 02239daf1..29b241234 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -116,6 +116,8 @@ starter_start_charon (starter_config_t *cfg, bool debug)
{
arg[argc++] = "--strictcrlpolicy";
}
+ arg[argc++] = "--eapdir";
+ arg[argc++] = cfg->setup.eapdir;
{ /* parse debug string */
char *pos, *level, *buf_pos, type[4], buffer[512];
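Review bot: The two new `arg[argc++]` stores are unconditional and push two more entries than before, so the capacity of `arg[]` (declared outside this hunk) must have room for them plus the terminating NULL; please confirm the array size was bumped, or add `assert(argc < ARRAY_SIZE(arg))`-style protection before these stores. Unlike `--strictcrlpolicy` above, there is no guard on the value: if `cfg->setup.eapdir` can ever be NULL (default_values() sets it, but a later free or an empty `eapdir=` might clear it), the NULL terminates argv early and charon starts without the remaining options. A guard such as `if (cfg->setup.eapdir) { arg[argc++] = "--eapdir"; arg[argc++] = cfg->setup.eapdir; }` keeps the argv well-formed. starter_start_charon() starts and ends outside the hunk.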
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 66f86679e..2f677e367 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -39,6 +39,7 @@ typedef enum {
KW_NAT_TRAVERSAL,
KW_KEEP_ALIVE,
KW_VIRTUAL_PRIVATE,
+ KW_EAPDIR,
KW_PKCS11MODULE,
KW_PKCS11KEEPSTATE,
KW_PKCS11PROXY,
@@ -67,6 +68,7 @@ typedef enum {
KW_COMPRESS,
KW_AUTH,
KW_AUTHBY,
+ KW_EAP,
KW_IKELIFETIME,
KW_KEYLIFE,
KW_REKEYMARGIN,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index e8e489fea..bf9422b9e 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -47,6 +47,8 @@ nocrsend, KW_NOCRSEND
nat_traversal, KW_NAT_TRAVERSAL
keep_alive, KW_KEEP_ALIVE
virtual_private, KW_VIRTUAL_PRIVATE
+eap, KW_EAP
+eapdir, KW_EAPDIR
pkcs11module, KW_PKCS11MODULE
pkcs11keepstate, KW_PKCS11KEEPSTATE
pkcs11proxy, KW_PKCS11PROXY
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9d4e0a13a..47e7348e4 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -37,29 +37,13 @@
#include "files.h"
/**
- * AUTH Method to use.
- *
- * @ingroup config
+ * Authentication mehtods, must be the same values as in charon
*/
enum auth_method_t {
- /**
- * Computed as specified in section 2.15 of RFC using
- * an RSA private key over a PKCS#1 padded hash.
- */
- RSA_DIGITAL_SIGNATURE = 1,
-
- /**
- * Computed as specified in section 2.15 of RFC using the
- * shared key associated with the identity in the ID payload
- * and the negotiated prf function
- */
- SHARED_KEY_MESSAGE_INTEGRITY_CODE = 2,
-
- /**
- * Computed as specified in section 2.15 of RFC using a
- * DSS private key over a SHA-1 hash.
- */
- DSS_DIGITAL_SIGNATURE = 3,
+ AUTH_RSA = 1,
+ AUTH_PSK = 2,
+ AUTH_DSS = 3,
+ AUTH_EAP = 201,
};
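Review bot: The new enum comment has a typo, "mehtods", and says the values "must be the same values as in charon" without saying where they come from, which is exactly the information a maintainer needs when one side changes. Suggest `* Authentication methods; values must match the auth_method enum charon expects in stroke_msg_t.add_conn.auth_method` (point at the actual charon header once it is known). Keeping a duplicated enum instead of a shared header is a maintenance risk; if the stroke header can carry these constants, both sides would stay in sync automatically.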
static char* push_string(stroke_msg_t *msg, char *string)
@@ -192,8 +176,22 @@ int starter_stroke_add_conn(starter_conn_t *conn)
msg.length = offsetof(stroke_msg_t, buffer);
msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
msg.add_conn.name = push_string(&msg, connection_name(conn));
- msg.add_conn.auth_method = (conn->policy & POLICY_PSK)?
- SHARED_KEY_MESSAGE_INTEGRITY_CODE : RSA_DIGITAL_SIGNATURE;
+
+ /* RSA is preferred before PSK and EAP */
+ if (conn->policy & POLICY_RSASIG)
+ {
+ msg.add_conn.auth_method = AUTH_RSA;
+ }
+ else if (conn->policy & POLICY_PSK)
+ {
+ msg.add_conn.auth_method = AUTH_PSK;
+ }
+ else
+ {
+ msg.add_conn.auth_method = AUTH_EAP;
+ }
+ msg.add_conn.eap_type = conn->eap;
+
if (conn->policy & POLICY_TUNNEL)
{
msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */
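Review bot: The final `else` selects `AUTH_EAP` whenever neither `POLICY_RSASIG` nor `POLICY_PSK` is set, which is also the state confread.c leaves after `authby=never` (its KW_AUTHBY hunk clears the auth mask for both "never" and "eap"), so such a connection is sent to charon as EAP with `eap_type` 0. Before this change the fallback was RSA, so any connection whose default policy lacks `POLICY_RSASIG` would now silently switch method; I cannot see the default policy from here, so please confirm. Gating the EAP branch on `conn->eap` and keeping the old RSA fallback for the remaining case preserves the previous behaviour. starter_stroke_add_conn() starts and ends outside the hunk.
```c
	/* RSA is preferred before PSK and EAP */
	if (conn->policy & POLICY_RSASIG)
	{
		msg.add_conn.auth_method = AUTH_RSA;
	}
	else if (conn->policy & POLICY_PSK)
	{
		msg.add_conn.auth_method = AUTH_PSK;
	}
	else if (conn->eap)
	{
		msg.add_conn.auth_method = AUTH_EAP;
	}
	else
	{
		/* no auth flag and no eap= keyword: keep the pre-change default */
		msg.add_conn.auth_method = AUTH_RSA;
	}
	msg.add_conn.eap_type = conn->eap;
	/* … unchanged: mode / tunnel handling … */
```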