From 0e44999867d746123329a132ceea7e25942ce3d8 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 21 Oct 2014 18:28:24 +0200
Subject: android: Use %any as AAA identity, but disable EAP-only authentication

Without verification of the identity we can't prevent a malicious user with a valid certificate from impersonating the AAA server and thus the VPN gateway. So unless we make the AAA identity configurable we have to prevent EAP-only authentication.
---
 .../android/jni/libandroidbridge/backend/android_service.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

(limited to 'src/frontends/android')

diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 41df5fba9..960edbee5 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -657,6 +657,8 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
 	{
 		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
 		auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
+		id = identification_create_from_string("%any");
+		auth->add(auth, AUTH_RULE_AAA_IDENTITY, id);
 	}
 	else
 	{
@@ -729,11 +731,7 @@ static job_requeue_t initiate(private_android_service_t *this)
 	gateway = identification_create_from_string(this->gateway);
 	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
 	auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
-	/* for EAP-TLS we don't add an auth class to allow pubkey and EAP-only */
-	if (!streq("ikev2-eap-tls", this->type))
-	{
-		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	}
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 	child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
-- 
cgit v1.2.3
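Review bot: The `%any` AAA identity added in the first hunk is only safe because the second hunk in `initiate()` now unconditionally adds `AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY` for the gateway, and nothing at either site records that coupling, so a later change that re-enables EAP-only for ikev2-eap-tls would silently let any certificate trusted by the chain pass as the AAA server. I would add above the two new lines `/* AAA identity is not verified (%any); acceptable only because initiate() forces AUTH_CLASS_PUBKEY for the gateway, i.e. EAP-only authentication is disabled */` and, in the second hunk where the old EAP-only comment was dropped, `/* always require pubkey auth of the gateway: the AAA identity is %any */`. The `id` variable appears to be declared outside the hunk, since add_auth_cfg_cert's body starts before it; assuming `auth->add()` adopts the identification as it does for the other AUTH_RULE_* identity values there is no leak, but that is worth confirming rather than inferring from the visible lines.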