Indicate and dected support for EAP-only authentication

diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 122e23810bc27b29f8f38579ba5cfe1c6e4d126c..4dce1937caf2ac2f1f267bb11b4d792e5874e28d 100644 (file)
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -91,6 +91,11 @@ enum ike_extension_t {
         * peer uses strongSwan, accept private use extensions
         */
        EXT_STRONGSWAN = (1<<4),
+
+       /**
+        * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
+        */
+       EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
 };
 
 /**

diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 7714b28ce91e8ab071c0ba097e6c1b4cca942d87..0e81d2bea9744e810d249f0d26887bf9712d5c3c 100644 (file)
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -347,10 +347,16 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
                this->peer_cfg->get_ref(this->peer_cfg);
        }
 
-       if (message->get_message_id(message) == 1 &&
-               this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
-       {       /* in the first IKE_AUTH, indicate support for multiple authentication */
-               message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED, chunk_empty);
+       if (message->get_message_id(message) == 1)
+       {       /* in the first IKE_AUTH ... */
+               if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+               {       /* indicate support for multiple authentication */
+                       message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+                                                               chunk_empty);
+               }
+               /* indicate support for EAP-only authentication */
+               message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
+                                                       chunk_empty);
        }
 
        if (!this->do_another_auth && !this->my_auth)
@@ -468,9 +474,19 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
        {
                return NEED_MORE;
        }
-       if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
-       {
-               this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+
+       if (message->get_message_id(message) == 1)
+       {       /* check for extensions in the first IKE_AUTH */
+               if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
+               {
+                       this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+               }
+               if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+                       message->get_notify(message, EAP_ONLY_AUTHENTICATION))
+               {       /* EAP-only has no official notify, accept only from strongSwan */
+                       this->ike_sa->enable_extension(this->ike_sa,
+                                                                                  EXT_EAP_ONLY_AUTHENTICATION);
+               }
        }
 
        if (this->other_auth == NULL)