eap-authenticator: Assume IKE identity as EAP-Identity if client doesn't send one 2833-eap-empty-id
authorTobias Brunner <tobias@strongswan.org>
Mon, 14 Jul 2025 16:13:04 +0000 (18:13 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 14 Jul 2025 16:18:14 +0000 (18:18 +0200)
Apparently, some clients (e.g. native Android) just send an empty
EAP-Identity response.  We silently ignored that previously and then
used the IKE identity for the actual EAP method.  This change tries to
do something similar (i.e. don't fail if the response is empty), but by
assuming the IKE identity as EAP-Identity, we match that and possibly
can switch configs.

Fixes: 2f2e4abe3c52 ("ikev2: Add support to switch peer configs based on EAP-Identities")
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c

index a70351827aa52ddc7aa94aba4eb132b661097680..e34cb123a5c7be3d8e1c8c195c62b14b4b36a4d8 100644 (file)
@@ -237,7 +237,6 @@ static bool apply_eap_identity(private_eap_authenticator_t *this,
        auth_cfg_t *cfg;
        bool match;
 
-       DBG1(DBG_IKE, "received EAP identity '%Y'", eap_identity);
        this->eap_identity = eap_identity;
 
        cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
@@ -300,20 +299,25 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
                case SUCCESS:
                        if (!vendor && type == EAP_IDENTITY)
                        {
+                               identification_t *id;
                                chunk_t data;
 
-                               if (this->method->get_msk(this->method, &data) != SUCCESS)
+                               if (this->method->get_msk(this->method, &data) == SUCCESS)
                                {
-                                       DBG1(DBG_IKE, "client did not send an EAP-Identity, "
-                                                "sending %N", eap_code_names, EAP_FAILURE);
-                                       return eap_payload_create_code(EAP_FAILURE,
-                                                                                                  in->get_identifier(in));
+                                       id = identification_create_from_data(data);
+                                       DBG1(DBG_IKE, "received EAP identity '%Y'", id);
                                }
-                               /* apply the received EAP identity and match it against config,
-                                * return NULL if it doesn't match to possibly switch to a
-                                * different config */
-                               if (!apply_eap_identity(this,
-                                                                               identification_create_from_data(data)))
+                               else
+                               {
+                                       id = this->ike_sa->get_other_id(this->ike_sa);
+                                       id = id->clone(id);
+                                       DBG1(DBG_IKE, "client did not send an EAP-Identity, assume "
+                                                "IKE identity '%Y'", id);
+                               }
+                               /* apply the received or assumed EAP identity and match it
+                                * against config, return NULL if it doesn't match to possibly
+                                * switch to a different config */
+                               if (!apply_eap_identity(this, id))
                                {
                                        this->method->destroy(this->method);
                                        this->method = NULL;
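Review bot: The ownership transfer that motivates the `id->clone(id)` on the assumed-identity branch is not stated at the call site, and the first hunk shows that `apply_eap_identity()` stores its argument in `this->eap_identity` rather than copying it, so a reader of this hunk alone cannot tell why the IKE identity is cloned while the `identification_create_from_data(data)` result is not. I would add, above the `if (!apply_eap_identity(this, id))` line, `/* apply_eap_identity() takes ownership of id (it is stored in this->eap_identity), hence the clone of the IKE identity above */`. It is also worth noting in that comment that the assumed identity is the IKE identity the peer asserted, which has not been authenticated yet at this point of the EAP exchange, so config switching on it carries the same trust level as a client-sent EAP-Identity and nothing more; I infer this from the fact that EAP has not completed here, and the reader should confirm it. The enclosing function server_process_eap continues past the end of the hunk, so the handling after `this->method = NULL;` is not visible here.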