From: Tobias Brunner
Date: Wed, 10 Sep 2014 09:35:04 +0000 (+0200)
Subject: android: Handle EAP-TLS in Android service
X-Git-Tag: 5.2.2dr1~41^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34ca3795c80c19c0dab4f27933be1ca66b0558bc;p=thirdparty%2Fstrongswan.git

android: Handle EAP-TLS in Android service
---

diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 881ff00f15..41df5fba9c 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -617,8 +617,8 @@ METHOD(listener_t, ike_reestablish_post, bool,
 	return TRUE;
 }
 
-static void add_auth_cfg_eap(private_android_service_t *this,
-							 peer_cfg_t *peer_cfg, bool byod)
+static void add_auth_cfg_pw(private_android_service_t *this,
+							peer_cfg_t *peer_cfg, bool byod)
 {
 	identification_t *user;
 	auth_cfg_t *auth;
@@ -653,7 +653,15 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
 	}
 
 	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	if (strpfx("ikev2-eap-tls", this->type))
+	{
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+		auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
+	}
+	else
+	{
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	}
 	auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
 	id = cert->get_subject(cert);
 
@@ -698,7 +706,8 @@ static job_requeue_t initiate(private_android_service_t *this)
 
 	/* local auth config */
 	if (streq("ikev2-cert", this->type) ||
-		streq("ikev2-cert-eap", this->type))
+		streq("ikev2-cert-eap", this->type) ||
+		streq("ikev2-eap-tls", this->type))
 	{
 		if (!add_auth_cfg_cert(this, peer_cfg))
 		{
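Review bot: The new branch in add_auth_cfg_cert tests `strpfx("ikev2-eap-tls", this->type)` with the literal as the first argument, whereas the byod check in the following hunk calls `strpfx(this->type, "ikev2-byod")` and both new checks in initiate use `streq("ikev2-eap-tls", this->type)`. If strpfx takes (string, prefix) as the byod call suggests, this line asks whether the literal starts with this->type, so any type that is a prefix of "ikev2-eap-tls" would also select EAP-TLS; that happens to pick only the intended type among the names visible here, but it is fragile once further type strings are added. Since the type is matched exactly everywhere else in this commit, `if (streq("ikev2-eap-tls", this->type))` keeps the three checks consistent and removes the argument-order question. add_auth_cfg_cert begins before this hunk and its trailing lines do not show where the auth config is attached, so the rest of the function was not reviewed.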
@@ -712,15 +721,19 @@ static job_requeue_t initiate(private_android_service_t *this)
 		streq("ikev2-cert-eap", this->type) ||
 		streq("ikev2-byod-eap", this->type))
 	{
-		add_auth_cfg_eap(this, peer_cfg, strpfx(this->type, "ikev2-byod"));
+		add_auth_cfg_pw(this, peer_cfg, strpfx(this->type, "ikev2-byod"));
 	}
 
 	/* remote auth config */
 	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	gateway = identification_create_from_string(this->gateway);
 	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
 	auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+	/* for EAP-TLS we don't add an auth class to allow pubkey and EAP-only */
+	if (!streq("ikev2-eap-tls", this->type))
+	{
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	}
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 	child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
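Review bot: The comment above the skipped AUTH_CLASS_PUBKEY rule says what is done but not why it is acceptable: with no auth class on the remote config the gateway may authenticate by EAP alone, so the client's assurance about the gateway then rests entirely on EAP-TLS verifying the server's TLS certificate against the configured gateway identity. I would record that dependency where the rule is omitted, e.g. `/* for EAP-TLS no auth class is set, so the gateway may use pubkey or EAP-only (RFC 5998); gateway authentication then relies on EAP-TLS checking the server certificate against the identity rules above */`. Whether the AUTH_RULE_IDENTITY/IDENTITY_LOOSE rules set here are in fact applied to the TLS server certificate by the EAP-TLS implementation is not visible in this hunk and should be confirmed before relying on it. initiate continues past the end of the hunk.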