From: Tobias Brunner Date: Mon, 14 Jul 2025 16:13:04 +0000 (+0200) Subject: eap-authenticator: Assume IKE identity as EAP-Identity if client doesn't send one X-Git-Tag: 6.0.3dr1~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea05033319759227121092ca57a7b667183cf599;p=thirdparty%2Fstrongswan.git eap-authenticator: Assume IKE identity as EAP-Identity if client doesn't send one Apparently, some clients (e.g. native Android) just send an empty EAP-Identity response. We silently ignored that previously and then used the IKE identity for the actual EAP method. This change tries to do something similar (i.e. don't fail if the response is empty), but by assuming the IKE identity as EAP-Identity, we match that and possibly can switch configs. Closes strongswan/strongswan#2833 Fixes: 2f2e4abe3c52 ("ikev2: Add support to switch peer configs based on EAP-Identities") --- diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index a70351827a..2b548cfdce 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -237,7 +237,6 @@ static bool apply_eap_identity(private_eap_authenticator_t *this, auth_cfg_t *cfg; bool match; - DBG1(DBG_IKE, "received EAP identity '%Y'", eap_identity); this->eap_identity = eap_identity; cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); @@ -300,20 +299,25 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, case SUCCESS: if (!vendor && type == EAP_IDENTITY) { + identification_t *id; chunk_t data; - if (this->method->get_msk(this->method, &data) != SUCCESS) + if (this->method->get_msk(this->method, &data) == SUCCESS) { - DBG1(DBG_IKE, "client did not send an EAP-Identity, " - "sending %N", eap_code_names, EAP_FAILURE); - return eap_payload_create_code(EAP_FAILURE, - in->get_identifier(in)); + id = identification_create_from_data(data); + DBG1(DBG_IKE, "received EAP identity '%Y'", id); } - /* apply the received EAP identity and match it against config, - * return NULL if it doesn't match to possibly switch to a - * different config */ - if (!apply_eap_identity(this, - identification_create_from_data(data))) + else + { + id = this->ike_sa->get_other_id(this->ike_sa); + id = id->clone(id); + DBG1(DBG_IKE, "client did not send an EAP identity, assume " + "IKE identity '%Y'", id); + } + /* apply the received or assumed EAP identity and match it + * against config. return NULL if it doesn't match to possibly + * switch to a different config */ + if (!apply_eap_identity(this, id)) { this->method->destroy(this->method); this->method = NULL;