Added support for authby/xauth_server legacy options
authorMartin Willi <martin@revosec.ch>
Fri, 20 Jan 2012 14:33:26 +0000 (15:33 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:31:38 +0000 (17:31 +0100)
src/libcharon/plugins/stroke/stroke_config.c
src/starter/starterstroke.c

index bc2518a08496fa5635e07add3d25e8962568131b..8ca1464fb50f053bcf07009fd3fbb033852e2d12 100644 (file)
@@ -266,7 +266,6 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
        char *auth, *id, *cert, *ca;
        stroke_end_t *end, *other_end;
        auth_cfg_t *cfg;
-       char eap_buf[32];
 
        /* select strings */
        if (local)
@@ -314,47 +313,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
        {
                if (primary)
                {
-                       if (local)
-                       {       /* "leftauth" not defined, fall back to deprecated "authby" */
-                               switch (msg->add_conn.auth_method)
-                               {
-                                       default:
-                                       case AUTH_CLASS_PUBKEY:
-                                               auth = "pubkey";
-                                               break;
-                                       case AUTH_CLASS_PSK:
-                                               auth = "psk";
-                                               break;
-                                       case AUTH_CLASS_EAP:
-                                               auth = "eap";
-                                               break;
-                                       case AUTH_CLASS_ANY:
-                                               auth = "any";
-                                               break;
-                               }
-                       }
-                       else
-                       {       /* "rightauth" not defined, fall back to deprecated "eap" */
-                               if (msg->add_conn.eap_type)
-                               {
-                                       if (msg->add_conn.eap_vendor)
-                                       {
-                                               snprintf(eap_buf, sizeof(eap_buf), "eap-%d-%d",
-                                                                msg->add_conn.eap_type,
-                                                                msg->add_conn.eap_vendor);
-                                       }
-                                       else
-                                       {
-                                               snprintf(eap_buf, sizeof(eap_buf), "eap-%d",
-                                                                msg->add_conn.eap_type);
-                                       }
-                                       auth = eap_buf;
-                               }
-                               else
-                               {       /* not EAP => no constraints for this peer */
-                                       auth = "any";
-                               }
-                       }
+                       auth = "pubkey";
                }
                else
                {       /* no second authentication round, fine. But load certificates
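Review bot: The replacement line `auth = "pubkey";` drops the comments that explained the fallback, so a reader of build_auth_cfg can no longer tell why a missing leftauth/rightauth for the primary round means public-key authentication; the hunk should keep one, e.g. `/* leftauth/rightauth not set; starter already mapped the legacy authby/xauth options onto them, so a missing value means pubkey */`. Note that this default is stricter than the removed remote-side fallback of "any" for non-EAP peers, which reads as a deliberate fail-closed choice but also applies to any client sending add_conn stroke messages without going through starter, so it is worth confirming that no such caller relied on the old behaviour. build_auth_cfg begins and ends outside the hunk.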
index 9fbfffc8342f9140d563769f69e6dbc7b9ce8983..c527ae0b43b97a99ba0d80a0d0e24e178c1d5e61 100644 (file)
@@ -198,26 +198,6 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.add_conn.version = conn->keyexchange;
        msg.add_conn.name = push_string(&msg, connection_name(conn));
-
-       /* PUBKEY is preferred to PSK and EAP */
-       if (conn->policy & POLICY_PUBKEY)
-       {
-               msg.add_conn.auth_method = AUTH_CLASS_PUBKEY;
-       }
-       else if (conn->policy & POLICY_PSK)
-       {
-               msg.add_conn.auth_method = AUTH_CLASS_PSK;
-       }
-       else if (conn->policy & POLICY_XAUTH_PSK)
-       {
-               msg.add_conn.auth_method = AUTH_CLASS_EAP;
-       }
-       else
-       {
-               msg.add_conn.auth_method = AUTH_CLASS_ANY;
-       }
-       msg.add_conn.eap_type = conn->eap_type;
-       msg.add_conn.eap_vendor = conn->eap_vendor;
        msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
        msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
        msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity);
@@ -287,6 +267,45 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
        starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
 
+       if (!msg.add_conn.me.auth && !msg.add_conn.other.auth)
+       {       /* leftauth/rightauth not set, use legacy options */
+               if (conn->policy & POLICY_PUBKEY)
+               {
+                       msg.add_conn.me.auth = push_string(&msg, "pubkey");
+                       msg.add_conn.other.auth = push_string(&msg, "pubkey");
+               }
+               else if (conn->policy & POLICY_PSK)
+               {
+                       msg.add_conn.me.auth = push_string(&msg, "psk");
+                       msg.add_conn.other.auth = push_string(&msg, "psk");
+               }
+               else if (conn->policy & POLICY_XAUTH_RSASIG)
+               {
+                       msg.add_conn.me.auth = push_string(&msg, "pubkey");
+                       msg.add_conn.other.auth = push_string(&msg, "pubkey");
+                       if (conn->policy & POLICY_XAUTH_SERVER)
+                       {
+                               msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+                       }
+                       else
+                       {
+                               msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+                       }
+               }
+               else if (conn->policy & POLICY_XAUTH_PSK)
+               {
+                       msg.add_conn.me.auth = push_string(&msg, "psk");
+                       msg.add_conn.other.auth = push_string(&msg, "psk");
+                       if (conn->policy & POLICY_XAUTH_SERVER)
+                       {
+                               msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+                       }
+                       else
+                       {
+                               msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+                       }
+               }
+       }
        return send_stroke_msg(&msg);
 }
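Review bot: The guard `if (!msg.add_conn.me.auth && !msg.add_conn.other.auth)` only translates the legacy policy bits when neither leftauth nor rightauth is given, so a config that sets one of them leaves the other end with no auth string and falls through to whatever build_auth_cfg defaults to (the other hunk on this page makes that "pubkey"); if that asymmetry is intended, say so on the condition, e.g. `/* translate legacy options only when neither leftauth nor rightauth is set */`. A conn with none of the four policy bits now sends no auth at all where the removed code sent AUTH_CLASS_ANY, which presumably is the same pubkey default but deserves a sentence in the commit message. The POLICY_XAUTH_RSASIG and POLICY_XAUTH_PSK branches differ only in the primary method string, and the xauth role selection on POLICY_XAUTH_SERVER is repeated in both; a small static helper removes the duplication. starter_stroke_add_conn begins before the hunk.
```c
/* set the primary method on both ends and, for XAUTH policies, the second
 * round on the end that authenticates via XAUTH: the client unless
 * xauth_server is set */
static void set_legacy_auth(stroke_msg_t *msg, starter_conn_t *conn,
							char *method, bool xauth)
{
	msg->add_conn.me.auth = push_string(msg, method);
	msg->add_conn.other.auth = push_string(msg, method);
	if (xauth)
	{
		if (conn->policy & POLICY_XAUTH_SERVER)
		{
			msg->add_conn.other.auth2 = push_string(msg, "xauth");
		}
		else
		{
			msg->add_conn.me.auth2 = push_string(msg, "xauth");
		}
	}
}

/* … unchanged: start of starter_stroke_add_conn up to starter_stroke_add_end() calls … */

	if (!msg.add_conn.me.auth && !msg.add_conn.other.auth)
	{	/* leftauth/rightauth not set, use legacy options */
		if (conn->policy & POLICY_PUBKEY)
		{
			set_legacy_auth(&msg, conn, "pubkey", FALSE);
		}
		else if (conn->policy & POLICY_PSK)
		{
			set_legacy_auth(&msg, conn, "psk", FALSE);
		}
		else if (conn->policy & POLICY_XAUTH_RSASIG)
		{
			set_legacy_auth(&msg, conn, "pubkey", TRUE);
		}
		else if (conn->policy & POLICY_XAUTH_PSK)
		{
			set_legacy_auth(&msg, conn, "psk", TRUE);
		}
	}
	return send_stroke_msg(&msg);
```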