android: Use %any as AAA identity, but disable EAP-only authentication

Without verification of the identity we can't prevent a malicious user
with a valid certificate from impersonating the AAA server and thus the
VPN gateway.  So unless we make the AAA identity configurable we have to
prevent EAP-only authentication.

diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 41df5fba9caf89cc081cebc587966a36f3e9c219..960edbee55ac656298231d7d9de5d243047fc9ee 100644 (file)
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -657,6 +657,8 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
        {
                auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
                auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
+               id = identification_create_from_string("%any");
+               auth->add(auth, AUTH_RULE_AAA_IDENTITY, id);
        }
        else
        {
@@ -729,11 +731,7 @@ static job_requeue_t initiate(private_android_service_t *this)
        gateway = identification_create_from_string(this->gateway);
        auth->add(auth, AUTH_RULE_IDENTITY, gateway);
        auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
-       /* for EAP-TLS we don't add an auth class to allow pubkey and EAP-only */
-       if (!streq("ikev2-eap-tls", this->type))
-       {
-               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-       }
+       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
        child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,