WIP xauth-aaa-identity
authorTobias Brunner <tobias@strongswan.org>
Thu, 21 May 2015 10:17:36 +0000 (12:17 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 21 May 2015 10:22:05 +0000 (12:22 +0200)
Without this, the xauth-eap plugin, or rather the instantiated EAP method, is
not able to access the CA certificates in other credential sets, as only an
exclusive local set is loaded (in order to not affect the EAP method
which runs in the same thread).

Another problem is that the server identity is not stored in the
auth_cfg object that results from the XAuth exchange (add_auth_cfg()
function in xauth.c), so the aaa_identity constraint check will
eventually fail.

src/libcharon/plugins/xauth_eap/xauth_eap.c

index f21d02697ca17a666b55d9397b4d9431ff2def90..40c485b4f9125ab22fc4f2af52ce7edd5dc29876 100644 (file)
@@ -133,7 +133,7 @@ static bool verify_eap(private_xauth_eap_t *this, eap_method_t *backend)
        while (TRUE)
        {
                /* credential set is active in frontend only, but not in backend */
-               lib->credmgr->add_local_set(lib->credmgr, &this->cred->set, TRUE);
+               lib->credmgr->add_local_set(lib->credmgr, &this->cred->set, FALSE);
                status = frontend->process(frontend, request, &response);
                lib->credmgr->remove_local_set(lib->credmgr, &this->cred->set);
                request->destroy(request);
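Review bot: With `FALSE` as the last argument to `add_local_set()`, the `frontend->process()` call no longer runs against `this->cred->set` alone. Any credential lookup the frontend EAP method makes, not only the CA certificate lookup the commit message is after, can presumably be answered by the other credential sets too. It is worth confirming that the secret the frontend uses to answer the backend still comes from `this->cred->set` (the value supplied in the XAuth exchange) and cannot be satisfied by a better-matching secret configured elsewhere, since that would weaken what this verification proves. The comment above the call should record the reason for the non-exclusive set, for example `/* set is active in frontend only; non-exclusive so the EAP method can reach CA certificates in other credential sets */`. The `while (TRUE)` loop and the rest of `verify_eap()` continue outside this hunk, so the backend side is not visible here.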