sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity

eap-authenticator: Assume IKE identity as EAP-Identity if client doesn't send one

Browse Source 
Apparently, some clients (e.g. native Android) just send an empty
EAP-Identity response.  We silently ignored that previously and then
used the IKE identity for the actual EAP method.  This change tries to
do something similar (i.e. don't fail if the response is empty), but by
assuming the IKE identity as EAP-Identity, we match that and possibly
can switch configs.

Closes strongswan/strongswan#2833
Fixes: 2f2e4abe3c52 ("ikev2: Add support to switch peer configs based on EAP-Identities")
This commit is contained in:
Tobias Brunner 2025-07-14 18:13:04 +02:00
parent 2560146204
commit ea05033319
1 changed files with 15 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
View File

@ -237,7 +237,6 @@ static bool apply_eap_identity(private_eap_authenticator_t *this,
auth_cfg_t *cfg;
bool match;
DBG1(DBG_IKE, "received EAP identity '%Y'", eap_identity);
this->eap_identity = eap_identity;
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
@ -300,20 +299,25 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
case SUCCESS:
if (!vendor && type == EAP_IDENTITY)
{
identification_t *id;
chunk_t data;
if (this->method->get_msk(this->method, &data) != SUCCESS)
if (this->method->get_msk(this->method, &data) == SUCCESS)
{
DBG1(DBG_IKE, "client did not send an EAP-Identity, "
"sending %N", eap_code_names, EAP_FAILURE);
return eap_payload_create_code(EAP_FAILURE,
in->get_identifier(in));
id = identification_create_from_data(data);
DBG1(DBG_IKE, "received EAP identity '%Y'", id);
}
/* apply the received EAP identity and match it against config,
* return NULL if it doesn't match to possibly switch to a
* different config */
if (!apply_eap_identity(this,
identification_create_from_data(data)))
else
{
id = this->ike_sa->get_other_id(this->ike_sa);
id = id->clone(id);
DBG1(DBG_IKE, "client did not send an EAP identity, assume "
"IKE identity '%Y'", id);
}
/* apply the received or assumed EAP identity and match it
* against config. return NULL if it doesn't match to possibly
* switch to a different config */
if (!apply_eap_identity(this, id))
{
this->method->destroy(this->method);
this->method = NULL;