android: Handle EAP-TLS in Android service
[strongswan.git] / src / frontends / android / jni / libandroidbridge / backend / android_service.c
index 881ff00..41df5fb 100644 (file)
@@ -617,8 +617,8 @@ METHOD(listener_t, ike_reestablish_post, bool,
        return TRUE;
 }
 
-static void add_auth_cfg_eap(private_android_service_t *this,
-                                                        peer_cfg_t *peer_cfg, bool byod)
+static void add_auth_cfg_pw(private_android_service_t *this,
+                                                       peer_cfg_t *peer_cfg, bool byod)
 {
        identification_t *user;
        auth_cfg_t *auth;
@@ -653,7 +653,15 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
        }
 
        auth = auth_cfg_create();
-       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+       if (strpfx("ikev2-eap-tls", this->type))
+       {
+               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+               auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
+       }
+       else
+       {
+               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+       }
        auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
 
        id = cert->get_subject(cert);
@@ -698,7 +706,8 @@ static job_requeue_t initiate(private_android_service_t *this)
 
        /* local auth config */
        if (streq("ikev2-cert", this->type) ||
-               streq("ikev2-cert-eap", this->type))
+               streq("ikev2-cert-eap", this->type) ||
+               streq("ikev2-eap-tls", this->type))
        {
                if (!add_auth_cfg_cert(this, peer_cfg))
                {
@@ -712,15 +721,19 @@ static job_requeue_t initiate(private_android_service_t *this)
                streq("ikev2-cert-eap", this->type) ||
                streq("ikev2-byod-eap", this->type))
        {
-               add_auth_cfg_eap(this, peer_cfg, strpfx(this->type, "ikev2-byod"));
+               add_auth_cfg_pw(this, peer_cfg, strpfx(this->type, "ikev2-byod"));
        }
 
        /* remote auth config */
        auth = auth_cfg_create();
-       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        gateway = identification_create_from_string(this->gateway);
        auth->add(auth, AUTH_RULE_IDENTITY, gateway);
        auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+       /* for EAP-TLS we don't add an auth class to allow pubkey and EAP-only */
+       if (!streq("ikev2-eap-tls", this->type))
+       {
+               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+       }
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
        child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,