NOTIFY error message types include 16383
[strongswan.git] / src / libcharon / sa / tasks / ike_auth.c
index a07f967..b440ec8 100644 (file)
@@ -481,9 +481,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
                {
                        this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
                }
-               if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
-                       message->get_notify(message, EAP_ONLY_AUTHENTICATION))
-               {       /* EAP-only has no official notify, accept only from strongSwan */
+               if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
+               {
                        this->ike_sa->enable_extension(this->ike_sa,
                                                                                   EXT_EAP_ONLY_AUTHENTICATION);
                }
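Review bot: The rewritten condition enables EXT_EAP_ONLY_AUTHENTICATION for any peer that sends the EAP_ONLY_AUTHENTICATION notify, and the removed comment that justified the old EXT_STRONGSWAN restriction is dropped without a replacement explaining why the restriction is no longer needed. Because the notify arrives in an IKE_AUTH request whose sender is not yet authenticated, the comment should make clear that the extension flag only records the peer's capability and that whether the responder actually omits its own AUTH payload remains a local-configuration decision — presumably handled further down in process_r, outside this hunk. If the reason for lifting the restriction is that EAP-only authentication has since been standardized (RFC 5998), say so in place of the deleted line, e.g. `{ /* EAP-only has a standard notify (RFC 5998); record the peer's capability, local config decides whether it is used */`. process_r starts before and ends after this hunk.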
@@ -518,6 +517,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
                                        (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
                                        (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
                        {       /* peer requested EAP, but current config does not match */
+                               DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
                                this->peer_cfg->destroy(this->peer_cfg);
                                this->peer_cfg = NULL;
                                if (!update_cfg_candidates(this, FALSE))
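Review bot: The new log message uses "inacceptable", which is not standard English and will be what operators grep for when EAP negotiation fails; prefer `DBG1(DBG_IKE, "peer requested EAP, config unacceptable");`. The message also does not say which part of the candidate mismatched, so consider including the requested EAP type in the same line if it is available at this point (the surrounding condition tests AUTH_RULE_EAP_TYPE against EAP_NAK and AUTH_RULE_EAP_VENDOR against 0). process_r starts before and ends after this hunk.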
@@ -527,7 +527,21 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
                                }
                                cand = get_auth_cfg(this, FALSE);
                        }
-                       cfg->merge(cfg, cand, TRUE);
+                       /* copy over the EAP specific rules for authentication */
+                       cfg->add(cfg, AUTH_RULE_EAP_TYPE,
+                                        cand->get(cand, AUTH_RULE_EAP_TYPE));
+                       cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
+                                        cand->get(cand, AUTH_RULE_EAP_VENDOR));
+                       id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
+                       if (id)
+                       {
+                               cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
+                       }
+                       id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
+                       if (id)
+                       {
+                               cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
+                       }
                }
 
                /* verify authentication data */
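Review bot: `cand` is dereferenced unconditionally at the first `cand->get(cand, AUTH_RULE_EAP_TYPE)` line, right after the context shows it being reassigned from `get_auth_cfg(this, FALSE)` when the configuration was switched; whether that call can return NULL is not visible here, and if it can, the copy block needs a guard such as `if (!cand) { return FAILED-style handling as used earlier in process_r }` before the first `cfg->add()`. Replacing `cfg->merge(cfg, cand, TRUE)` with four explicit `add()` calls means any other rule carried by the candidate no longer reaches `cfg`; that narrowing looks intentional, and the existing comment should say so explicitly, e.g. `/* copy only the EAP specific rules; cfg keeps the rules collected for this round, all other candidate rules are deliberately left out */`. The two identity copies rely on `id->clone(id)` so that `cfg` owns its identities independently of `cand`'s lifetime, which is worth a short why-comment. `id` is assigned but not declared in the hunk, so it must be declared earlier in process_r, which starts before and ends after this hunk.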
@@ -811,7 +825,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                                        break;
                                default:
                                {
-                                       if (type < 16383)
+                                       if (type <= 16383)
                                        {
                                                DBG1(DBG_IKE, "received %N notify error",
                                                         notify_type_names, type);
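Review bot: The corrected comparison `type <= 16383` still leaves the bound as a magic number, and the very fact that this commit is needed shows the inclusive/exclusive question is easy to get wrong; give it a name or an explanatory comment, e.g. `if (type <= 16383) { /* IKEv2 notify types 0..16383 are errors, 16384+ are status notifies */`. A named constant would also let the same bound be reused wherever else the file classifies notify types, which I cannot see from this hunk. process_i starts before and ends after this hunk.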