android: Use %any as AAA identity, but disable EAP-only authentication
authorTobias Brunner <tobias@strongswan.org>
Tue, 21 Oct 2014 16:28:24 +0000 (18:28 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 6 Nov 2014 15:28:40 +0000 (16:28 +0100)
Without verification of the AAA identity we can't prevent a malicious user
with a valid certificate from impersonating the AAA server and thus the
VPN gateway.  So unless we make the AAA identity configurable we have to
prevent EAP-only authentication.

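index 41df5fb..960edbe 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -657,6 +657,8 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
 	{
 		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
 		auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
+		id = identification_create_from_string("%any");
+		auth->add(auth, AUTH_RULE_AAA_IDENTITY, id);
 	}
 	else
 	{
@@ -729,11 +731,7 @@ static job_requeue_t initiate(private_android_service_t *this)
 	gateway = identification_create_from_string(this->gateway);
 	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
 	auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
-	/* for EAP-TLS we don't add an auth class to allow pubkey and EAP-only */
-	if (!streq("ikev2-eap-tls", this->type))
-	{
-		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	}
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 	child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,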
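Review bot: The `%any` AAA identity added in add_auth_cfg_cert (first hunk) is only acceptable because the second hunk makes AUTH_CLASS_PUBKEY unconditional for the gateway's auth config in initiate(), and that coupling is no longer recorded in the code now that the old "allow pubkey and EAP-only" comment is removed. Someone reading either function alone cannot see why the EAP-TLS path skips AAA identity verification, or why the pubkey requirement must not be made conditional again; the commit message explains it, but the next edit to initiate() will not have it at hand. I would put above the unconditional add in initiate(): `/* always require pubkey auth of the gateway: the AAA identity is %any (see add_auth_cfg_cert), so EAP-only would let any holder of a valid certificate impersonate the AAA server */` and a matching one-liner above the `%any` assignment in add_auth_cfg_cert. Both enclosing functions start and end outside the hunks.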