strongswan: Add support for EAP-TLS authentication
authorTorbjorn Tyridal <torbjorn@tyridal.no>
Tue, 18 Nov 2025 14:02:25 +0000 (14:02 +0000)
committerPhilip Prindeville <philipp@redfish-solutions.com>
Sun, 11 Jan 2026 18:34:18 +0000 (11:34 -0700)
Support for configuring EAP-TLS authentication scheme is added.

Similar to EAP-MSCHAPv2, this scheme is usually asymmetric, in that
the server's auth method (pubkey) differs from the client's auth
method (eap-tls).
The code handles this asymmetry automatically.

Signed-off-by: Torbjorn Tyridal <torbjorn@tyridal.no>
net/strongswan/Makefile
net/strongswan/files/swanctl.init

index 43ef1270e3ed65899ae2ba0ad1da9d1b6daaae59..73cbcf632808a161828833e5f9a17ea689e3791b 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
 PKG_VERSION:=6.0.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
index 86848f0679b1da7a2e7b2f09a3493a65f30ec991..8e217e9be481dd2089d9174b336569525f45efad 100644 (file)
@@ -550,7 +550,9 @@ config_remote() {
        [ -n "$pools" ] && swanctl_xappend2 "pools = $pools"
 
        local local_auth_method="$auth_method"
-       [ "$auth_method" = "eap-mschapv2" ] && local_auth_method="pubkey"
+       if [ "$auth_method" = "eap-mschapv2" ] || [ "$auth_method" = "eap-tls" ]; then
+               local_auth_method="pubkey"
+       fi
 
        swanctl_xappend2 "local {"
        swanctl_xappend3 "auth = $local_auth_method"
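Review bot: The two-clause test on the new `if` line is the same expression that is repeated verbatim in the remote block further down this file, so the list of EAP methods that force pubkey locally now lives in two places; a `case` is the idiomatic shell form and keeps it in one line, e.g. `case "$auth_method" in eap-mschapv2|eap-tls) local_auth_method="pubkey" ;; esac`. A short comment above it would also help the next reader, since the asymmetry is only explained in the commit message: `# EAP methods authenticate the remote peer only; the local side still uses pubkey`. config_remote() starts and ends outside this hunk.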
@@ -564,7 +566,9 @@ config_remote() {
        swanctl_xappend3 "auth = $auth_method"
        [ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\""
        [ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\""
-       [ "$auth_method" = eap-mschapv2 ] && swanctl_xappend3 "eap_id = $eap_id"
+       if [ "$auth_method" = "eap-mschapv2" ] || [ "$auth_method" = "eap-tls" ]; then
+               swanctl_xappend3 "eap_id = $eap_id"
+       fi
        swanctl_xappend2 "}"
 
        swanctl_xappend2 "children {"
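Review bot: The new branch emits `eap_id = $eap_id` unconditionally for eap-tls, so an unset `eap_id` option would write an empty `eap_id = ` value into swanctl.conf; unless eap_id is defaulted earlier in config_remote (not visible here), guard it the way `id` and `cacerts` are on the lines above, `[ -n "$eap_id" ] && swanctl_xappend3 "eap_id = $eap_id"`, or fall back to `%any`. As far as I recall, for EAP-TLS the peer is ultimately authenticated by its client certificate chain and `eap_id` only selects the EAP identity, so a comment making that distinction explicit would prevent operators from treating eap_id as the access control, e.g. `# eap_id selects the EAP identity only; EAP-TLS peers are authenticated by their certificate (see cacerts)`. config_remote() starts and ends outside this hunk.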
@@ -638,6 +642,9 @@ config_remote() {
        elif [ "$auth_method" = eap-mschapv2 ]; then
                # EAP-MSCHAPv2 secrets are handled in config_mschapv2_secrets globally
                :  # empty command
+       elif [ "$auth_method" = eap-tls ]; then
+               # EAP-TLS approved client certs are restricted by remote_ca_certs option
+               :  # empty command
        else
                fatal "AuthenticationMode $auth_mode not supported"
        fi
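Review bot: The comment on the new eap-tls branch says approved client certificates are restricted by remote_ca_certs, but nothing enforces that the option is set: the `cacerts` line in config_remote is only emitted when `$remote_ca_certs` is non-empty, so an eap-tls remote configured without it falls back to whatever CA certificates strongSwan trusts by default, presumably a wider set than the comment implies. Consider failing early here, `[ -n "$remote_ca_certs" ] || fatal "eap-tls requires remote_ca_certs"`, or at least logging a warning, and reword the comment to `# EAP-TLS client certs are restricted by remote_ca_certs only when it is set; no secrets to configure`. Separately, the pre-existing fallback `fatal "AuthenticationMode $auth_mode not supported"` interpolates `$auth_mode` while every comparison in this block uses `$auth_method`, so the message is likely printed with an empty value. config_remote() starts and ends outside this hunk.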