[svn-upgrade] new version strongswan (4.4.1)

1 files changed, 11 insertions, 1 deletions

diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
index a07f96767..a954782f2 100644
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -518,6 +518,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
 					(uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
 			{	/* peer requested EAP, but current config does not match */
+				DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
 				this->peer_cfg->destroy(this->peer_cfg);
 				this->peer_cfg = NULL;
 				if (!update_cfg_candidates(this, FALSE))
@@ -527,7 +528,16 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 				}
 				cand = get_auth_cfg(this, FALSE);
 			}
-			cfg->merge(cfg, cand, TRUE);
+			/* copy over the EAP specific rules for authentication */
+			cfg->add(cfg, AUTH_RULE_EAP_TYPE,
+					 cand->get(cand, AUTH_RULE_EAP_TYPE));
+			cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
+					 cand->get(cand, AUTH_RULE_EAP_VENDOR));
+			id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
+			if (id)
+			{
+				cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
+			}
 		}
 
 		/* verify authentication data */