android: Add support for combined certificate and EAP authentication
authorTobias Brunner <tobias@strongswan.org>
Thu, 7 Mar 2013 12:50:29 +0000 (13:50 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 7 Mar 2013 13:14:34 +0000 (14:14 +0100)
This uses RFC 4739 multiple authentication rounds to first
authenticate the client with a certificate followed by an
EAP authentication round with username and password.

src/frontends/android/jni/libandroidbridge/backend/android_service.c
src/frontends/android/res/values-de/arrays.xml
src/frontends/android/res/values-pl/arrays.xml
src/frontends/android/res/values-ru/arrays.xml
src/frontends/android/res/values-ua/arrays.xml
src/frontends/android/res/values/arrays.xml
src/frontends/android/src/org/strongswan/android/data/VpnType.java

index c83f0b4..76c1398 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Copyright (C) 2012 Giuliano Grassi
  * Copyright (C) 2012 Ralf Sager
  * Hochschule fuer Technik Rapperswil
@@ -456,9 +456,49 @@ METHOD(listener_t, ike_reestablish, bool,
        return TRUE;
 }
 
+static void add_auth_cfg_eap(private_android_service_t *this,
+                                                        peer_cfg_t *peer_cfg)
+{
+       identification_t *user;
+       auth_cfg_t *auth;
+
+       auth = auth_cfg_create();
+       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+       user = identification_create_from_string(this->username);
+       auth->add(auth, AUTH_RULE_IDENTITY, user);
+
+       this->creds->add_username_password(this->creds, this->username,
+                                                                          this->password);
+       memwipe(this->password, strlen(this->password));
+       peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+}
+
+static bool add_auth_cfg_cert(private_android_service_t *this,
+                                                         peer_cfg_t *peer_cfg)
+{
+       certificate_t *cert;
+       identification_t *id;
+       auth_cfg_t *auth;
+
+       cert = this->creds->load_user_certificate(this->creds);
+       if (!cert)
+       {
+               return FALSE;
+       }
+
+       auth = auth_cfg_create();
+       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+       auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+
+       id = cert->get_subject(cert);
+       auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
+       peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+       return TRUE;
+}
+
 static job_requeue_t initiate(private_android_service_t *this)
 {
-       identification_t *gateway, *user;
+       identification_t *gateway;
        ike_cfg_t *ike_cfg;
        peer_cfg_t *peer_cfg;
        child_cfg_t *child_cfg;
@@ -489,38 +529,21 @@ static job_requeue_t initiate(private_android_service_t *this)
        peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
 
        /* local auth config */
-       if (streq("ikev2-eap", this->type))
+       if (streq("ikev2-cert", this->type) ||
+               streq("ikev2-cert-eap", this->type))
        {
-               auth = auth_cfg_create();
-               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-               user = identification_create_from_string(this->username);
-               auth->add(auth, AUTH_RULE_IDENTITY, user);
-
-               this->creds->add_username_password(this->creds, this->username,
-                                                                                  this->password);
-               memwipe(this->password, strlen(this->password));
-               peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-       }
-       else if (streq("ikev2-cert", this->type))
-       {
-               certificate_t *cert;
-               identification_t *id;
-
-               cert = this->creds->load_user_certificate(this->creds);
-               if (!cert)
+               if (!add_auth_cfg_cert(this, peer_cfg))
                {
                        peer_cfg->destroy(peer_cfg);
                        charonservice->update_status(charonservice,
                                                                                 CHARONSERVICE_GENERIC_ERROR);
                        return JOB_REQUEUE_NONE;
-
                }
-               auth = auth_cfg_create();
-               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-               auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
-               id = cert->get_subject(cert);
-               auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
-               peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+       }
+       if (streq("ikev2-eap", this->type) ||
+               streq("ikev2-cert-eap", this->type))
+       {
+               add_auth_cfg_eap(this, peer_cfg);
        }
 
        /* remote auth config */
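Review bot: For the new ikev2-cert-eap type the early return after a failed add_auth_cfg_cert() (the peer_cfg->destroy branch) leaves this->password in memory unwiped, because the only memwipe() of it sits inside add_auth_cfg_eap(), which that path never reaches; unless destroy() (outside this hunk) clears it, the wipe belongs in that branch as well, e.g. `if (this->password) { memwipe(this->password, strlen(this->password)); }`. The two helpers added in the previous hunk also differ in shape without saying why, add_auth_cfg_cert() returning bool while add_auth_cfg_eap() returns void, so each deserves a short doc comment in the file's style, such as `/** Add an EAP auth round for this->username and wipe this->password afterwards. */` on the EAP helper and a note on the cert helper that it returns FALSE when no user certificate can be loaded. Since the order of the two add_auth_cfg() calls is presumably what makes the certificate round precede the EAP round for ikev2-cert-eap, a comment at the first if, `/* the certificate round has to be added before the EAP round (RFC 4739) */`, would protect that ordering from a later reshuffle. initiate() starts in the previous hunk and continues past the end of this one.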
index efa4bcb..d0117b2 100644 (file)
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Hochschule fuer Technik Rapperswil
 
     This program is free software; you can redistribute it and/or modify it
@@ -18,5 +18,6 @@
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Benutzername/Passwort)</item>
         <item>IKEv2 Zertifikat</item>
+        <item>IKEv2 Zertifikat + EAP (Benutzername/Passwort)</item>
     </string-array>
 </resources>
\ No newline at end of file
index 3e1af5f..1b74b2e 100644 (file)
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Hochschule fuer Technik Rapperswil
 
     This program is free software; you can redistribute it and/or modify it
@@ -18,5 +18,6 @@
     <string-array name="vpn_types">
         <item>IKEv2 EAP (użytkownik/hasło)</item>
         <item>IKEv2 certyfikat</item>
+        <item>IKEv2 certyfikat + EAP (użytkownik/hasło)</item>
     </string-array>
 </resources>
\ No newline at end of file
index 48a7219..55144f2 100644 (file)
@@ -16,6 +16,7 @@
     <!-- the order here must match the enum entries in VpnType.java -->
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Логин/Пароль)</item>
-        <item>Сертификат IKEv2</item>
+        <item>IKEv2 Сертификат</item>
+        <item>IKEv2 Сертификат + EAP (Логин/Пароль)</item>
     </string-array>
 </resources>
index bd43664..490fea5 100644 (file)
@@ -16,6 +16,7 @@
     <!-- the order here must match the enum entries in VpnType.java -->
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Логін/Пароль)</item>
-        <item>Сертифікати IKEv2</item>
+        <item>IKEv2 Сертифікати</item>
+        <item>IKEv2 Сертифікати + EAP (Логін/Пароль)</item>
     </string-array>
 </resources>
index 21576f2..1ac4cc2 100644 (file)
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Hochschule fuer Technik Rapperswil
 
     This program is free software; you can redistribute it and/or modify it
@@ -18,5 +18,6 @@
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Username/Password)</item>
         <item>IKEv2 Certificate</item>
+        <item>IKEv2 Certificate + EAP (Username/Password)</item>
     </string-array>
 </resources>
\ No newline at end of file
index 44a4fa6..47cc1cb 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -19,7 +19,8 @@ public enum VpnType
 {
        /* the order here must match the items in R.array.vpn_types */
        IKEV2_EAP("ikev2-eap", true, false),
-       IKEV2_CERT("ikev2-cert", false, true);
+       IKEV2_CERT("ikev2-cert", false, true),
+       IKEV2_CERT_EAP("ikev2-cert-eap", true, true);
 
        private String mIdentifier;
        private boolean mCertificate;