Merge branch 'android-client-cert'
authorTobias Brunner <tobias@strongswan.org>
Tue, 4 Sep 2012 11:57:05 +0000 (13:57 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 4 Sep 2012 11:58:49 +0000 (13:58 +0200)
Introduces IKEv2 client certificate authentication for the Android App.

1  2 
src/frontends/android/jni/libandroidbridge/backend/android_service.c

@@@ -442,14 -442,45 +457,45 @@@ static job_requeue_t initiate(private_a
                                                           600, 600, /* jitter, over 10min */
                                                           TRUE, FALSE, /* mobike, aggressive */
                                                           0, 0, /* DPD delay, timeout */
 -                                                         host_create_from_string("0.0.0.0", 0) /* virt */,
 -                                                         NULL, FALSE, NULL, NULL); /* pool, mediation */
 +                                                         FALSE, NULL, NULL); /* mediation */
 +      peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
  
-       auth = auth_cfg_create();
-       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-       user = identification_create_from_string(this->username);
-       auth->add(auth, AUTH_RULE_IDENTITY, user);
-       peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+       /* local auth config */
+       if (streq("ikev2-eap", this->type))
+       {
+               auth = auth_cfg_create();
+               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+               user = identification_create_from_string(this->username);
+               auth->add(auth, AUTH_RULE_IDENTITY, user);
+               this->creds->add_username_password(this->creds, this->username,
+                                                                                  this->password);
+               memwipe(this->password, strlen(this->password));
+               peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+       }
+       else if (streq("ikev2-cert", this->type))
+       {
+               certificate_t *cert;
+               identification_t *id;
+               cert = this->creds->load_user_certificate(this->creds);
+               if (!cert)
+               {
+                       peer_cfg->destroy(peer_cfg);
+                       charonservice->update_status(charonservice,
+                                                                                CHARONSERVICE_GENERIC_ERROR);
+                       return JOB_REQUEUE_NONE;
+               }
+               auth = auth_cfg_create();
+               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+               auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+               id = cert->get_subject(cert);
+               auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
+               peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+       }
+       /* remote auth config */
        auth = auth_cfg_create();
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        gateway = identification_create_from_string(this->gateway);