authorTobias Brunner <tobias@strongswan.org>2012-08-28 17:11:55 +0200
committerTobias Brunner <tobias@strongswan.org>2012-08-31 18:24:46 +0200
commitc89cc2269259fcc2ea140e199cef9eff230e4e80 (patch)
treed4407e7f96e7164dbf02a502d6f23b5c5c4ce161 /src/frontends
parent094a059bcfdb0589f864b373fb694e87a86a8b19 (diff)
android: Native parts handle ikev2-cert VPN type
Diffstat (limited to 'src/frontends')
-rw-r--r--src/frontends/android/jni/libandroidbridge/backend/android_service.c71
-rw-r--r--src/frontends/android/jni/libandroidbridge/backend/android_service.h8
-rw-r--r--src/frontends/android/jni/libandroidbridge/charonservice.c8
3 files changed, 71 insertions, 16 deletions
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index dfc0d2342..29b6d45af 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -44,11 +44,21 @@ struct private_android_service_t {
android_service_t public;
/**
+ * credential set
+ */
+ android_creds_t *creds;
+
+ /**
* current IKE_SA
*/
ike_sa_t *ike_sa;
/**
+ * the type of VPN
+ */
+ char *type;
+
+ /**
* local ipv4 address
*/
char *local_address;
@@ -64,6 +74,11 @@ struct private_android_service_t {
char *username;
/**
+ * password
+ */
+ char *password;
+
+ /**
* lock to safely access the TUN device fd
*/
rwlock_t *lock;
@@ -430,12 +445,42 @@ static job_requeue_t initiate(private_android_service_t *this)
host_create_from_string("0.0.0.0", 0) /* virt */,
NULL, FALSE, NULL, NULL); /* pool, mediation */
+ /* local auth config */
+ if (streq("ikev2-eap", this->type))
+ {
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+ user = identification_create_from_string(this->username);
+ auth->add(auth, AUTH_RULE_IDENTITY, user);
+
+ this->creds->add_username_password(this->creds, this->username,
+ this->password);
+ memwipe(this->password, strlen(this->password));
+ peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+ }
+ else if (streq("ikev2-cert", this->type))
+ {
+ certificate_t *cert;
+ identification_t *id;
- auth = auth_cfg_create();
- auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
- user = identification_create_from_string(this->username);
- auth->add(auth, AUTH_RULE_IDENTITY, user);
- peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+ cert = this->creds->load_user_certificate(this->creds);
+ if (!cert)
+ {
+ peer_cfg->destroy(peer_cfg);
+ charonservice->update_status(charonservice,
+ CHARONSERVICE_GENERIC_ERROR);
+ return JOB_REQUEUE_NONE;
+
+ }
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+ id = cert->get_subject(cert);
+ auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
+ peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+ }
+
+ /* remote auth config */
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
gateway = identification_create_from_string(this->gateway);
@@ -492,17 +537,24 @@ METHOD(android_service_t, destroy, void,
/* make sure the tun device is actually closed */
close_tun_device(this);
this->lock->destroy(this->lock);
+ free(this->type);
free(this->local_address);
- free(this->username);
free(this->gateway);
+ free(this->username);
+ if (this->password)
+ {
+ memwipe(this->password, strlen(this->password));
+ free(this->password);
+ }
free(this);
}
/**
* See header
*/
-android_service_t *android_service_create(char *local_address, char *gateway,
- char *username)
+android_service_t *android_service_create(android_creds_t *creds, char *type,
+ char *local_address, char *gateway,
+ char *username, char *password)
{
private_android_service_t *this;
@@ -520,7 +572,10 @@ android_service_t *android_service_create(char *local_address, char *gateway,
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.local_address = local_address,
.username = username,
+ .password = password,
.gateway = gateway,
+ .creds = creds,
+ .type = type,
.tunfd = -1,
);
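Review bot: In the ikev2-eap branch, `add_username_password` and `memwipe(this->password, strlen(this->password))` dereference `this->password` without a NULL check, although the header documents the password as "(if any)" and `destroy` guards it with `if (this->password)`; an EAP profile arriving without a password would crash in strlen. The branch chain also has no final else, so a type that is neither ikev2-eap nor ikev2-cert proceeds to initiation with no local auth config at all; if the Java side can ever hand over another VpnType value, it should fail the same way the missing-certificate path does. The stray blank line before the closing brace of the `if (!cert)` block can be dropped. initiate's body begins and ends outside the hunk.
```c
	/* local auth config */
	if (streq("ikev2-eap", this->type))
	{
		if (!this->password)
		{
			peer_cfg->destroy(peer_cfg);
			charonservice->update_status(charonservice,
										 CHARONSERVICE_GENERIC_ERROR);
			return JOB_REQUEUE_NONE;
		}
		/* … unchanged: EAP auth config, add_username_password, memwipe … */
	}
	/* … unchanged: ikev2-cert branch … */
	else
	{
		/* unknown VPN type: fail like a missing certificate */
		peer_cfg->destroy(peer_cfg);
		charonservice->update_status(charonservice,
									 CHARONSERVICE_GENERIC_ERROR);
		return JOB_REQUEUE_NONE;
	}
```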
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.h b/src/frontends/android/jni/libandroidbridge/backend/android_service.h
index a7bd8b059..52c3dc5c8 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.h
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.h
@@ -51,11 +51,15 @@ struct android_service_t {
* Create an Android service instance. Queues a job that starts initiation of a
* new IKE SA.
*
+ * @param creds Android specific credential set
+ * @param type VPN type (see VpnType.java)
* @param local_address local ip address
* @param gateway gateway address
* @param username user name (local identity)
+ * @param password password (if any)
*/
-android_service_t *android_service_create(char *local_address, char *gateway,
- char *username);
+android_service_t *android_service_create(android_creds_t *creds, char *type,
+ char *local_address, char *gateway,
+ char *username, char *password);
#endif /** ANDROID_SERVICE_H_ @}*/
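Review bot: The new @param lines do not state the ownership rules the implementation now relies on: destroy() frees `type`, `local_address`, `gateway`, `username` and `password`, while `creds` is only stored by pointer and never released, so the caller must keep the credential set alive for the service's lifetime. A sentence in the header comment would prevent the next caller from freeing the strings or the creds too early, e.g. ` * The service takes ownership of all string arguments and frees them in destroy(); creds must outlive the service.` Adding that the password is wiped before it is freed would also document the intent behind the memwipe calls.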
diff --git a/src/frontends/android/jni/libandroidbridge/charonservice.c b/src/frontends/android/jni/libandroidbridge/charonservice.c
index 8d07dd5b6..59ec62fc7 100644
--- a/src/frontends/android/jni/libandroidbridge/charonservice.c
+++ b/src/frontends/android/jni/libandroidbridge/charonservice.c
@@ -310,13 +310,9 @@ static void initiate(char *type, char *local, char *gateway,
private_charonservice_t *this = (private_charonservice_t*)charonservice;
this->creds->clear(this->creds);
- this->creds->add_username_password(this->creds, username, password);
- memwipe(password, strlen(password));
- free(password);
-
DESTROY_IF(this->service);
- this->service = android_service_create(local, gateway, username);
- free(type);
+ this->service = android_service_create(this->creds, type, local, gateway,
+ username, password);
}
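Review bot: The call site no longer frees `type` or wipes and frees `password`, which is correct only because the service now takes ownership of both, but nothing at the call says so and the removed lines show this has already been handled in two different places. A one-line comment above the call, `/* the service takes ownership of type, local, gateway, username and password */`, makes the transfer explicit. Note that the plaintext password now lives in the service object until initiate() runs rather than being wiped here, so any failure before that job executes leaves it in memory until the service is destroyed. initiate's signature and body extend beyond the hunk.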
/**