authorMartin Willi <martin@revosec.ch>2013-09-03 16:32:27 +0200
committerMartin Willi <martin@revosec.ch>2013-09-03 16:36:25 +0200
commit478f9e772b967ab1811d02f7483dcfb559e973bb (patch)
treeda100b5212cdac16220e17c5f985b984b6c2dde0 /src/libcharon/sa/xauth/xauth_manager.c
parent7a425fb24ca9c80ff1c5a9e842f1cb72c637d2b0 (diff)
parente8b36eb92f311a800079bda11bba6fdb1dfc003f (diff)
downloadstrongswan-478f9e772b967ab1811d02f7483dcfb559e973bb.tar.bz2
strongswan-478f9e772b967ab1811d02f7483dcfb559e973bb.tar.xz
Merge branch 'xauth-radius-multi'
Introduces multiple rounds in the eap-radius XAuth backend, concatenating the answers into a single password that is verified using a RADIUS User-Password attribute. This is known to work fine with iOS and OS X clients, allowing two-factor authentication with proper dialogs. Different XAuth "profiles" for each backend can be selected using a generic colon-separated suffix for the XAuth string.
Diffstat (limited to 'src/libcharon/sa/xauth/xauth_manager.c')
-rw-r--r--src/libcharon/sa/xauth/xauth_manager.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/src/libcharon/sa/xauth/xauth_manager.c b/src/libcharon/sa/xauth/xauth_manager.c
index 5709dc652..17eecc2c9 100644
--- a/src/libcharon/sa/xauth/xauth_manager.c
+++ b/src/libcharon/sa/xauth/xauth_manager.c
@@ -107,6 +107,17 @@ METHOD(xauth_manager_t, create_instance, xauth_method_t*,
enumerator_t *enumerator;
xauth_entry_t *entry;
xauth_method_t *method = NULL;
+ char *profile = NULL;
+
+ if (name)
+ {
+ profile = strchr(name, ':');
+ if (profile)
+ {
+ name = strndup(name, profile - name);
+ profile++;
+ }
+ }
this->lock->read_lock(this->lock);
enumerator = this->methods->create_enumerator(this->methods);
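Review bot: The return value of `strndup()` in the added block is not checked, so on allocation failure `name` becomes NULL and the later test `(!name || streq(name, entry->name))` treats the request as "any backend of this role". A peer configured for one specific XAuth backend could then be handed to whichever registered backend matches the role first, which is a silent change of authentication method rather than a failure. Failing closed right after the duplication, before the read lock is taken, avoids this: `if (!name) { return NULL; }`. The body of create_instance starts and ends outside this hunk.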
@@ -118,7 +129,7 @@ METHOD(xauth_manager_t, create_instance, xauth_method_t*,
}
if (role == entry->role && (!name || streq(name, entry->name)))
{
- method = entry->constructor(server, peer);
+ method = entry->constructor(server, peer, profile);
if (method)
{
break;
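Review bot: The `profile` pointer passed to `entry->constructor(server, peer, profile)` is undocumented in two respects that backends need to know. It points into the caller's original `name` string (not the `strndup()` copy), so its lifetime is that of the caller's buffer, and a string ending in a colon yields an empty string rather than NULL. A comment above the call would state the contract, e.g. `/* profile aliases the caller's name string and may be ""; constructors must copy it if they keep it */`. Whether existing constructors copy the value is not visible here and should be confirmed.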
@@ -127,6 +138,10 @@ METHOD(xauth_manager_t, create_instance, xauth_method_t*,
}
enumerator->destroy(enumerator);
this->lock->unlock(this->lock);
+ if (profile)
+ {
+ free(name);
+ }
return method;
}
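Review bot: The `free(name)` in the last hunk is guarded by `if (profile)`, so ownership of the duplicated string is inferred from an unrelated variable, and the parameter `name` is sometimes borrowed and sometimes heap-owned. This is correct as written, but any later change that sets `profile` without duplicating `name` (or the reverse) turns into a free of caller memory or a leak. Keeping the copy in its own local makes ownership explicit: declare `char *base = NULL;`, assign `name = base = strndup(name, profile - name);`, and call `free(base);` unconditionally before `return method;`.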