Diffstat (limited to 'src/frontends/android/jni')
4 files changed, 53 insertions, 27 deletions
diff --git a/src/frontends/android/jni/Android.mk b/src/frontends/android/jni/Android.mk
index 2af0d2412..670e83de1 100644
--- a/src/frontends/android/jni/Android.mk
+++ b/src/frontends/android/jni/Android.mk
@@ -7,7 +7,7 @@ strongswan_USE_BYOD := true
 strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
 	pkcs1 pkcs8 pem xcbc hmac socket-default kernel-netlink \
-	eap-identity eap-mschapv2 eap-md5 eap-gtc
+	eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
 
 ifneq ($(strongswan_USE_BYOD),)
 strongswan_BYOD_PLUGINS := eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_creds.c b/src/frontends/android/jni/libandroidbridge/backend/android_creds.c
index e0f6e8e6f..ddc032638 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_creds.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_creds.c
@@ -92,7 +92,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 {
 	enumerator_t *enumerator;
 
-	if (!trusted || (cert != CERT_ANY && cert != CERT_X509))
+	if (cert != CERT_ANY && cert != CERT_X509)
 	{
 		return NULL;
 	}
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_private_key.c b/src/frontends/android/jni/libandroidbridge/backend/android_private_key.c
index 1985f0e98..769ea3f31 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_private_key.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_private_key.c
@@ -68,6 +68,9 @@ METHOD(private_key_t, sign, bool,
 		case KEY_RSA:
 			switch (scheme)
 			{
+				case SIGN_RSA_EMSA_PKCS1_NULL:
+					method = "NONEwithRSA";
+					break;
 				case SIGN_RSA_EMSA_PKCS1_MD5:
 					method = "MD5withRSA";
 					break;
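Review bot: In the android_creds.c hunk, create_cert_enumerator now returns the same certificates whether or not the caller asked for trusted ones, and the `trusted` parameter is left without any visible use or explanation. Handing a set's certificates out for both kinds of lookup is only correct if every certificate stored in this set is legitimately trusted; the rest of the method lies outside the hunk, so that cannot be confirmed here. A comment at the changed line, such as `/* trusted is ignored on purpose: everything in this set is a trusted CA certificate */` (adjusted to whatever the set actually holds), would record the intent and stop a later reader from re-adding the check or from putting non-trusted certificates into the set.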
@@ -93,12 +96,18 @@ METHOD(private_key_t, sign, bool,
 		case KEY_ECDSA:
 			switch (scheme)
 			{
+				case SIGN_ECDSA_WITH_SHA1_DER:
+					method = "SHA1withECDSA";
+					break;
+				case SIGN_ECDSA_WITH_SHA256_DER:
 				case SIGN_ECDSA_256:
 					method = "SHA256withECDSA";
 					break;
+				case SIGN_ECDSA_WITH_SHA384_DER:
 				case SIGN_ECDSA_384:
 					method = "SHA384withECDSA";
 					break;
+				case SIGN_ECDSA_WITH_SHA512_DER:
 				case SIGN_ECDSA_521:
 					method = "SHA512withECDSA";
 					break;
@@ -189,30 +198,36 @@ METHOD(private_key_t, sign, bool,
 				default:
 					break;
 			}
-
-			/* we get an ASN.1 encoded sequence of integers r and s */
-			parse = encoded = chunk_from_byte_array(env, jsigarray);
-			if (asn1_unwrap(&parse, &parse) != ASN1_SEQUENCE ||
-				asn1_unwrap(&parse, &r) != ASN1_INTEGER ||
-				asn1_unwrap(&parse, &s) != ASN1_INTEGER)
+			if (len)
 			{
+				/* we get an ASN.1 encoded sequence of integers r and s */
+				parse = encoded = chunk_from_byte_array(env, jsigarray);
+				if (asn1_unwrap(&parse, &parse) != ASN1_SEQUENCE ||
+					asn1_unwrap(&parse, &r) != ASN1_INTEGER ||
+					asn1_unwrap(&parse, &s) != ASN1_INTEGER)
+				{
+					chunk_free(&encoded);
+					goto failed;
+				}
+				r = chunk_skip_zero(r);
+				s = chunk_skip_zero(s);
+				if (r.len > len || s.len > len)
+				{
+					chunk_free(&encoded);
+					goto failed;
+				}
+
+				/* concatenate r and s (forced to the defined length) */
+				*signature = chunk_alloc(2*len);
+				memset(signature->ptr, 0, signature->len);
+				memcpy(signature->ptr + (len - r.len), r.ptr, r.len);
+				memcpy(signature->ptr + len + (len - s.len), s.ptr, s.len);
 				chunk_free(&encoded);
-				goto failed;
 			}
-			r = chunk_skip_zero(r);
-			s = chunk_skip_zero(s);
-			if (r.len > len || s.len > len)
+			else
 			{
-				chunk_free(&encoded);
-				goto failed;
+				*signature = chunk_from_byte_array(env, jsigarray);
 			}
-
-			/* concatenate r and s (forced to the defined length) */
-			*signature = chunk_alloc(2*len);
-			memset(signature->ptr, 0, signature->len);
-			memcpy(signature->ptr + (len - r.len), r.ptr, r.len);
-			memcpy(signature->ptr + len + (len - s.len), s.ptr, s.len);
-			chunk_free(&encoded);
 		}
 		else
 		{
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 881ff00f1..960edbee5 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
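Review bot: The new `if (len)` test decides which ECDSA schemes get the r||s re-encoding and which are passed through verbatim, but `len` is assigned before the hunk and nothing at the test says that zero means pass-through, so the link to the *_DER schemes added earlier in this commit is only implied. A comment at that line, e.g. `/* len == 0: the scheme wants the DER-encoded signature exactly as Java returns it */`, would make the intent explicit (assuming len is indeed left at zero for those schemes, which is outside the hunk). The new else branch also stores the result of chunk_from_byte_array() unchecked, whereas the parsing branch fails on an unparsable or empty array; unless the caller rejects an empty signature, `if (!signature->len) goto failed;` after that assignment would keep both paths equally strict. The sign method starts and ends outside this hunk.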
@@ -617,8 +617,8 @@ METHOD(listener_t, ike_reestablish_post, bool,
 	return TRUE;
 }
 
-static void add_auth_cfg_eap(private_android_service_t *this,
-							 peer_cfg_t *peer_cfg, bool byod)
+static void add_auth_cfg_pw(private_android_service_t *this,
+							peer_cfg_t *peer_cfg, bool byod)
 {
 	identification_t *user;
 	auth_cfg_t *auth;
@@ -653,7 +653,17 @@ static bool add_auth_cfg_cert(private_android_service_t *this,
 	}
 
 	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	if (strpfx("ikev2-eap-tls", this->type))
+	{
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+		auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
+		id = identification_create_from_string("%any");
+		auth->add(auth, AUTH_RULE_AAA_IDENTITY, id);
+	}
+	else
+	{
+		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	}
 	auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
 
 	id = cert->get_subject(cert);
@@ -698,7 +708,8 @@ static job_requeue_t initiate(private_android_service_t *this)
 
 	/* local auth config */
 	if (streq("ikev2-cert", this->type) ||
-		streq("ikev2-cert-eap", this->type))
+		streq("ikev2-cert-eap", this->type) ||
+		streq("ikev2-eap-tls", this->type))
 	{
 		if (!add_auth_cfg_cert(this, peer_cfg))
 		{
@@ -712,15 +723,15 @@ static job_requeue_t initiate(private_android_service_t *this)
 		streq("ikev2-cert-eap", this->type) ||
 		streq("ikev2-byod-eap", this->type))
 	{
-		add_auth_cfg_eap(this, peer_cfg, strpfx(this->type, "ikev2-byod"));
+		add_auth_cfg_pw(this, peer_cfg, strpfx(this->type, "ikev2-byod"));
 	}
 
 	/* remote auth config */
 	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	gateway = identification_create_from_string(this->gateway);
 	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
 	auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 	child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
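Review bot: In the add_auth_cfg_cert hunk, `strpfx("ikev2-eap-tls", this->type)` has its arguments in the opposite order to `strpfx(this->type, "ikev2-byod")` lower in the same file; if strpfx(x, prefix) tests whether x begins with prefix, this line tests whether this->type is a prefix of the literal, so a shorter type such as "ikev2-eap" would also select the EAP-TLS branch should it ever reach this function. Since a single exact type is meant, `if (streq("ikev2-eap-tls", this->type))` matches the streq() checks in initiate() and removes the ambiguity. The `%any` AAA identity added in the same branch also deserves a comment: if that rule is what the EAP-TLS server certificate is matched against, `%any` means the server is validated by trust chain only and not by name, and a reader should be able to tell that is intended, e.g. `/* accept any AAA identity; the EAP-TLS server is verified by its certificate chain only */`. add_auth_cfg_cert begins outside this hunk.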
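Review bot: In the last hunk of initiate(), the remote auth config's AUTH_RULE_AUTH_CLASS entry is moved below the two identity rules without a stated reason. If the order of rules inside an auth_cfg affects how the gateway's authentication is evaluated, a one-line comment at the moved line, such as `/* the auth class must follow the identity rules */` with the actual reason, would keep the next editor from moving it back; if the order does not matter, the move is a no-op and could be dropped to keep the commit minimal. initiate() starts and ends outside this hunk.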