From 76de964617b3d3799917e917e6bed176b0f78291 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 7 Mar 2013 13:50:29 +0100
Subject: android: Add support for combined certificate and EAP authentication

This uses RFC 4739 multiple authentication rounds to first
authenticate the client with a certificate followed by an
EAP authentication round with username and password.
---
 .../jni/libandroidbridge/backend/android_service.c | 77 ++++++++++++++--------
 src/frontends/android/res/values-de/arrays.xml     |  3 +-
 src/frontends/android/res/values-pl/arrays.xml     |  3 +-
 src/frontends/android/res/values-ru/arrays.xml     |  3 +-
 src/frontends/android/res/values-ua/arrays.xml     |  3 +-
 src/frontends/android/res/values/arrays.xml        |  3 +-
 .../src/org/strongswan/android/data/VpnType.java   |  5 +-
 7 files changed, 63 insertions(+), 34 deletions(-)

diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index c83f0b4dc..76c139881 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Copyright (C) 2012 Giuliano Grassi
  * Copyright (C) 2012 Ralf Sager
  * Hochschule fuer Technik Rapperswil
@@ -456,9 +456,49 @@ METHOD(listener_t, ike_reestablish, bool,
 	return TRUE;
 }
 
+static void add_auth_cfg_eap(private_android_service_t *this,
+							 peer_cfg_t *peer_cfg)
+{
+	identification_t *user;
+	auth_cfg_t *auth;
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+	user = identification_create_from_string(this->username);
+	auth->add(auth, AUTH_RULE_IDENTITY, user);
+
+	this->creds->add_username_password(this->creds, this->username,
+									   this->password);
+	memwipe(this->password, strlen(this->password));
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+}
+
+static bool add_auth_cfg_cert(private_android_service_t *this,
+							  peer_cfg_t *peer_cfg)
+{
+	certificate_t *cert;
+	identification_t *id;
+	auth_cfg_t *auth;
+
+	cert = this->creds->load_user_certificate(this->creds);
+	if (!cert)
+	{
+		return FALSE;
+	}
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+
+	id = cert->get_subject(cert);
+	auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+	return TRUE;
+}
+
 static job_requeue_t initiate(private_android_service_t *this)
 {
-	identification_t *gateway, *user;
+	identification_t *gateway;
 	ike_cfg_t *ike_cfg;
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
@@ -489,38 +529,21 @@ static job_requeue_t initiate(private_android_service_t *this)
 	peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
 
 	/* local auth config */
-	if (streq("ikev2-eap", this->type))
+	if (streq("ikev2-cert", this->type) ||
+		streq("ikev2-cert-eap", this->type))
 	{
-		auth = auth_cfg_create();
-		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-		user = identification_create_from_string(this->username);
-		auth->add(auth, AUTH_RULE_IDENTITY, user);
-
-		this->creds->add_username_password(this->creds, this->username,
-										   this->password);
-		memwipe(this->password, strlen(this->password));
-		peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-	}
-	else if (streq("ikev2-cert", this->type))
-	{
-		certificate_t *cert;
-		identification_t *id;
-
-		cert = this->creds->load_user_certificate(this->creds);
-		if (!cert)
+		if (!add_auth_cfg_cert(this, peer_cfg))
 		{
 			peer_cfg->destroy(peer_cfg);
 			charonservice->update_status(charonservice,
 										 CHARONSERVICE_GENERIC_ERROR);
 			return JOB_REQUEUE_NONE;
-
 		}
-		auth = auth_cfg_create();
-		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-		auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
-		id = cert->get_subject(cert);
-		auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
-		peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+	}
+	if (streq("ikev2-eap", this->type) ||
+		streq("ikev2-cert-eap", this->type))
+	{
+		add_auth_cfg_eap(this, peer_cfg);
 	}
 
 	/* remote auth config */
diff --git a/src/frontends/android/res/values-de/arrays.xml b/src/frontends/android/res/values-de/arrays.xml
index efa4bcb03..d0117b202 100644
--- a/src/frontends/android/res/values-de/arrays.xml
+++ b/src/frontends/android/res/values-de/arrays.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Hochschule fuer Technik Rapperswil
 
     This program is free software; you can redistribute it and/or modify it
@@ -18,5 +18,6 @@
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Benutzername/Passwort)</item>
         <item>IKEv2 Zertifikat</item>
+        <item>IKEv2 Zertifikat + EAP (Benutzername/Passwort)</item>
     </string-array>
 </resources>
\ No newline at end of file
diff --git a/src/frontends/android/res/values-pl/arrays.xml b/src/frontends/android/res/values-pl/arrays.xml
index 3e1af5f82..1b74b2e57 100644
--- a/src/frontends/android/res/values-pl/arrays.xml
+++ b/src/frontends/android/res/values-pl/arrays.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Hochschule fuer Technik Rapperswil
 
     This program is free software; you can redistribute it and/or modify it
@@ -18,5 +18,6 @@
     <string-array name="vpn_types">
         <item>IKEv2 EAP (użytkownik/hasło)</item>
         <item>IKEv2 certyfikat</item>
+        <item>IKEv2 certyfikat + EAP (użytkownik/hasło)</item>
     </string-array>
 </resources>
\ No newline at end of file
diff --git a/src/frontends/android/res/values-ru/arrays.xml b/src/frontends/android/res/values-ru/arrays.xml
index 48a7219cc..55144f294 100644
--- a/src/frontends/android/res/values-ru/arrays.xml
+++ b/src/frontends/android/res/values-ru/arrays.xml
@@ -16,6 +16,7 @@
     <!-- the order here must match the enum entries in VpnType.java -->
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Логин/Пароль)</item>
-        <item>Сертификат IKEv2</item>
+        <item>IKEv2 Сертификат</item>
+        <item>IKEv2 Сертификат + EAP (Логин/Пароль)</item>
     </string-array>
 </resources>
diff --git a/src/frontends/android/res/values-ua/arrays.xml b/src/frontends/android/res/values-ua/arrays.xml
index bd4366405..490fea5e1 100644
--- a/src/frontends/android/res/values-ua/arrays.xml
+++ b/src/frontends/android/res/values-ua/arrays.xml
@@ -16,6 +16,7 @@
     <!-- the order here must match the enum entries in VpnType.java -->
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Логін/Пароль)</item>
-        <item>Сертифікати IKEv2</item>
+        <item>IKEv2 Сертифікати</item>
+        <item>IKEv2 Сертифікати + EAP (Логін/Пароль)</item>
     </string-array>
 </resources>
diff --git a/src/frontends/android/res/values/arrays.xml b/src/frontends/android/res/values/arrays.xml
index 21576f22c..1ac4cc21d 100644
--- a/src/frontends/android/res/values/arrays.xml
+++ b/src/frontends/android/res/values/arrays.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Hochschule fuer Technik Rapperswil
 
     This program is free software; you can redistribute it and/or modify it
@@ -18,5 +18,6 @@
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Username/Password)</item>
         <item>IKEv2 Certificate</item>
+        <item>IKEv2 Certificate + EAP (Username/Password)</item>
     </string-array>
 </resources>
\ No newline at end of file
diff --git a/src/frontends/android/src/org/strongswan/android/data/VpnType.java b/src/frontends/android/src/org/strongswan/android/data/VpnType.java
index 44a4fa6b4..47cc1cb02 100644
--- a/src/frontends/android/src/org/strongswan/android/data/VpnType.java
+++ b/src/frontends/android/src/org/strongswan/android/data/VpnType.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -19,7 +19,8 @@ public enum VpnType
 {
 	/* the order here must match the items in R.array.vpn_types */
 	IKEV2_EAP("ikev2-eap", true, false),
-	IKEV2_CERT("ikev2-cert", false, true);
+	IKEV2_CERT("ikev2-cert", false, true),
+	IKEV2_CERT_EAP("ikev2-cert-eap", true, true);
 
 	private String mIdentifier;
 	private boolean mCertificate;
-- 
cgit v1.2.3