android: Add support for combined certificate and EAP authentication
This uses RFC 4739 multiple authentication rounds to first authenticate the client with a certificate, followed by an EAP authentication round with username and password.
This commit is contained in:
parent
7d70a14779
commit
76de964617
@ -1,5 +1,5 @@
/*
* Copyright (C) 2010-2012 Tobias Brunner
* Copyright (C) 2010-2013 Tobias Brunner
* Copyright (C) 2012 Giuliano Grassi
* Copyright (C) 2012 Ralf Sager
* Hochschule fuer Technik Rapperswil
@ -456,9 +456,49 @@ METHOD(listener_t, ike_reestablish, bool,
return TRUE;
}
static void add_auth_cfg_eap(private_android_service_t *this,
peer_cfg_t *peer_cfg)
{
identification_t *user;
auth_cfg_t *auth;
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
user = identification_create_from_string(this->username);
auth->add(auth, AUTH_RULE_IDENTITY, user);
this->creds->add_username_password(this->creds, this->username,
this->password);
memwipe(this->password, strlen(this->password));
peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
}
static bool add_auth_cfg_cert(private_android_service_t *this,
peer_cfg_t *peer_cfg)
{
certificate_t *cert;
identification_t *id;
auth_cfg_t *auth;
cert = this->creds->load_user_certificate(this->creds);
if (!cert)
{
return FALSE;
}
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
id = cert->get_subject(cert);
auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
return TRUE;
}
static job_requeue_t initiate(private_android_service_t *this)
{
identification_t *gateway, *user;
identification_t *gateway;
ike_cfg_t *ike_cfg;
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
@ -489,38 +529,21 @@ static job_requeue_t initiate(private_android_service_t *this)
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
/* local auth config */
if (streq("ikev2-eap", this->type))
if (streq("ikev2-cert", this->type) ||
streq("ikev2-cert-eap", this->type))
{
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
user = identification_create_from_string(this->username);
auth->add(auth, AUTH_RULE_IDENTITY, user);
this->creds->add_username_password(this->creds, this->username,
this->password);
memwipe(this->password, strlen(this->password));
peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
}
else if (streq("ikev2-cert", this->type))
{
certificate_t *cert;
identification_t *id;
cert = this->creds->load_user_certificate(this->creds);
if (!cert)
if (!add_auth_cfg_cert(this, peer_cfg))
{
peer_cfg->destroy(peer_cfg);
charonservice->update_status(charonservice,
CHARONSERVICE_GENERIC_ERROR);
return JOB_REQUEUE_NONE;
}
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
id = cert->get_subject(cert);
auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
}
if (streq("ikev2-eap", this->type) ||
streq("ikev2-cert-eap", this->type))
{
add_auth_cfg_eap(this, peer_cfg);
}
/* remote auth config */
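Review bot: In the combined `ikev2-cert-eap` case, the early-return path after `add_auth_cfg_cert(this, peer_cfg)` fails (the `peer_cfg->destroy` / `CHARONSERVICE_GENERIC_ERROR` / `return JOB_REQUEUE_NONE;` block) now exits with `this->password` still populated, because the only `memwipe` of the password visible in this commit is inside `add_auth_cfg_eap`, which that path never reaches; before the change the certificate type carried no password at all. Unless the service's teardown (outside this view) wipes the field, consider wiping it on that error path as well, e.g. `if (this->password) { memwipe(this->password, strlen(this->password)); }` before the return, guarded because the cert-only type presumably has no password set. Separately, the two new helpers in the preceding hunk have no header comment; a `/** ... */` block on `add_auth_cfg_eap` stating that it registers the username/password with the credential set and wipes the in-memory password, and one on `add_auth_cfg_cert` stating that it returns FALSE when no user certificate can be loaded, would match the rest of the file. `initiate()` continues past the end of this hunk.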
@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
Copyright (C) 2012 Tobias Brunner
Copyright (C) 2012-2013 Tobias Brunner
Hochschule fuer Technik Rapperswil
This program is free software; you can redistribute it and/or modify it
@ -18,5 +18,6 @@
<string-array name="vpn_types">
<item>IKEv2 EAP (Benutzername/Passwort)</item>
<item>IKEv2 Zertifikat</item>
<item>IKEv2 Zertifikat + EAP (Benutzername/Passwort)</item>
</string-array>
</resources>
@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
Copyright (C) 2012 Tobias Brunner
Copyright (C) 2012-2013 Tobias Brunner
Hochschule fuer Technik Rapperswil
This program is free software; you can redistribute it and/or modify it
@ -18,5 +18,6 @@
<string-array name="vpn_types">
<item>IKEv2 EAP (użytkownik/hasło)</item>
<item>IKEv2 certyfikat</item>
<item>IKEv2 certyfikat + EAP (użytkownik/hasło)</item>
</string-array>
</resources>
@ -16,6 +16,7 @@
<!-- the order here must match the enum entries in VpnType.java -->
<string-array name="vpn_types">
<item>IKEv2 EAP (Логин/Пароль)</item>
<item>Сертификат IKEv2</item>
<item>IKEv2 Сертификат</item>
<item>IKEv2 Сертификат + EAP (Логин/Пароль)</item>
</string-array>
</resources>
@ -16,6 +16,7 @@
<!-- the order here must match the enum entries in VpnType.java -->
<string-array name="vpn_types">
<item>IKEv2 EAP (Логін/Пароль)</item>
<item>Сертифікати IKEv2</item>
<item>IKEv2 Сертифікати</item>
<item>IKEv2 Сертифікати + EAP (Логін/Пароль)</item>
</string-array>
</resources>
@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
Copyright (C) 2012 Tobias Brunner
Copyright (C) 2012-2013 Tobias Brunner
Hochschule fuer Technik Rapperswil
This program is free software; you can redistribute it and/or modify it
@ -18,5 +18,6 @@
<string-array name="vpn_types">
<item>IKEv2 EAP (Username/Password)</item>
<item>IKEv2 Certificate</item>
<item>IKEv2 Certificate + EAP (Username/Password)</item>
</string-array>
</resources>
@ -1,5 +1,5 @@
/*
* Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2012-2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@ -19,7 +19,8 @@ public enum VpnType
{
/* the order here must match the items in R.array.vpn_types */
IKEV2_EAP("ikev2-eap", true, false),
IKEV2_CERT("ikev2-cert", false, true);
IKEV2_CERT("ikev2-cert", false, true),
IKEV2_CERT_EAP("ikev2-cert-eap", true, true);
private String mIdentifier;
private boolean mCertificate;
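Review bot: The identifier string of the new `IKEV2_CERT_EAP("ikev2-cert-eap", true, true)` constant is compared verbatim by the `streq("ikev2-cert-eap", this->type)` checks in the native hunk of this same commit, but nothing in the enum records that coupling, so a later rename on either side would only show up as a failed type selection at runtime. A comment beside the existing order-must-match note, such as `/* identifiers must match the streq() checks in the native backend's initiate() */`, would make the constraint visible where the values are defined. The `VpnType` enum body continues beyond this hunk, so the meaning of the two boolean constructor arguments cannot be confirmed from here.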