[strongSwan-dev] [PATCH] XAUTH username im updown environment

Heiko Hund hhund at astaro.com
Tue Jun 8 08:50:31 CEST 2010


Hallo Andreas,

dieser Patch fuegt den XAUTH usernamen als Umgebungsvariable fuer das
updown Skript hinzu. Könnte auch für die Allgemeinheit interessant sein
und wuerde gut zum 4.4.1 changeset passen. Würde mich freuen, wenn er
aufgenommen wird.

Gruesse
Heiko

Signed-off-by: Heiko Hund <hhund at astaro.com>

---
 src/pluto/ipsec_doi.c |   23 ++++++++++++++++++++++-
 src/pluto/kernel.c    |   13 ++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 38e19db..b23b3fb 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -1951,11 +1951,11 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 
 	bool send_natoa = FALSE;
 	u_int8_t np = ISAKMP_NEXT_NONE;
+	connection_t *ph1_c = isakmp_sa->st_connection;
 
 	if (c->spd.this.modecfg && !c->spd.this.has_client &&
 		c->spd.this.host_srcip->is_anyaddr(c->spd.this.host_srcip))
 	{
-		connection_t *ph1_c = isakmp_sa->st_connection;
 		host_t * ph1_srcip = ph1_c->spd.this.host_srcip;
 
 		if (ph1_c->spd.this.modecfg && !ph1_srcip->is_anyaddr(ph1_srcip))
@@ -1968,6 +1968,16 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 		}
 	}
 
+	if (ph1_c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
+		ph1_c->xauth_identity)
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("inheriting XAUTH identity %Y", ph1_c->xauth_identity)
+		)
+		DESTROY_IF(c->xauth_identity);
+		c->xauth_identity = ph1_c->xauth_identity->clone(ph1_c->xauth_identity);
+	}
+
 	st->st_whack_sock = whack_sock;
 	st->st_connection = c;
 	set_cur_state(st);  /* we must reset before exit */
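Review bot: If `c` and `ph1_c` refer to the same connection — quick_outI1 receives them as separate arguments, but nothing in this hunk rules out `isakmp_sa->st_connection == c` — then `DESTROY_IF(c->xauth_identity)` on the added line frees the very object that `ph1_c->xauth_identity->clone(...)` dereferences on the next line, a use-after-free. Clone before releasing the old value: `identification_t *id = ph1_c->xauth_identity->clone(ph1_c->xauth_identity);` then `DESTROY_IF(c->xauth_identity);` then `c->xauth_identity = id;` — or skip the block when `c == ph1_c`, since there is nothing to inherit from itself. quick_outI1 begins before this hunk.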
@@ -4947,6 +4957,17 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 						p->spd.that.client = c->spd.that.client;
 						p->spd.that.has_client = TRUE;
 					}
+
+					identification_t *xauth_id = c->xauth_identity;
+					if (c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
+						xauth_id)
+					{
+						DBG(DBG_CONTROL,
+							DBG_log("inheriting XAUTH identity %Y", xauth_id)
+						)
+						DESTROY_IF(p->xauth_identity);
+						p->xauth_identity = xauth_id->clone(xauth_id);
+					}
 				}
 			}
 #ifdef DEBUG
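Review bot: The inherit block added here repeats the one added to quick_outI1 almost verbatim (policy test, debug log, DESTROY_IF, clone); a small `static void inherit_xauth_identity(connection_t *to, connection_t *from)` in ipsec_doi.c would keep the two copies in step and give the destroy-then-clone ordering a single place to get right. `DESTROY_IF(p->xauth_identity)` also assumes `p` owns an identity object distinct from `c`'s; how `p` is created lies outside the hunk, so if it is a struct copy of `c` that did not clone `xauth_identity`, this line frees `c->xauth_identity` just before `xauth_id->clone(xauth_id)` reads it — worth confirming at the instantiation site. Declaring `xauth_id` after statements is C99 mixed-declaration style, whereas the first hunk of this patch hoists `ph1_c` to the top of the block; picking one convention would help. quick_inI1_outR1_tail starts and ends outside this hunk.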
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 6a290ee..f962f03 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -467,7 +467,8 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			peerca_str[BUF_LEN],
 			secure_myid_str[BUF_LEN] = "",
 			secure_peerid_str[BUF_LEN] = "",
-			secure_peerca_str[BUF_LEN] = "";
+			secure_peerca_str[BUF_LEN] = "",
+			xauth_user_str[BUF_LEN] = "";
 		ip_address ta;
 		pubkey_list_t *p;
 
@@ -495,6 +496,14 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			strncat(srcip_str, "' ", sizeof(srcip_str));
 		}
 
+		if (c->xauth_identity &&
+			c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
+		{
+			static char u[BUF_LEN];
+			snprintf(u, sizeof(u), "PLUTO_XAUTH_USER='%Y' ", c->xauth_identity);
+			escape_metachar(u, xauth_user_str, sizeof(xauth_user_str));
+		}
+
 		addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
 		snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
 		escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
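Review bot: The added block escapes the wrong string: the neighbouring id values just below are passed to escape_metachar bare, with the `'…'` quoting kept in the format string, whereas here `u` already holds `PLUTO_XAUTH_USER='…' ` and escape_metachar is applied to the quotes too. If escape_metachar rewrites `'` — which is what the other callers rely on to keep a quoted value from being closed early — the quotes meant to protect the XAUTH username, a string chosen by the remote peer, are themselves mangled and the username reaches the shell-run updown command unquoted, so whitespace or `;` in it becomes command structure. Build the variable the same way as PLUTO_MY_ID: format the bare identity, escape it, then wrap it in the quoted prefix; the `static` on `u` then has no purpose either, since every sibling buffer in do_command is automatic. do_command begins before and ends after this hunk.
```c
		if (c->xauth_identity &&
			c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
		{
			char xauth_id_str[BUF_LEN], secure_xauth_id_str[BUF_LEN];

			/* escape the bare value only; the quotes stay outside the escaped text,
			 * exactly as for PLUTO_MY_ID / PLUTO_PEER_ID below */
			snprintf(xauth_id_str, sizeof(xauth_id_str), "%Y", c->xauth_identity);
			escape_metachar(xauth_id_str, secure_xauth_id_str, sizeof(secure_xauth_id_str));
			snprintf(xauth_user_str, sizeof(xauth_user_str),
					 "PLUTO_XAUTH_USER='%s' ", secure_xauth_id_str);
		}
		/* … unchanged: me_str / myid_str handling … */
```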
@@ -561,6 +570,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			"PLUTO_PEER_PROTOCOL='%u' "
 			"PLUTO_PEER_CA='%s' "
 			"%s"        /* optional PLUTO_MY_SRCIP */
+			"%s"        /* optional PLUTO_XAUTH_USER */
 			"%s"        /* actual script */
 			, verb, verb_suffix
 			, c->name
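Review bot: PLUTO_XAUTH_USER is a new variable in the updown environment and is only emitted when the connection carries an XAUTH identity other than ID_ANY (the `%s` slot is otherwise an empty string), so scripts cannot assume it is set; the inline comment should say so, e.g. `"%s"        /* optional PLUTO_XAUTH_USER, only set for XAUTH peers */`. The PLUTO_* variable list kept in the default _updown script (not part of this patch) presumably needs a matching entry so script authors learn the variable exists and when it is absent. do_command begins before and ends after this hunk.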
@@ -584,6 +594,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			, sr->that.protocol
 			, secure_peerca_str
 			, srcip_str
+			, xauth_user_str
 			, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
 		{
 			loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
-- 
tg: (6c304b3..) t/xauth_username_in_updown_env (depends on: t/cope_with_iphone_local_subnet_proposal)



