[strongSwan] Using client cert to identify user when authby=xauthrsasig

p p pp7462-sswan at yahoo.com
Tue Sep 24 00:08:32 CEST 2013


Apologies but reposting to the correct mailing list.

I'm trying to follow discussion in the below thread:

https://lists.strongswan.org/pipermail/users/2012-October/008357.html

I too face a similar issue and want to identify the user based on the client certificate instead of the XAUTH username.  I've used the patch below, which is based on reverting change http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0fbfcf2a (as described in the above thread).  I also had to make a similar change for the mempool-based IP allocation.  The patch below is against 5.1.0.  Could anyone confirm whether I'm on the right track?

Thanks,
Piyush

----------------

--- strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.h.orig2013-09-18 14:28:32.606439759 -0700
+++ strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.h2013-09-18 14:28:55.094157048 -0700
@@ -172,8 +172,6 @@ struct ike_sa_manager_t {
 /**
  * Create an enumerator over ike_sa_id_t*, matching peer identities.
  *
- * The remote peer is identified by its XAuth or EAP identity, if available.
- *
  * @param melocal peer identity to match
  * @param otherremote peer identity to match
  * @param familyaddress family to match, 0 for any
--- strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.c.orig2013-09-18 11:29:11.330233469 -0700
+++ strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.c2013-09-19 09:36:30.792472820 -0700
@@ -1553,7 +1553,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 
 ike_sa_id = ike_sa->get_id(ike_sa);
 my_id = ike_sa->get_my_id(ike_sa);
-other_id = ike_sa->get_other_eap_id(ike_sa);
+other_id = ike_sa->get_other_id(ike_sa);
 other = ike_sa->get_other_host(ike_sa);
 
 DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
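Review bot: The changed assignment makes the manager's identity index key on the peer's IKE identity instead of its XAuth/EAP identity, so every create_id_enumerator() caller must now pass the same kind of identity; check_uniqueness in the next hunk and adopt_children_job (the hunk containing `charon->ike_sa_manager, my_id, other_id,`) do, but any caller outside this patch would silently stop finding matches. The ike_sa_manager.h hunk drops the sentence that described the key rather than replacing it; state the new contract there, e.g. ` * The remote peer is identified by its IKE identity (get_other_id()), not by its XAuth/EAP identity.` A matching one-line comment above the assignment, `/* index by IKE identity; must match what create_id_enumerator() callers pass */`, would tie the two together. The checkin method continues outside the hunk.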
@@ -1782,7 +1782,7 @@ METHOD(ike_sa_manager_t, check_uniquenes
 return FALSE;
 }
 me = ike_sa->get_my_id(ike_sa);
-other = ike_sa->get_other_eap_id(ike_sa);
+other = ike_sa->get_other_id(ike_sa);
 other_host = ike_sa->get_other_host(ike_sa);
 
 enumerator = create_id_enumerator(this, me, other,
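Review bot: Keying check_uniqueness on get_other_id() changes what `uniqueids` enforces: duplicates are now detected per IKE identity (with xauthrsasig, the certificate-authenticated identity) rather than per XAuth user, so two users presenting the same IKE identity — a shared group certificate, or a deployment whose IKE identity is less specific than the XAuth name — would be treated as one peer, and under uniqueids=replace one would tear down the other's SA. That is probably the intent for the per-certificate setup described in the post, but it should be a deliberate, documented choice, e.g. `/* uniqueness is enforced per IKE (certificate) identity, not per XAuth/EAP identity */` above the changed line. The method's opening lines are outside the hunk.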
--- strongswan-5.1.0/src/libcharon/sa/ikev1/tasks/mode_config.c.orig2013-09-18 11:31:31.586565089 -0700
+++ strongswan-5.1.0/src/libcharon/sa/ikev1/tasks/mode_config.c2013-09-18 11:30:52.487516386 -0700
@@ -322,7 +322,7 @@ METHOD(task_t, build_r, status_t,
 
 cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
 
-id = this->ike_sa->get_other_eap_id(this->ike_sa);
+id = this->ike_sa->get_other_id(this->ike_sa);
 config = this->ike_sa->get_peer_cfg(this->ike_sa);
 
vips = linked_list_create();
 pools = linked_list_create_from_enumerator(
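Review bot: Pool leases are acquired here under get_other_id(), so the identity used on release must be exactly the same or leases are never returned; this patch changes the IKEv2 acquire in ike_config.c (the hunk with `id = this->ike_sa->get_other_id(this->ike_sa);` there) and the release in ike_sa.c destroy (the hunk with `id = get_other_id(this);`) consistently, but if any acquire or release site outside this patch still uses get_other_eap_id(), a lease would be held under one identity and released under another. If the pool hands the same address back to a returning identity, as strongSwan's mem_pool appears to, that reuse now follows the certificate identity, so peers sharing one IKE identity would compete for a single lease. A comment on the changed line, `/* lease keyed on IKE identity; must match release_address() in ike_sa.c */`, would keep the three sites from drifting apart. build_r continues outside the hunk.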
--- strongswan-5.1.0/src/libcharon/sa/ikev2/tasks/ike_config.c.orig2013-09-18 14:24:55.321171406 -0700
+++ strongswan-5.1.0/src/libcharon/sa/ikev2/tasks/ike_config.c2013-09-18 14:25:11.272970865 -0700
@@ -339,7 +339,7 @@ METHOD(task_t, build_r, status_t,
 linked_list_t *vips, *pools;
 host_t *requested;
 
-id = this->ike_sa->get_other_eap_id(this->ike_sa);
+id = this->ike_sa->get_other_id(this->ike_sa);
 config = this->ike_sa->get_peer_cfg(this->ike_sa);
 vips = linked_list_create();
 pools = linked_list_create_from_enumerator(
--- strongswan-5.1.0/src/libcharon/sa/ike_sa.c.orig2013-09-18 11:25:41.996247839 -0700
+++ strongswan-5.1.0/src/libcharon/sa/ike_sa.c2013-09-18 11:26:13.263480953 -0700
@@ -2163,7 +2163,7 @@ METHOD(ike_sa_t, destroy, void,
 linked_list_t *pools;
 
identification_t *id;
 
-id = get_other_eap_id(this);
+id = get_other_id(this);
 pools = linked_list_create_from_enumerator(
 this->peer_cfg->create_pool_enumerator(this->peer_cfg));
 hydra->attributes->release_address(hydra->attributes, pools, vip, id);
--- strongswan-5.1.0/src/libcharon/processing/jobs/adopt_children_job.c.orig2013-09-18 11:26:52.534613495 -0700
+++ strongswan-5.1.0/src/libcharon/processing/jobs/adopt_children_job.c2013-09-19 10:41:23.070404979 -0700
@@ -77,7 +77,7 @@ METHOD(job_t, execute, job_requeue_t,
 /* find old SA to adopt children from */
 children = linked_list_create();
 enumerator = charon->ike_sa_manager->create_id_enumerator(
-charon->ike_sa_manager, my_id, xauth,
+charon->ike_sa_manager, my_id, other_id,
 other->get_family(other));
 
while (enumerator->enumerate(enumerator, &id))
 {
@@ -92,7 +92,7 @@ METHOD(job_t, execute, job_requeue_t,
  ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&
 me->equals(me, ike_sa->get_my_host(ike_sa)) &&
 other->equals(other, ike_sa->get_other_host(ike_sa)) &&
-other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) &&
+xauth->equals(xauth, ike_sa->get_other_eap_id(ike_sa)) &&
 cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))
 {
 childenum = ike_sa->create_child_sa_enumerator(ike_sa);
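Review bot: The rewritten condition dereferences `xauth` via `xauth->equals(...)` where the original dereferenced `other_id`; both are assigned before the hunk, so confirm `xauth` can never be NULL here — in 5.1.0 get_other_eap_id() appears to fall back to the IKE identity when no XAuth/EAP identity was exchanged, which would make this safe, but without that fallback the match would crash on an SA established without XAuth. Together with the enumerator change in the previous hunk the net requirement is preserved (the old SA must match on both the IKE identity, via the manager index, and the XAuth identity), which is worth recording on the condition, e.g. `/* manager index matched the IKE identity; also require the same XAuth identity */`. execute() begins and ends outside the hunk.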

