Add an ipsec.conf leftgroups2 parameter for the second authentication round
authorMartin Willi <martin@revosec.ch>
Thu, 26 Jul 2012 09:49:46 +0000 (11:49 +0200)
committerMartin Willi <martin@revosec.ch>
Thu, 26 Jul 2012 09:51:58 +0000 (11:51 +0200)
man/ipsec.conf.5.in
src/libcharon/plugins/stroke/stroke_config.c
src/libcharon/plugins/stroke/stroke_socket.c
src/starter/args.c
src/starter/confread.h
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterstroke.c
src/stroke/stroke_msg.h

index a51ae40..1f88761 100644 (file)
@@ -622,6 +622,12 @@ a comma separated list of group names. If the
 parameter is present then the peer must be a member of at least one
 of the groups defined by the parameter.
 .TP
+.BR leftgroups2 " = <group list>"
+Same as
+.B leftgroups,
+but for the second authentication round defined with
+.B leftauth2.
+.TP
 .BR lefthostaccess " = yes | " no
 inserts a pair of INPUT and OUTPUT iptables rules using the default
 \fBipsec _updown\fR script, thus allowing access to the host itself
index da0d2a7..8657c3b 100644 (file)
@@ -365,7 +365,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 {
        identification_t *identity;
        certificate_t *certificate;
-       char *auth, *id, *pubkey, *cert, *ca;
+       char *auth, *id, *pubkey, *cert, *ca, *groups;
        stroke_end_t *end, *other_end;
        auth_cfg_t *cfg;
 
@@ -491,12 +491,13 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
        }
 
        /* groups */
-       if (end->groups)
+       groups = primary ? end->groups : end->groups2;
+       if (groups)
        {
                enumerator_t *enumerator;
                char *group;
 
-               enumerator = enumerator_create_token(end->groups, ",", " ");
+               enumerator = enumerator_create_token(groups, ",", " ");
                while (enumerator->enumerate(enumerator, &group))
                {
                        cfg->add(cfg, AUTH_RULE_GROUP,
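Review bot: Line 45 narrows the group constraint so that a non-primary round is gated only by groups2, whereas the replaced `if (end->groups)` applied leftgroups to every auth_cfg this function built as far as the hunk shows; a configuration that today relies on leftgroups to restrict a leftauth2 round silently loses that restriction after this change unless leftgroups2 is added. If the loosening is intended, the man page entry added in this commit should state that leftgroups no longer covers the second round; if not, `groups = primary ? end->groups : (end->groups2 ? end->groups2 : end->groups);` keeps the old behaviour as a fallback. The `/* groups */` comment could also name the selection, e.g. `/* groups: leftgroups for the first round, leftgroups2 for the second */`. `primary` is presumably a parameter of build_auth_cfg; neither its declaration nor the rest of the function is inside the hunk.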
index 698c45e..6bf65cc 100644 (file)
@@ -181,6 +181,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
        pop_string(msg, &end->ca);
        pop_string(msg, &end->ca2);
        pop_string(msg, &end->groups);
+       pop_string(msg, &end->groups2);
        pop_string(msg, &end->cert_policy);
        pop_string(msg, &end->updown);
 
@@ -197,6 +198,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
        DBG2(DBG_CFG, "  %sca=%s", label, end->ca);
        DBG2(DBG_CFG, "  %sca2=%s", label, end->ca2);
        DBG2(DBG_CFG, "  %sgroups=%s", label, end->groups);
+       DBG2(DBG_CFG, "  %sgroups2=%s", label, end->groups2);
        DBG2(DBG_CFG, "  %supdown=%s", label, end->updown);
 }
 
index 96b5e80..640cc43 100644 (file)
@@ -203,6 +203,7 @@ static const token_info_t token_info[] =
        { ARG_STR,  offsetof(starter_end_t, ca), NULL                                  },
        { ARG_STR,  offsetof(starter_end_t, ca2), NULL                                 },
        { ARG_STR,  offsetof(starter_end_t, groups), NULL                              },
+       { ARG_STR,  offsetof(starter_end_t, groups2), NULL                             },
        { ARG_MISC, 0, NULL  /* KW_END_DEPRECATED */                                   },
 };
 
index ea59d44..0c28422 100644 (file)
@@ -97,6 +97,7 @@ struct starter_end {
                char            *ca;
                char            *ca2;
                char            *groups;
+               char            *groups2;
                char            *cert_policy;
                char            *host;
                u_int           ikeport;
index 9dac6a8..bd9affe 100644 (file)
@@ -114,6 +114,7 @@ typedef enum {
        KW_CA,
        KW_CA2,
        KW_GROUPS,
+       KW_GROUPS2,
        KW_END_DEPRECATED,
 
 #define KW_END_FIRST    KW_HOST
@@ -142,6 +143,7 @@ typedef enum {
        KW_LEFTCA,
        KW_LEFTCA2,
        KW_LEFTGROUPS,
+       KW_LEFTGROUPS2,
        KW_LEFT_DEPRECATED,
 
 #define KW_LEFT_FIRST   KW_LEFT
@@ -170,6 +172,7 @@ typedef enum {
        KW_RIGHTCA,
        KW_RIGHTCA2,
        KW_RIGHTGROUPS,
+       KW_RIGHTGROUPS2,
        KW_RIGHT_DEPRECATED,
 
 #define KW_RIGHT_FIRST  KW_RIGHT
index 2716f21..30d89f9 100644 (file)
@@ -102,6 +102,7 @@ leftsendcert,      KW_LEFTSENDCERT
 leftca,            KW_LEFTCA
 leftca2,           KW_LEFTCA2
 leftgroups,        KW_LEFTGROUPS
+leftgroups2,       KW_LEFTGROUPS2
 right,             KW_RIGHT
 rightikeport,      KW_RIGHTIKEPORT
 rightsubnet,       KW_RIGHTSUBNET
@@ -125,6 +126,7 @@ rightsendcert,     KW_RIGHTSENDCERT
 rightca,           KW_RIGHTCA
 rightca2,          KW_RIGHTCA2
 rightgroups,       KW_RIGHTGROUPS
+rightgroups2,      KW_RIGHTGROUPS2
 also,              KW_ALSO
 auto,              KW_AUTO
 # deprecated/removed keywords
index 26ac5da..0fbc5d2 100644 (file)
@@ -127,6 +127,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
        msg_end->ca = push_string(msg, conn_end->ca);
        msg_end->ca2 = push_string(msg, conn_end->ca2);
        msg_end->groups = push_string(msg, conn_end->groups);
+       msg_end->groups2 = push_string(msg, conn_end->groups2);
        msg_end->updown = push_string(msg, conn_end->updown);
        if (conn_end->host)
        {
index cc0819f..95de7d6 100644 (file)
@@ -152,6 +152,7 @@ struct stroke_end_t {
        char *ca;
        char *ca2;
        char *groups;
+       char *groups2;
        char *cert_policy;
        char *updown;
        char *address;
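Review bot: Adding `groups2` to stroke_end_t changes the layout of the message that starter fills in starter_stroke_add_end and charon unpacks in pop_end (the push_string/pop_string pairs in the other hunks), so a starter and a charon built from different revisions would presumably disagree about where each string lives unless the message carries a format check that is not visible here. The member is inserted between `groups` and `cert_policy` rather than appended, so the positions of cert_policy, updown and address shift as well. A short comment on the new member would help the next reader match it to the keyword, e.g. `char *groups2; /* group list for the second authentication round (leftgroups2) */`. The struct definition continues outside the hunk.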