make an optional XAUTH user ID available in the updown script
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 8 Jun 2010 15:50:22 +0000 (17:50 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 8 Jun 2010 15:50:22 +0000 (17:50 +0200)
src/_updown/_updown.in
src/_updown_espmark/_updown_espmark
src/pluto/kernel.c

index 2cc3116..b3c0b83 100644 (file)
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
 #              restricted on the peer side.
 #
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
 #              restricted on the peer side.
 #
+#              PLUTO_XAUTH_USER
+#                              is an optional user ID employed by the XAUTH protocol
+#
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
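Review bot: The new comment block does not say when PLUTO_XAUTH_USER is present in the environment: the src/pluto/kernel.c hunk of this same commit emits the assignment only when the connection carries an XAUTH identity whose type is not ID_ANY, and otherwise contributes an empty string, so the variable is unset rather than empty. A script author testing the value needs that distinction. Extend the description to `#                              is an optional user ID employed by the XAUTH protocol;` followed by `#                              unset if the connection has no XAUTH identity`. The same wording applies to the matching hunk in src/_updown_espmark/_updown_espmark.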
index 74de072..163ef55 100644 (file)
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
 #              restricted on the peer side.
 #
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
 #              restricted on the peer side.
 #
+#              PLUTO_XAUTH_USER
+#                              is an optional user ID employed by the XAUTH protocol
 
 # logging of VPN connections
 #
 
 # logging of VPN connections
 #
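Review bot: The added comment block in this section stops without the `#` separator line that the surrounding entries end with (the port description just above closes with a bare `#`), and that the parallel hunk in src/_updown/_updown.in does add. Append `#` after the `is an optional user ID employed by the XAUTH protocol` line so the two scripts' header comments stay in step and the entry is visually separated from the following blank line and PATH section.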
index 79ba3aa..d17489d 100644 (file)
@@ -464,9 +464,11 @@ static bool do_command(connection_t *c, struct spd_route *sr,
                        peerclientnet_str[ADDRTOT_BUF],
                        peerclientmask_str[ADDRTOT_BUF],
                        peerca_str[BUF_LEN],
                        peerclientnet_str[ADDRTOT_BUF],
                        peerclientmask_str[ADDRTOT_BUF],
                        peerca_str[BUF_LEN],
+                       xauth_user_str[BUF_LEN] = "",
                        secure_myid_str[BUF_LEN] = "",
                        secure_peerid_str[BUF_LEN] = "",
                        secure_myid_str[BUF_LEN] = "",
                        secure_peerid_str[BUF_LEN] = "",
-                       secure_peerca_str[BUF_LEN] = "";
+                       secure_peerca_str[BUF_LEN] = "",
+                       secure_xauth_user_str[BUF_LEN] = "";
                ip_address ta;
                pubkey_list_t *p;
 
                ip_address ta;
                pubkey_list_t *p;
 
@@ -503,6 +505,15 @@ static bool do_command(connection_t *c, struct spd_route *sr,
                maskof(&sr->this.client, &ta);
                addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
 
                maskof(&sr->this.client, &ta);
                addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
 
+               if (c->xauth_identity &&
+                       c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
+               {
+                       snprintf(xauth_user_str, sizeof(xauth_user_str),
+                                        "PLUTO_XAUTH_USER='%Y' ", c->xauth_identity);
+                       escape_metachar(xauth_user_str, secure_xauth_user_str,
+                                        sizeof(secure_xauth_user_str));
+               }
+
                addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
                snprintf(peerid_str, sizeof(peerid_str), "%Y", sr->that.id);
                escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
                addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
                snprintf(peerid_str, sizeof(peerid_str), "%Y", sr->that.id);
                escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
@@ -560,6 +571,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
                        "PLUTO_PEER_PROTOCOL='%u' "
                        "PLUTO_PEER_CA='%s' "
                        "%s"        /* optional PLUTO_MY_SRCIP */
                        "PLUTO_PEER_PROTOCOL='%u' "
                        "PLUTO_PEER_CA='%s' "
                        "%s"        /* optional PLUTO_MY_SRCIP */
+                       "%s"        /* optional PLUTO_XAUTH_USER */
                        "%s"        /* actual script */
                        , verb, verb_suffix
                        , c->name
                        "%s"        /* actual script */
                        , verb, verb_suffix
                        , c->name
@@ -583,6 +595,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
                        , sr->that.protocol
                        , secure_peerca_str
                        , srcip_str
                        , sr->that.protocol
                        , secure_peerca_str
                        , srcip_str
+                       , secure_xauth_user_str
                        , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
                {
                        loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
                        , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
                {
                        loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
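Review bot: In the second hunk the escaping is applied to the whole `PLUTO_XAUTH_USER='...' ` assignment rather than to the identity alone, so the variable name and the enclosing single quotes pass through escape_metachar together with the peer-supplied identity; this differs from the PLUTO_PEER_ID path two lines below, where only the `%Y` output is escaped and the quotes come from the format string. If escape_metachar rewrites `'` (which it must for the existing path to make a quoted value safe), the wrapper's own quotes are mangled and the command line handed to the shell is malformed or mis-parsed. Escape the bare identity first and add the wrapper afterwards, as below, then pass the wrapped buffer in the fourth hunk, i.e. `, xauth_user_str` in place of `, secure_xauth_user_str`. do_command begins and ends outside these hunks.
```c
		if (c->xauth_identity &&
			c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
		{
			/* escape only the identity, then quote it the same way as PLUTO_PEER_ID */
			snprintf(xauth_user_str, sizeof(xauth_user_str), "%Y", c->xauth_identity);
			escape_metachar(xauth_user_str, secure_xauth_user_str,
							 sizeof(secure_xauth_user_str));
			snprintf(xauth_user_str, sizeof(xauth_user_str),
					 "PLUTO_XAUTH_USER='%s' ", secure_xauth_user_str);
		}
```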