Added support for the ipsec.conf aaa_identity keyword

author Martin Willi <martin@revosec.ch>

Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)

committer Martin Willi <martin@revosec.ch>

Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)
author Martin Willi <martin@revosec.ch>
Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)
committer Martin Willi <martin@revosec.ch>
Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c

index 617069432bc11470e458406dca6a53c27f4f8c89..b35bbbfe195da4541ca44b63ba46a20bcbcb4747 100644 (file)
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -502,6 +502,11 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                         }
                         cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
                 }
+               if (msg->add_conn.aaa_identity)
+               {
+                       cfg->add(cfg, AUTH_RULE_AAA_IDENTITY,
+                               identification_create_from_string(msg->add_conn.aaa_identity));
+               }
         }
         else
         {
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c

index 974dbd5d8406640df1add9802ca15b46269ecdad..06a636a7dc1580e61955880d7011149641c77f80 100644 (file)
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -180,11 +180,13 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
         pop_end(msg, "left", &msg->add_conn.me);
         pop_end(msg, "right", &msg->add_conn.other);
         pop_string(msg, &msg->add_conn.eap_identity);
+       pop_string(msg, &msg->add_conn.aaa_identity);
         pop_string(msg, &msg->add_conn.algorithms.ike);
         pop_string(msg, &msg->add_conn.algorithms.esp);
         pop_string(msg, &msg->add_conn.ikeme.mediated_by);
         pop_string(msg, &msg->add_conn.ikeme.peerid);
         DBG2(DBG_CFG, "  eap_identity=%s", msg->add_conn.eap_identity);
+       DBG2(DBG_CFG, "  aaa_identity=%s", msg->add_conn.aaa_identity);
         DBG2(DBG_CFG, "  ike=%s", msg->add_conn.algorithms.ike);
         DBG2(DBG_CFG, "  esp=%s", msg->add_conn.algorithms.esp);
         DBG2(DBG_CFG, "  mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
diff --git a/src/starter/args.c b/src/starter/args.c

index ab6b605096600dffb6037e72bda8bcd9d56c2664..37d60028363ba6e5f1191f75c9f240d80d4419d5 100644 (file)
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -208,6 +208,7 @@ static const token_info_t token_info[] =
         { ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
         { ARG_MISC, 0, NULL  /* KW_EAP */                                              },
         { ARG_STR,  offsetof(starter_conn_t, eap_identity), NULL                       },
+       { ARG_STR,  offsetof(starter_conn_t, aaa_identity), NULL                       },
         { ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
         { ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
         { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
diff --git a/src/starter/confread.h b/src/starter/confread.h

index 5e4356ea3fd6a34b052b5e4fc40377c9875fed2f..3bbff64664a1e8f3e1029d4176410ad1f4b921ba 100644 (file)
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -117,6 +117,7 @@ struct starter_conn {
                 u_int32_t       eap_type;
                 u_int32_t       eap_vendor;
                 char            *eap_identity;
+               char            *aaa_identity;
                 char            *xauth_identity;
                 lset_t          policy;
                 time_t          sa_ike_life_seconds;
diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in

index 0f87f6b219eab9325f6e96e26413cb12cdbd736a..de19cec29c0865db5d38f5bc400b8fa734b6ec10 100644 (file)
--- a/src/starter/ipsec.conf.5.in
+++ b/src/starter/ipsec.conf.5.in
@@ -228,6 +228,11 @@ Unless otherwise noted, for a connection to work,
  in general it is necessary for the two ends to agree exactly
  on the values of these parameters.
  .TP 14
+.B aaa_identity
+defines the identity of the AAA backend used during IKEv2 EAP authentication.
+This is required if the EAP client uses a method that verifies the server
+identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
+.TP
  .B ah
  AH authentication algorithm to be used
  for the connection, e.g.
diff --git a/src/starter/keywords.h b/src/starter/keywords.h

index 25d2ce4b9c2176fa52157f3a1d3565cc68da7a07..0c78b8c4b1e9fd10985d77c47d286bbccfd61192 100644 (file)
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -71,6 +71,7 @@ typedef enum {
         KW_AUTHBY,
         KW_EAP,
         KW_EAP_IDENTITY,
+       KW_AAA_IDENTITY,
         KW_MOBIKE,
         KW_FORCEENCAPS,
         KW_IKELIFETIME,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt

index fcdc60cffc35149df3c4a3a9e8a62185d21b3ad6..06705635adcc99249d4a8ea656dcb25e1b9b9525 100644 (file)
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -49,6 +49,7 @@ force_keepalive,   KW_FORCE_KEEPALIVE
  virtual_private,   KW_VIRTUAL_PRIVATE
  eap,               KW_EAP
  eap_identity,      KW_EAP_IDENTITY
+aaa_identity,      KW_AAA_IDENTITY
  mobike,                   KW_MOBIKE
  forceencaps,       KW_FORCEENCAPS
  pkcs11module,      KW_PKCS11MODULE
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c

index 9c69ab9e5b20dc9ac640c334e99ba442dbf81086..32b373b2d26e722be88c8cb2e3aa73f12320ee39 100644 (file)
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -223,6 +223,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
         msg.add_conn.eap_type = conn->eap_type;
         msg.add_conn.eap_vendor = conn->eap_vendor;
         msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
+       msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
  
         if (conn->policy & POLICY_TUNNEL)
         {
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h

index 9e2300d05dc88dbf68648e26b64b8fe40dd5cca2..9466cf0b0ebe806ab67c5d0023b861929cbc46ba 100644 (file)
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -232,6 +232,7 @@ struct stroke_msg_t {
                         u_int32_t eap_type;
                         u_int32_t eap_vendor;
                         char *eap_identity;
+                       char *aaa_identity;
                         int mode;
                         int mobike;
                         int force_encap;
author	Martin Willi <martin@revosec.ch>
	Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)
committer	Martin Willi <martin@revosec.ch>
	Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)
src/libcharon/plugins/stroke/stroke_config.c		patch \| blob \| blame \| history
src/libcharon/plugins/stroke/stroke_socket.c		patch \| blob \| blame \| history
src/starter/args.c		patch \| blob \| blame \| history
src/starter/confread.h		patch \| blob \| blame \| history
src/starter/ipsec.conf.5.in		patch \| blob \| blame \| history
src/starter/keywords.h		patch \| blob \| blame \| history
src/starter/keywords.txt		patch \| blob \| blame \| history
src/starter/starterstroke.c		patch \| blob \| blame \| history
src/stroke/stroke_msg.h		patch \| blob \| blame \| history