make an optional XAUTH user ID available in the updown script

diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 2cc311665101edeec74be9b25669161a35113db0..b3c0b83abe396395addb16b7299db72bf4c9a9e8 100644 (file)
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -115,6 +115,9 @@
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
 #              restricted on the peer side.
 #
+#              PLUTO_XAUTH_USER
+#                              is an optional user ID employed by the XAUTH protocol
+#
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"

diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark
index 74de0722d2ec0991d62b69278d08af05891b6bcb..163ef557b313c48eb538969688b626124fb2ccd8 100644 (file)
--- a/src/_updown_espmark/_updown_espmark
+++ b/src/_updown_espmark/_updown_espmark
@@ -115,6 +115,8 @@
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
 #              restricted on the peer side.
 #
+#              PLUTO_XAUTH_USER
+#                              is an optional user ID employed by the XAUTH protocol
 
 # logging of VPN connections
 #

diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 79ba3aa579885e41841f187c43b172744cef1716..d17489d9aaac21fe44dfff1b8b20decf3c3ddb02 100644 (file)
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -464,9 +464,11 @@ static bool do_command(connection_t *c, struct spd_route *sr,
                        peerclientnet_str[ADDRTOT_BUF],
                        peerclientmask_str[ADDRTOT_BUF],
                        peerca_str[BUF_LEN],
+                       xauth_user_str[BUF_LEN] = "",
                        secure_myid_str[BUF_LEN] = "",
                        secure_peerid_str[BUF_LEN] = "",
-                       secure_peerca_str[BUF_LEN] = "";
+                       secure_peerca_str[BUF_LEN] = "",
+                       secure_xauth_user_str[BUF_LEN] = "";
                ip_address ta;
                pubkey_list_t *p;
 
@@ -503,6 +505,15 @@ static bool do_command(connection_t *c, struct spd_route *sr,
                maskof(&sr->this.client, &ta);
                addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
 
+               if (c->xauth_identity &&
+                       c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
+               {
+                       snprintf(xauth_user_str, sizeof(xauth_user_str),
+                                        "PLUTO_XAUTH_USER='%Y' ", c->xauth_identity);
+                       escape_metachar(xauth_user_str, secure_xauth_user_str,
+                                        sizeof(secure_xauth_user_str));
+               }
+
                addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
                snprintf(peerid_str, sizeof(peerid_str), "%Y", sr->that.id);
                escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
@@ -560,6 +571,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
                        "PLUTO_PEER_PROTOCOL='%u' "
                        "PLUTO_PEER_CA='%s' "
                        "%s"        /* optional PLUTO_MY_SRCIP */
+                       "%s"        /* optional PLUTO_XAUTH_USER */
                        "%s"        /* actual script */
                        , verb, verb_suffix
                        , c->name
@@ -583,6 +595,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
                        , sr->that.protocol
                        , secure_peerca_str
                        , srcip_str
+                       , secure_xauth_user_str
                        , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
                {
                        loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);