From: Martin Willi
Date: Thu, 26 Jul 2012 09:49:46 +0000 (+0200)
Subject: Add an ipsec.conf leftgroups2 parameter for the second authentication round
X-Git-Tag: 5.0.1~255
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=46df61dff7b21b2c3bbe49f352dcb1e1f3c29a72;p=thirdparty%2Fstrongswan.git

Add an ipsec.conf leftgroups2 parameter for the second authentication round
---
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index a51ae40cfc..1f88761bec 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -622,6 +622,12 @@ a comma separated list of group names. If the parameter is present then the peer must be a member of at least one of the groups defined by the parameter.
 .TP
+.BR leftgroups2 " = "
+Same as
+.B leftgroups,
+but for the second authentication round defined with
+.B leftauth2.
+.TP
 .BR lefthostaccess " = yes | " no
 inserts a pair of INPUT and OUTPUT iptables rules using the default \fBipsec _updown\fR script, thus allowing access to the host itself
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index da0d2a74dc..8657c3b263 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -365,7 +365,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 {
 identification_t *identity;
 certificate_t *certificate;
- char *auth, *id, *pubkey, *cert, *ca;
+ char *auth, *id, *pubkey, *cert, *ca, *groups;
 stroke_end_t *end, *other_end;
 auth_cfg_t *cfg;

@@ -491,12 +491,13 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 }

 /* groups */
- if (end->groups)
+ groups = primary ? end->groups : end->groups2;
+ if (groups)
 {
 enumerator_t *enumerator;
 char *group;

- enumerator = enumerator_create_token(end->groups, ",", " ");
+ enumerator = enumerator_create_token(groups, ",", " ");
 while (enumerator->enumerate(enumerator, &group))
 {
 cfg->add(cfg, AUTH_RULE_GROUP,
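Review bot: `groups = primary ? end->groups : end->groups2;` changes what the second authentication round is constrained by: the removed `if (end->groups)` applied the leftgroups rule on every call, while the new code applies it only when `primary` is set, so an existing configuration that paired leftgroups with leftauth2 loses its AUTH_RULE_GROUP on the second round until leftgroups2 is added. That is a relaxation of an authorization check rather than a tightening, and neither this hunk nor the new man page entry states that leftgroups now covers the first round only. Whether build_auth_cfg really runs once per round is inferred from the `primary` selector; the function begins and ends outside this hunk. I would add `/* leftgroups applies to the first round only; the second round uses leftgroups2 */` above the assignment and repeat that sentence in the leftgroups entry of ipsec.conf.5, or, if the old behaviour is meant to survive for configs without leftgroups2, fall back with `groups = (primary || !end->groups2) ? end->groups : end->groups2;` and document that instead.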
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 698c45ed87..6bf65cc7e6 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -181,6 +181,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 pop_string(msg, &end->ca);
 pop_string(msg, &end->ca2);
 pop_string(msg, &end->groups);
+ pop_string(msg, &end->groups2);
 pop_string(msg, &end->cert_policy);
 pop_string(msg, &end->updown);

@@ -197,6 +198,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 DBG2(DBG_CFG, " %sca=%s", label, end->ca);
 DBG2(DBG_CFG, " %sca2=%s", label, end->ca2);
 DBG2(DBG_CFG, " %sgroups=%s", label, end->groups);
+ DBG2(DBG_CFG, " %sgroups2=%s", label, end->groups2);
 DBG2(DBG_CFG, " %supdown=%s", label, end->updown);
 }

diff --git a/src/starter/args.c b/src/starter/args.c
index 96b5e803dd..640cc43d6c 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -203,6 +203,7 @@ static const token_info_t token_info[] =
 { ARG_STR, offsetof(starter_end_t, ca), NULL },
 { ARG_STR, offsetof(starter_end_t, ca2), NULL },
 { ARG_STR, offsetof(starter_end_t, groups), NULL },
+ { ARG_STR, offsetof(starter_end_t, groups2), NULL },
 { ARG_MISC, 0, NULL /* KW_END_DEPRECATED */ },
 };

diff --git a/src/starter/confread.h b/src/starter/confread.h
index ea59d44b52..0c284229ba 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -97,6 +97,7 @@ struct starter_end {
 char *ca;
 char *ca2;
 char *groups;
+ char *groups2;
 char *cert_policy;
 char *host;
 u_int ikeport;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 9dac6a8208..bd9affe6c3 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -114,6 +114,7 @@ typedef enum {
 KW_CA,
 KW_CA2,
 KW_GROUPS,
+ KW_GROUPS2,
 KW_END_DEPRECATED,

 #define KW_END_FIRST KW_HOST
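Review bot: The new `{ ARG_STR, offsetof(starter_end_t, groups2), NULL },` entry in token_info is located purely by position, and the trailing `/* KW_END_DEPRECATED */` comment suggests the table is walked in step with the KW_* enum in keywords.h; if this insertion point ever drifts from KW_GROUPS2, the keyword would silently be stored into a neighbouring field with no compile-time error. The same ordering dependency now lives in three places (keywords.h, keywords.txt and this table) and nothing in the hunk checks it. A comment on the entry such as `/* order must match the KW_* enum in keywords.h */` would make the coupling visible, and a static size check of the table against the enum range would catch a mismatch at build time, if the tree has such a macro. The token_info definition starts before this hunk.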
@@ -142,6 +143,7 @@ typedef enum {
 KW_LEFTCA,
 KW_LEFTCA2,
 KW_LEFTGROUPS,
+ KW_LEFTGROUPS2,
 KW_LEFT_DEPRECATED,

 #define KW_LEFT_FIRST KW_LEFT
@@ -170,6 +172,7 @@ typedef enum {
 KW_RIGHTCA,
 KW_RIGHTCA2,
 KW_RIGHTGROUPS,
+ KW_RIGHTGROUPS2,
 KW_RIGHT_DEPRECATED,

 #define KW_RIGHT_FIRST KW_RIGHT
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 2716f21f14..30d89f9247 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -102,6 +102,7 @@ leftsendcert, KW_LEFTSENDCERT
 leftca, KW_LEFTCA
 leftca2, KW_LEFTCA2
 leftgroups, KW_LEFTGROUPS
+leftgroups2, KW_LEFTGROUPS2
 right, KW_RIGHT
 rightikeport, KW_RIGHTIKEPORT
 rightsubnet, KW_RIGHTSUBNET
@@ -125,6 +126,7 @@ rightsendcert, KW_RIGHTSENDCERT
 rightca, KW_RIGHTCA
 rightca2, KW_RIGHTCA2
 rightgroups, KW_RIGHTGROUPS
+rightgroups2, KW_RIGHTGROUPS2
 also, KW_ALSO
 auto, KW_AUTO
 # deprecated/removed keywords
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 26ac5dafc9..0fbc5d2456 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -127,6 +127,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 msg_end->ca = push_string(msg, conn_end->ca);
 msg_end->ca2 = push_string(msg, conn_end->ca2);
 msg_end->groups = push_string(msg, conn_end->groups);
+ msg_end->groups2 = push_string(msg, conn_end->groups2);
 msg_end->updown = push_string(msg, conn_end->updown);
 if (conn_end->host)
 {
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index cc0819fdab..95de7d69b9 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -152,6 +152,7 @@ struct stroke_end_t {
 char *ca;
 char *ca2;
 char *groups;
+ char *groups2;
 char *cert_policy;
 char *updown;
 char *address;
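Review bot: Adding `char *groups2;` to stroke_end_t changes the layout of the message that starter fills in (starter_stroke_add_end) and charon unpacks (pop_end) across the stroke socket, and no version or size marker is touched in any hunk of this commit, so a starter and a charon built from different revisions would disagree on where cert_policy, updown and address sit. That is presumably the existing stroke design, with both halves installed together, and whether pop_string bounds-checks the offsets it resolves cannot be seen from these hunks, but the struct itself carries no warning about it. I would add `/* wire format shared with starter: both sides must be rebuilt together, and push/pop in starterstroke.c and stroke_socket.c kept in sync */` above the struct. stroke_end_t starts before this hunk.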