From: Heiko Hund
Date: Tue, 8 Jun 2010 10:15:42 +0000 (+0200)
Subject: inherit XAUTH identities in Phase 2
X-Git-Tag: 4.4.1~170
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=52ee8131561e2fb2c1ea4ea9e8e55a291a7d4c0c;p=thirdparty%2Fstrongswan.git

inherit XAUTH identities in Phase 2
---

diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index e506d71bce..e796ef7980 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -1944,14 +1944,13 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 bool has_client = c->spd.this.has_client || c->spd.that.has_client ||
 c->spd.this.protocol || c->spd.that.protocol ||
 c->spd.this.port || c->spd.that.port;
- bool send_natoa = FALSE;
 u_int8_t np = ISAKMP_NEXT_NONE;
+ connection_t *ph1_c = isakmp_sa->st_connection;
 if (c->spd.this.modecfg && !c->spd.this.has_client &&
 c->spd.this.host_srcip->is_anyaddr(c->spd.this.host_srcip))
 {
- connection_t *ph1_c = isakmp_sa->st_connection;
 host_t * ph1_srcip = ph1_c->spd.this.host_srcip;
 if (ph1_c->spd.this.modecfg && !ph1_srcip->is_anyaddr(ph1_srcip))
@@ -1964,6 +1963,16 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 }
 }
+ if (ph1_c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
+ ph1_c->xauth_identity)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("inheriting XAUTH identity %Y", ph1_c->xauth_identity)
+ )
+ DESTROY_IF(c->xauth_identity);
+ c->xauth_identity = ph1_c->xauth_identity->clone(ph1_c->xauth_identity);
+ }
+
 st->st_whack_sock = whack_sock;
 st->st_connection = c;
 set_cur_state(st); /* we must reset before exit */
@@ -4888,6 +4897,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 * instantiate, carrying over authenticated peer ID
 */
 host_t *vip = c->spd.that.host_srcip;
+ identification_t *xauth_id = c->xauth_identity;
 p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
 , his_net, c->spd.that.id);
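Review bot: The inheritance block added to quick_outI1() (hunk at -1964) destroys `c->xauth_identity` before it clones `ph1_c->xauth_identity`, and nothing in the hunk rules out `c` and `isakmp_sa->st_connection` being the same connection object; in that case the DESTROY_IF frees the very identification_t that the next line dereferences, and as far as I can tell DESTROY_IF only calls destroy() and leaves the stale pointer in place. Cloning first removes the hazard regardless of aliasing: `identification_t *xauth_id = ph1_c->xauth_identity->clone(ph1_c->xauth_identity);` / `DESTROY_IF(c->xauth_identity);` / `c->xauth_identity = xauth_id;` (or skip the block entirely when `c == ph1_c`, since the identity is then already in place). The same destroy-then-clone ordering is used in quick_inI1_outR1_tail() (hunk at -4904), where `xauth_id` is read from `c` and `p` is a fresh instance, so the aliasing risk is lower there. As a matter of style, the mixed `&` / `&&` condition reads more safely with the bitwise test parenthesized, `if ((ph1_c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK)) && ph1_c->xauth_identity)`, in both hunks. quick_outI1() starts before and continues after this hunk.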
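Review bot: The new `identification_t *xauth_id = c->xauth_identity;` in quick_inI1_outR1_tail() (hunk at -4888) is a borrowed pointer into `c` that is only consumed in a later hunk, and nothing at the declaration says so, which makes it easy to misread as an owned copy that needs destroying. A one-line comment would fix that, e.g. `/* borrowed from c; cloned into the new instance below, never freed here */`. The enclosing function starts before and continues after this hunk.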
@@ -4904,6 +4914,16 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 p->spd.that.client = c->spd.that.client;
 p->spd.that.has_client = TRUE;
 }
+
+ if (c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
+ xauth_id)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("inheriting XAUTH identity %Y", xauth_id)
+ )
+ DESTROY_IF(p->xauth_identity);
+ p->xauth_identity = xauth_id->clone(xauth_id);
+ }
 }
 }
 #ifdef DEBUG
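Review bot: `DESTROY_IF(p->xauth_identity);` runs on the connection that rw_instantiate() just returned, and whether `p->xauth_identity` at that point is an identity owned by the new instance or a pointer shared with the template is not visible in this hunk; if the instantiation copies the struct without deep-cloning xauth_identity, this DESTROY_IF frees the template's object and leaves the template with a dangling pointer. Please confirm against instantiate() in connections.c and either drop the DESTROY_IF when the instance never owns an identity at this point, or record the invariant with a comment such as `/* instance owns its own xauth_identity clone (see instantiate()), safe to replace */`. The enclosing function starts before this hunk.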