author | Martin Willi <martin@revosec.ch> | 2012-07-26 11:49:46 +0200 |
committer | Martin Willi <martin@revosec.ch> | 2012-07-26 11:51:58 +0200 |
commit | 46df61dff7b21b2c3bbe49f352dcb1e1f3c29a72 (patch) | |
tree | 85474750eec084e8bc8da1c2d9ccd60a781eaab3 | |
parent | 15f78beb0fbfde6c83b9446e5a1f001ce510e512 (diff) | |
download | strongswan-46df61dff7b21b2c3bbe49f352dcb1e1f3c29a72.tar.bz2 strongswan-46df61dff7b21b2c3bbe49f352dcb1e1f3c29a72.tar.xz |
Add an ipsec.conf leftgroups2 parameter for the second authentication round
-rw-r--r-- | man/ipsec.conf.5.in | 6 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 7 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_socket.c | 2 | ||||
-rw-r--r-- | src/starter/args.c | 1 | ||||
-rw-r--r-- | src/starter/confread.h | 1 | ||||
-rw-r--r-- | src/starter/keywords.h | 3 | ||||
-rw-r--r-- | src/starter/keywords.txt | 2 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 1 | ||||
-rw-r--r-- | src/stroke/stroke_msg.h | 1 |
9 files changed, 21 insertions, 3 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index a51ae40cf..1f88761be 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -622,6 +622,12 @@ a comma separated list of group names. If the parameter is present then the peer must be a member of at least one of the groups defined by the parameter.
 .TP
+.BR leftgroups2 " = <group list>"
+Same as
+.B leftgroups,
+but for the second authentication round defined with
+.B leftauth2.
+.TP
 .BR lefthostaccess " = yes | " no
 inserts a pair of INPUT and OUTPUT iptables rules using the default \fBipsec _updown\fR script, thus allowing access to the host itself
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index da0d2a74d..8657c3b26 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -365,7 +365,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 {
 	identification_t *identity;
 	certificate_t *certificate;
-	char *auth, *id, *pubkey, *cert, *ca;
+	char *auth, *id, *pubkey, *cert, *ca, *groups;
 	stroke_end_t *end, *other_end;
 	auth_cfg_t *cfg;
@@ -491,12 +491,13 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	}
 	/* groups */
-	if (end->groups)
+	groups = primary ? end->groups : end->groups2;
+	if (groups)
 	{
 		enumerator_t *enumerator;
 		char *group;
-		enumerator = enumerator_create_token(end->groups, ",", " ");
+		enumerator = enumerator_create_token(groups, ",", " ");
 		while (enumerator->enumerate(enumerator, &group))
 		{
 			cfg->add(cfg, AUTH_RULE_GROUP,
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 698c45ed8..6bf65cc7e 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
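Review bot: The second authentication round stops inheriting `leftgroups`: the removed `if (end->groups)` applied whatever `primary` was, while the new `groups = primary ? end->groups : end->groups2;` makes the non-primary round honour `leftgroups2` only. AUTH_RULE_GROUP is an authorization constraint, so a configuration that combined `leftgroups` with `leftauth2` and relied on the group check covering both rounds silently loses it for round two after this change. The man page hunk in ipsec.conf.5.in should say this explicitly, e.g. `The constraint given by leftgroups does not apply to the second round; use leftgroups2 for it.`, or, if the old coverage was meant to survive, keep it as a fallback with `groups = primary ? end->groups : (end->groups2 ? end->groups2 : end->groups);`. build_auth_cfg starts and ends outside the hunk, so whether it is actually invoked with `primary` false for the second round is inferred from the new selection rather than visible here.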
@@ -181,6 +181,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	pop_string(msg, &end->ca);
 	pop_string(msg, &end->ca2);
 	pop_string(msg, &end->groups);
+	pop_string(msg, &end->groups2);
 	pop_string(msg, &end->cert_policy);
 	pop_string(msg, &end->updown);
@@ -197,6 +198,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	DBG2(DBG_CFG, " %sca=%s", label, end->ca);
 	DBG2(DBG_CFG, " %sca2=%s", label, end->ca2);
 	DBG2(DBG_CFG, " %sgroups=%s", label, end->groups);
+	DBG2(DBG_CFG, " %sgroups2=%s", label, end->groups2);
 	DBG2(DBG_CFG, " %supdown=%s", label, end->updown);
 }
diff --git a/src/starter/args.c b/src/starter/args.c
index 96b5e803d..640cc43d6 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -203,6 +203,7 @@ static const token_info_t token_info[] =
 	{ ARG_STR, offsetof(starter_end_t, ca), NULL },
 	{ ARG_STR, offsetof(starter_end_t, ca2), NULL },
 	{ ARG_STR, offsetof(starter_end_t, groups), NULL },
+	{ ARG_STR, offsetof(starter_end_t, groups2), NULL },
 	{ ARG_MISC, 0, NULL /* KW_END_DEPRECATED */ },
 };
diff --git a/src/starter/confread.h b/src/starter/confread.h
index ea59d44b5..0c284229b 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -97,6 +97,7 @@ struct starter_end {
 	char *ca;
 	char *ca2;
 	char *groups;
+	char *groups2;
 	char *cert_policy;
 	char *host;
 	u_int ikeport;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 9dac6a820..bd9affe6c 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -114,6 +114,7 @@ typedef enum {
 	KW_CA,
 	KW_CA2,
 	KW_GROUPS,
+	KW_GROUPS2,
 	KW_END_DEPRECATED,
 #define KW_END_FIRST KW_HOST
@@ -142,6 +143,7 @@ typedef enum {
 	KW_LEFTCA,
 	KW_LEFTCA2,
 	KW_LEFTGROUPS,
+	KW_LEFTGROUPS2,
 	KW_LEFT_DEPRECATED,
 #define KW_LEFT_FIRST KW_LEFT
@@ -170,6 +172,7 @@ typedef enum {
 	KW_RIGHTCA,
 	KW_RIGHTCA2,
 	KW_RIGHTGROUPS,
+	KW_RIGHTGROUPS2,
 	KW_RIGHT_DEPRECATED,
 #define KW_RIGHT_FIRST KW_RIGHT
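Review bot: The new token_info entry for groups2 in args.c is positional — the trailing `/* KW_END_DEPRECATED */` comment on the ARG_MISC row shows the table is indexed by the KW_* enum — and nothing enforces that it stays in step with the KW_GROUPS2 position this commit adds to keywords.h. The commit keeps the two aligned, but a later insertion in only one of the files could bind a keyword to the wrong starter_end_t member without any compile-time complaint. Labelling the new row `{ ARG_STR, offsetof(starter_end_t, groups2), NULL }, /* KW_GROUPS2 */` (and ideally its neighbours) mirrors the existing convention and makes such a slip visible at review time.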
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 2716f21f1..30d89f924 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -102,6 +102,7 @@ leftsendcert, KW_LEFTSENDCERT
 leftca, KW_LEFTCA
 leftca2, KW_LEFTCA2
 leftgroups, KW_LEFTGROUPS
+leftgroups2, KW_LEFTGROUPS2
 right, KW_RIGHT
 rightikeport, KW_RIGHTIKEPORT
 rightsubnet, KW_RIGHTSUBNET
@@ -125,6 +126,7 @@ rightsendcert, KW_RIGHTSENDCERT
 rightca, KW_RIGHTCA
 rightca2, KW_RIGHTCA2
 rightgroups, KW_RIGHTGROUPS
+rightgroups2, KW_RIGHTGROUPS2
 also, KW_ALSO
 auto, KW_AUTO
 # deprecated/removed keywords
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 26ac5dafc..0fbc5d245 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -127,6 +127,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	msg_end->ca = push_string(msg, conn_end->ca);
 	msg_end->ca2 = push_string(msg, conn_end->ca2);
 	msg_end->groups = push_string(msg, conn_end->groups);
+	msg_end->groups2 = push_string(msg, conn_end->groups2);
 	msg_end->updown = push_string(msg, conn_end->updown);
 	if (conn_end->host)
 	{
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index cc0819fda..95de7d69b 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -152,6 +152,7 @@ struct stroke_end_t {
 	char *ca;
 	char *ca2;
 	char *groups;
+	char *groups2;
 	char *cert_policy;
 	char *updown;
 	char *address;
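Review bot: Adding `char *groups2` to stroke_end_t in stroke_msg.h changes the layout of the message that starter fills with push_string() in starterstroke.c and charon reads with pop_string() in stroke_socket.c, so a starter and a charon built on different sides of this commit would read each other's fields at shifted offsets. If stroke_msg_t carries a length or version field that the socket side checks, this change is where it should be bumped; if it does not, a comment on the struct stating that starter and charon must be rebuilt together would at least document the lockstep requirement. That the shift actually reaches the decoder rather than being rejected earlier is inferred from the push/pop pairs visible here, not from stroke_socket.c as a whole.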