authorMartin Willi <martin@strongswan.org>2006-12-19 07:30:07 +0000
committerMartin Willi <martin@strongswan.org>2006-12-19 07:30:07 +0000
commit6fe03b0af0b77c1f2ad6c94eef2cf4ce20f71e77 (patch)
tree4938eac185daf23e490cd8e5893a6a5dcbfbb79c /src/starter
parent4986554f1a30d70ccb0d060be77367119561a383 (diff)
implemented reauthentication using the new reauth=yes|no parameter
Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/args.c1
-rw-r--r--src/starter/confread.c6
-rw-r--r--src/starter/ipsec.conf.511
-rw-r--r--src/starter/keywords.h1
-rw-r--r--src/starter/keywords.txt1
-rw-r--r--src/starter/starterstroke.c1
6 files changed, 19 insertions, 2 deletions
diff --git a/src/starter/args.c b/src/starter/args.c
index a784ac032..d689a40fd 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -190,6 +190,7 @@ static const token_info_t token_info[] =
{ ARG_ULNG, offsetof(starter_conn_t, sa_keying_tries), NULL },
{ ARG_PCNT, offsetof(starter_conn_t, sa_rekey_fuzz), NULL },
{ ARG_MISC, 0, NULL /* KW_REKEY */ },
+ { ARG_MISC, 0, NULL /* KW_REAUTH */ },
{ ARG_STR, offsetof(starter_conn_t, ike), NULL },
{ ARG_STR, offsetof(starter_conn_t, esp), NULL },
{ ARG_STR, offsetof(starter_conn_t, pfsgroup), LST_pfsgroup },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 6041d697f..a7db61625 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -67,7 +67,8 @@ static void default_values(starter_config_t *cfg)
cfg->conn_default.seen = LEMPTY;
cfg->conn_default.startup = STARTUP_NO;
cfg->conn_default.state = STATE_IGNORE;
- cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG | POLICY_PFS;
+ cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG |
+ POLICY_PFS | POLICY_REAUTH;
cfg->conn_default.ike = clone_str(ike_defaults, "ike_defaults");
cfg->conn_default.esp = clone_str(esp_defaults, "esp_defaults");
@@ -447,6 +448,9 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
case KW_REKEY:
KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
break;
+ case KW_REAUTH:
+ KW_POLICY_FLAG("yes", "no", POLICY_REAUTH)
+ break;
case KW_MODECONFIG:
KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
break;
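Review bot: A `reauth=no` setting on an IKEv1 connection is accepted silently at the new `case KW_REAUTH:`, although the man page text in this same commit states that IKEv1 always reauthenticates, so a reader of load_conn gets no hint that the flag is IKEv2-only. Whether the keyexchange setting has already been parsed at this point is not visible in the hunk, so rather than a check I would add the comment `/* reauth=no only affects IKEv2; IKEv1 always reauthenticates, see ipsec.conf.5 */` above the KW_POLICY_FLAG line. In default_values the addition of POLICY_REAUTH keeps reauthentication enabled unless a conn explicitly turns it off, which matches the "(the default)" wording in ipsec.conf.5; a one-line comment there saying that the conservative default is intentional would save the next reader a cross-reference. load_conn continues outside the hunk.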
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 324b041ad..bea2a6371 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -733,12 +733,21 @@ and
The two ends need not agree,
but while a value of
.B no
-prevents Pluto from requesting renegotiation,
+prevents Pluto/Charon from requesting renegotiation,
it does not prevent responding to renegotiation requested from the other end,
so
.B no
will be largely ineffective unless both ends agree on it.
.TP
+.B reauth
+whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
+reauthentication is always done. In IKEv2, a value of
+.B no
+rekeys without uninstalling the IPsec SAs, a value of
+.B yes
+(the default) creates a new IKE_SA from scratch and tries to recreate
+all IPsec SAs.
+.TP
.B rekeyfuzz
maximum percentage by which
.B rekeymargin
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index eac737567..66f86679e 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -73,6 +73,7 @@ typedef enum {
KW_KEYINGTRIES,
KW_REKEYFUZZ,
KW_REKEY,
+ KW_REAUTH,
KW_IKE,
KW_ESP,
KW_PFSGROUP,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 6e700f175..e8e489fea 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -62,6 +62,7 @@ ikelifetime, KW_IKELIFETIME
keyingtries, KW_KEYINGTRIES
rekeyfuzz, KW_REKEYFUZZ
rekey, KW_REKEY
+reauth, KW_REAUTH
esp, KW_ESP
ike, KW_IKE
pfsgroup, KW_PFSGROUP
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 87cf07ce5..eff157add 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -205,6 +205,7 @@ int starter_stroke_add_conn(starter_conn_t *conn)
}
else
{
+ msg.add_conn.rekey.reauth = (conn->policy & POLICY_REAUTH);
msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
msg.add_conn.rekey.margin = conn->sa_rekey_margin;
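Review bot: `msg.add_conn.rekey.reauth = (conn->policy & POLICY_REAUTH);` stores the raw masked bit rather than a normalized 0/1. Neither the type of the `reauth` field nor the bit position of POLICY_REAUTH is visible here, but if the field is narrower than the flag's bit the assignment truncates to 0 and silently disables reauthentication, and if it is a plain int, a consumer comparing against 1 would misread it. Writing `msg.add_conn.rekey.reauth = (conn->policy & POLICY_REAUTH) != 0;` is correct regardless of both. The `if` branch of the surrounding conditional is outside the hunk, so whether reauth is populated on that path cannot be confirmed from here; starter_stroke_add_conn continues outside the hunk.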