author | Tobias Brunner <tobias@strongswan.org> | 2015-04-28 18:33:31 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-03-04 16:02:59 +0100 |
commit | bef4518de7a5aed45bbb182abb169c16c63274dc (patch) | |
tree | 846bd5a1fb7bfc2b06ea4cb6ce6477775b3c6bbf /src | |
parent | e92364db66bb8f09888252fb609b35fd8bf94fc8 (diff) | |
download | strongswan-bef4518de7a5aed45bbb182abb169c16c63274dc.tar.bz2 strongswan-bef4518de7a5aed45bbb182abb169c16c63274dc.tar.xz |
vici: Match identity with wildcards against remote ID in redirect command
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/plugins/vici/README.md | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_control.c | 11 | ||||
-rw-r--r-- | src/swanctl/commands/redirect.c | 2 |
3 files changed, 10 insertions, 6 deletions
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index d08488310..54291b8bb 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -298,7 +298,8 @@ supported by the peer.
 ike = <redirect an IKE_SA by configuration name>
 ike-id = <redirect an IKE_SA by its unique id>
 peer-ip = <redirect an IKE_SA with matching peer IP>
- peer-id = <redirect an IKE_SA with matching peer identity>
+ peer-id = <redirect an IKE_SA with matching peer identity, may contain
+ wildcards>
 } => {
 success = <yes or no>
 errmsg = <error string on failure>
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 7bcab0e86..a63caf0e1 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -366,7 +366,7 @@ CALLBACK(redirect, vici_message_t*,
 enumerator_t *sas;
 char *ike, *peer_ip, *peer_id, *gw, *errmsg = NULL;
 u_int ike_id, current, found = 0;
- identification_t *gateway, *identity = NULL;
+ identification_t *gateway, *identity = NULL, *other_id;
 host_t *address = NULL;
 ike_sa_t *ike_sa;
 vici_builder_t *builder;
@@ -445,10 +445,13 @@ CALLBACK(redirect, vici_message_t*,
 {
 continue;
 }
- if (identity &&
- !identity->equals(identity, ike_sa->get_other_eap_id(ike_sa)))
+ if (identity)
 {
- continue;
+ other_id = ike_sa->get_other_eap_id(ike_sa);
+ if (!other_id->matches(other_id, identity))
+ {
+ continue;
+ }
 }
 lib->processor->queue_job(lib->processor,
 (job_t*)redirect_job_create(ike_sa->get_id(ike_sa), gateway));
diff --git a/src/swanctl/commands/redirect.c b/src/swanctl/commands/redirect.c
index 0afe96a1b..295689bd3 100644
--- a/src/swanctl/commands/redirect.c
+++ b/src/swanctl/commands/redirect.c
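Review bot: The new `other_id->matches(other_id, identity)` test in the second vici_control.c hunk widens the filter so that a `peer-id` of `%any` (an ID_ANY pattern) would presumably match every IKE_SA the enumerator yields — if `matches()` treats ID_ANY as matching anything, as it does elsewhere in strongSwan — whereas the old `equals()` only selected SAs whose remote identity was literally that value; since every matched SA is handed to `redirect_job_create()`, that case deserves either an explicit rejection before the loop (`errmsg = "peer-id must not be %any";` on the existing error path) or a sentence in the README entry stating that `peer-id = %any` redirects all SAs. The pointer returned by `get_other_eap_id()` is now dereferenced directly, so if it can ever be NULL this is a new crash path that the old code, which only passed it as an argument to `equals()`, did not obviously have — worth a one-line comment such as `/* get_other_eap_id() never returns NULL: the remote ID defaults to ID_ANY */` if that invariant holds. The enclosing `redirect` callback starts and ends outside the hunk.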
@@ -117,7 +117,7 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 redirect, 'd', "redirect", "redirect an IKE_SA",
 {"--ike <name> | --ike-id <id> | --peer-ip <ip>",
- "--peer-id <id> | --gateway <ip|fqdn> [--raw|--pretty]"},
+ "--peer-id <id|wildcards> | --gateway <ip|fqdn> [--raw|--pretty]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"ike", 'i', 1, "redirect by IKE_SA name"}, |