authorTobias Brunner <tobias@strongswan.org>2015-04-28 18:33:31 +0200
committerTobias Brunner <tobias@strongswan.org>2016-03-04 16:02:59 +0100
commitbef4518de7a5aed45bbb182abb169c16c63274dc (patch)
tree846bd5a1fb7bfc2b06ea4cb6ce6477775b3c6bbf /src
parente92364db66bb8f09888252fb609b35fd8bf94fc8 (diff)
downloadstrongswan-bef4518de7a5aed45bbb182abb169c16c63274dc.tar.bz2
strongswan-bef4518de7a5aed45bbb182abb169c16c63274dc.tar.xz
vici: Match identity with wildcards against remote ID in redirect command
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/vici/README.md3
-rw-r--r--src/libcharon/plugins/vici/vici_control.c11
-rw-r--r--src/swanctl/commands/redirect.c2
3 files changed, 10 insertions, 6 deletions
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index d08488310..54291b8bb 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -298,7 +298,8 @@ supported by the peer.
ike = <redirect an IKE_SA by configuration name>
ike-id = <redirect an IKE_SA by its unique id>
peer-ip = <redirect an IKE_SA with matching peer IP>
- peer-id = <redirect an IKE_SA with matching peer identity>
+ peer-id = <redirect an IKE_SA with matching peer identity, may contain
+ wildcards>
} => {
success = <yes or no>
errmsg = <error string on failure>
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 7bcab0e86..a63caf0e1 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -366,7 +366,7 @@ CALLBACK(redirect, vici_message_t*,
enumerator_t *sas;
char *ike, *peer_ip, *peer_id, *gw, *errmsg = NULL;
u_int ike_id, current, found = 0;
- identification_t *gateway, *identity = NULL;
+ identification_t *gateway, *identity = NULL, *other_id;
host_t *address = NULL;
ike_sa_t *ike_sa;
vici_builder_t *builder;
@@ -445,10 +445,13 @@ CALLBACK(redirect, vici_message_t*,
{
continue;
}
- if (identity &&
- !identity->equals(identity, ike_sa->get_other_eap_id(ike_sa)))
+ if (identity)
{
- continue;
+ other_id = ike_sa->get_other_eap_id(ike_sa);
+ if (!other_id->matches(other_id, identity))
+ {
+ continue;
+ }
}
lib->processor->queue_job(lib->processor,
(job_t*)redirect_job_create(ike_sa->get_id(ike_sa), gateway));
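Review bot: The direction of the new `other_id->matches(other_id, identity)` call deserves a comment, because the `equals()` it replaces was symmetric and `matches()` is not: the SA's remote identity is tested against the operator-supplied `identity`, which may now carry wildcards. Suggested comment above that line: `/* identity may contain wildcards, so match the SA's remote ID against it, not the other way round */`. Since one wildcard pattern can select many SAs, a single redirect command can now move every SA whose remote ID matches; the README hunk documents the syntax, but the broadened selection is worth noting here as well. The `!other_id->matches(...)` test also relies on matches() returning zero for "no match", which the hunk does not show — confirm against the identification_t contract. The enclosing `redirect` callback starts and ends outside the hunk.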
diff --git a/src/swanctl/commands/redirect.c b/src/swanctl/commands/redirect.c
index 0afe96a1b..295689bd3 100644
--- a/src/swanctl/commands/redirect.c
+++ b/src/swanctl/commands/redirect.c
@@ -117,7 +117,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
redirect, 'd', "redirect", "redirect an IKE_SA",
{"--ike <name> | --ike-id <id> | --peer-ip <ip>",
- "--peer-id <id> | --gateway <ip|fqdn> [--raw|--pretty]"},
+ "--peer-id <id|wildcards> | --gateway <ip|fqdn> [--raw|--pretty]"},
{
{"help", 'h', 0, "show usage information"},
{"ike", 'i', 1, "redirect by IKE_SA name"},
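Review bot: The usage synopsis now advertises `<id|wildcards>` for `--peer-id`, but the per-option help text for `peer-id` in the option table, which judging from the `ike` entry on the last line continues past the hunk, presumably still describes a plain identity; for consistency it should mention wildcards too, e.g. `"redirect by IKE_SA peer identity (may contain wildcards)"`. The `reg()` constructor's `command_register` call continues outside the hunk.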