From 8b2a2c17a202cdf8f8e51f1253d5a523b617310a Mon Sep 17 00:00:00 2001
From: sthen
Date: Thu, 1 Jun 2017 15:23:43 +0000
Subject: [PATCH] Expand $eapid in iked tags, allowing PF rules to be written based on EAP identity (username). OK mikeb@
---
 sbin/iked/iked.conf.5 | 6 ++++--
 sbin/iked/ikev2.c | 10 +++++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5
index f72f345fe22..8c77f24d603 100644
--- a/sbin/iked/iked.conf.5
+++ b/sbin/iked/iked.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.conf.5,v 1.49 2017/03/27 15:45:19 jmc Exp $
+.\" $OpenBSD: iked.conf.5,v 1.50 2017/06/01 15:23:43 sthen Exp $
 .\"
 .\" Copyright (c) 2010 - 2014 Reyk Floeter
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2017 $
+.Dd $Mdocdate: June 1 2017 $
 .Dt IKED.CONF 5
 .Os
 .Sh NAME
@@ -572,6 +572,8 @@ from ASN1_DN IDs, for example
 .Ar ASN1_ID//C=DE/../CN=10.1.1.1/..
 will be expanded to
 .Ar 10.1.1.1 .
+.It Ar $eapid
+For a connection using EAP, the identity (username) used by the remote peer.
 .It Ar $domain
 Extract the domain from IDs of type FQDN, UFQDN or ASN1_DN.
 .It Ar $name
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 7c4904b4cbd..045e499aaed 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.154 2017/04/26 10:42:38 henning Exp $ */
+/* $OpenBSD: ikev2.c,v 1.155 2017/06/01 15:23:43 sthen Exp $ */
 /*
  * Copyright (c) 2010-2013 Reyk Floeter
@@ -4560,6 +4560,14 @@ ikev2_sa_tag(struct iked_sa *sa, struct iked_id *id)
 }
 }
 
+ if (strstr(format, "$eapid") != NULL && sa->sa_eapid != NULL) {
+ if (expand_string(sa->sa_tag, len, "$eapid",
+ sa->sa_eapid) != 0) {
+ log_debug("%s: failed to expand tag", __func__);
+ goto fail;
+ }
+ }
+
 if (strstr(format, "$name") != NULL) {
 if (expand_string(sa->sa_tag, len, "$name",
 sa->sa_policy->pol_name) != 0) {
-- 
2.20.1
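Review bot: The value substituted for `$eapid` is chosen by the remote peer, and because each placeholder is rewritten in place in sa->sa_tag, an identity that itself contains a placeholder handled later in this function (the `$name` substitution that follows is visible in the hunk) would be expanded a second time; moving the `$eapid` block after the policy-derived placeholders, or at least documenting that the identity is peer-supplied and inserted verbatim, would keep the resulting PF tag predictable. The block is also skipped when the format names `$eapid` but sa->sa_eapid is NULL, so a non-EAP SA keeps the literal text in its tag; a comment such as `/* non-EAP SAs keep the literal "$eapid", so tag-based rules will not match them */` would record whether that is intended. Whether expand_string truncates a long identity to len is not visible here, and two identities that agree after truncation would share a tag, so that case deserves a check in expand_string or a note at this call. ikev2_sa_tag begins and ends outside the hunk.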