diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 0ca45a1..64155a0 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -515,6 +515,7 @@ METHOD(auth_cfg_t, complies, bool,
{
enumerator_t *e1, *e2;
bool success = TRUE, group_match = FALSE, cert_match = FALSE;
+ bool require_ca = FALSE, ca_match = FALSE;
identification_t *require_group = NULL;
certificate_t *require_cert = NULL;
signature_scheme_t scheme = SIGN_UNKNOWN;
@@ -535,22 +536,17 @@ METHOD(auth_cfg_t, complies, bool,
c1 = (certificate_t*)value;
- success = FALSE;
+ require_ca = TRUE;
e2 = create_enumerator(this);
while (e2->enumerate(e2, &t2, &c2))
{
if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
c1->equals(c1, c2))
{
- success = TRUE;
+ ca_match = TRUE;
}
}
e2->destroy(e2);
- if (!success && log_error)
- {
- DBG1(DBG_CFG, "constraint check failed: peer not "
- "authenticated by CA '%Y'.", c1->get_subject(c1));
- }
break;
}
case AUTH_RULE_SUBJECT_CERT:
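Review bot: Nothing at `require_ca = TRUE;` says that several CA constraints are now alternatives. `require_ca` and `ca_match` are function-wide flags, so the check added further down in `complies` passes as soon as any one required certificate equals a CA or intermediate certificate in this config. An operator who lists two CAs expecting both to be enforced gets a weaker policy than they may assume, so I would document the any-of semantics at the assignment, e.g. `/* CA constraints are alternatives: a single matching CA or intermediate cert satisfies all of them */`. The same wording probably belongs in the option's user documentation. The case body begins above this hunk, so the rule type handled here is inferred from the removed log text.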
@@ -844,6 +840,15 @@ METHOD(auth_cfg_t, complies, bool,
e2->destroy(e2);
}
+ if (require_ca && !ca_match)
+ {
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: no matching CA found");
+ }
+ return FALSE;
+ }
+
if (require_group && !group_match)
{
if (log_error)
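Review bot: The new failure message `"constraint check failed: no matching CA found"` no longer names any required CA, whereas the message removed from the CA case printed the subject with `%Y` and `c1->get_subject(c1)`. When triaging a rejected peer from logs, the required subject is what lets an operator tell a misconfigured constraint from a peer presenting the wrong chain. I would keep one required certificate in a local next to `require_ca` (the existing `require_cert` local appears to play that role for subject certificates) and log it, e.g. `DBG1(DBG_CFG, "constraint check failed: peer not authenticated by CA '%Y' or another configured CA", ca->get_subject(ca));`, where `ca` is that new local. The `require_group` block continues past the end of this hunk.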