author | Reto Guadagnini <rguadagn@hsr.ch> | 2012-07-05 12:17:49 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2013-02-19 12:25:00 +0100 |
commit | 95650c0836beac729b159259c83c03750d3e6a62 (patch) | |
tree | 3b5f2df99d2af09490c5c920d9abd273bc5f5140 | |
parent | 932717fbde194bba61a0cbea304fb7c0ded0368d (diff) | |
ipseckey: Report IPSECKEYs with invalid DNSSEC security state
-rw-r--r-- | src/libcharon/plugins/ipseckey/ipseckey_cred.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.c b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
index 9c4bc5950..53f30fedf 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey_cred.c
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
@@ -172,8 +172,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 }
 if (!response->has_data(response) ||
- !response->query_name_exist(response) ||
- !(response->get_security_state(response) == SECURE) )
+ !response->query_name_exist(response))
 {
 DBG1(DBG_CFG, "ipseckey_cred: Unable to retrieve IPSECKEY RRs "
 "for the domain %s from the DNS", fqdn);
@@ -181,6 +180,17 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 free(fqdn);
 return enumerator_create_empty();
 }
+
+ if (!(response->get_security_state(response) == SECURE))
+ {
+ DBG1(DBG_CFG, "ipseckey_cred: DNSSEC security state of the "
+ "IPSECKEY RRs of the domain %s is not SECURE "
+ "as required", fqdn);
+ response->destroy(response);
+ free(fqdn);
+ return enumerator_create_empty();
+ }
+
 free(fqdn);
 /** Determine the validity period of the retrieved IPSECKEYs |
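Review bot: The new DNSSEC branch in the second hunk logs only that the state "is not SECURE", so someone reading the log cannot tell an unsigned zone from an answer that failed validation, and the latter is the case worth alerting on. Capturing the result of `get_security_state()` once and including it in the `DBG1` message would make that distinction visible. The test also reads more directly as `if (response->get_security_state(response) != SECURE)`. Because this check runs only after `has_data`/`query_name_exist` pass, an unauthenticated negative answer is still reported as "Unable to retrieve"; that is safe, as both paths return the empty enumerator, but a short comment saying so would help. The body of create_cert_enumerator starts and continues outside the hunk.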