author | Andreas Steffen <andreas.steffen@strongswan.org> | 2006-10-31 07:04:15 +0000 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2006-10-31 07:04:15 +0000 |
commit | 29137c0cef21f90d27d1a590f07b3d696ce7da66 (patch) | |
tree | d8589f796e7ecd96c9bfa5fe22f32ebc15965ac6 /src/charon | |
parent | d2bb572f79160da50f24ac9356be5da0cce4ae21 (diff) | |
preparations to include certreqs in policy decisions
Diffstat (limited to 'src/charon')
-rw-r--r-- | src/charon/config/policies/local_policy_store.c | 16 | ||||
-rwxr-xr-x | src/charon/config/policies/policy_store.h | 18 | ||||
-rw-r--r-- | src/charon/sa/ike_sa.c | 6 | ||||
-rw-r--r-- | src/charon/sa/transactions/create_child_sa.c | 6 | ||||
-rw-r--r-- | src/charon/sa/transactions/ike_auth.c | 26 |
5 files changed, 47 insertions, 25 deletions
diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c
index a4b53c5c8..32b0154e6 100644
--- a/src/charon/config/policies/local_policy_store.c
+++ b/src/charon/config/policies/local_policy_store.c
@@ -92,7 +92,8 @@ static bool contains_traffic_selectors(policy_t *policy, bool mine,
 static policy_t *get_policy(private_local_policy_store_t *this, identification_t *my_id, identification_t *other_id, linked_list_t *my_ts, linked_list_t *other_ts,
- host_t *my_host, host_t *other_host)
+ host_t *my_host, host_t *other_host,
+ linked_list_t *requested_ca_keyids)
 {
 typedef enum {
 PRIO_UNDEFINED = 0x00,
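Review bot: The new `requested_ca_keyids` parameter has no NULL handling visible, yet this same commit calls get_policy with NULL from ike_sa.c and create_child_sa.c and with a live list only from ike_auth.c; the body of get_policy runs past the hunk, so whatever it does with the list must check for NULL first. A note on the signature would make the contract explicit for the next caller: `/* requested_ca_keyids: pointers to the keyid chunks of CAs the peer asked for, or NULL when no certreq is available (CHILD_SA, DPD) */`. Since the peer chooses which CERTREQ payloads to send, the list should only ever narrow the choice among policies that the identities and traffic selectors already match, never admit one they would reject. get_policy starts in this hunk but its body ends outside it.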
@@ -253,12 +254,13 @@ local_policy_store_t *local_policy_store_create(void)
 {
 private_local_policy_store_t *this = malloc_thing(private_local_policy_store_t);
- this->public.policy_store.add_policy = (void(*)(policy_store_t*,policy_t*))add_policy;
- this->public.policy_store.get_policy = (policy_t*(*)(policy_store_t*,identification_t*,identification_t*,linked_list_t*,linked_list_t*,host_t*,host_t*))get_policy;
- this->public.policy_store.get_policy_by_name = (policy_t*(*)(policy_store_t*,char*))get_policy_by_name;
- this->public.policy_store.delete_policy = (status_t(*)(policy_store_t*,char*))delete_policy;
- this->public.policy_store.create_iterator = (iterator_t*(*)(policy_store_t*))create_iterator;
- this->public.policy_store.destroy = (void(*)(policy_store_t*))destroy;
+ this->public.policy_store.add_policy = (void (*) (policy_store_t*,policy_t*))add_policy;
+ this->public.policy_store.get_policy = (policy_t* (*) (policy_store_t*,identification_t*,identification_t*,
+ linked_list_t*,linked_list_t*,host_t*,host_t*,linked_list_t*))get_policy;
+ this->public.policy_store.get_policy_by_name = (policy_t* (*) (policy_store_t*,char*))get_policy_by_name;
+ this->public.policy_store.delete_policy = (status_t (*) (policy_store_t*,char*))delete_policy;
+ this->public.policy_store.create_iterator = (iterator_t* (*) (policy_store_t*))create_iterator;
+ this->public.policy_store.destroy = (void (*) (policy_store_t*))destroy;
 /* private variables */
 this->policies = linked_list_create();
diff --git a/src/charon/config/policies/policy_store.h b/src/charon/config/policies/policy_store.h
index 47969087e..b89bbab77 100755
--- a/src/charon/config/policies/policy_store.h
+++ b/src/charon/config/policies/policy_store.h
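Review bot: The hand-written cast on the `get_policy` assignment now lists eight parameter types, and a future mismatch with the real signature of get_policy above or with the prototype in policy_store.h would still compile and misread arguments at runtime; the compiler cannot help because the cast is required by get_policy taking `private_local_policy_store_t*`. The cheapest guard is a reminder beside the cast: `/* parameter list must match get_policy() above and policy_store.h */`. Breaking the type list one entry per line, as the second half of the cast already does, would also make it checkable by eye.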
@@ -49,13 +49,14 @@ struct policy_store_t {
 * other_id must be fully qualified. my_id may be %any, as the
 * other peer may not include an IDr Request.
 *
- * @param this calling object
- * @param my_id own ID of the policy
- * @param other_id others ID of the policy
- * @param my_ts traffic selectors requested for local host
- * @param other_ts traffic selectors requested for remote host
- * @param my_host host to use for wilcards in TS compare
- * @param other_host host to use for wildcards in TS compare
+ * @param this calling object
+ * @param my_id own ID of the policy
+ * @param other_id others ID of the policy
+ * @param my_ts traffic selectors requested for local host
+ * @param other_ts traffic selectors requested for remote host
+ * @param my_host host to use for wilcards in TS compare
+ * @param other_host host to use for wildcards in TS compare
+ * @param requested_ca_keyids list of requested CA keyids
+ * @return
 * - matching policy_t, if found
 * - NULL otherwise
@@ -63,7 +64,8 @@ struct policy_store_t {
 policy_t *(*get_policy) (policy_store_t *this, identification_t *my_id, identification_t *other_id, linked_list_t *my_ts, linked_list_t *other_ts,
- host_t *my_host, host_t* other_host);
+ host_t *my_host, host_t* other_host,
+ linked_list_t *requested_ca_keyids);
 /**
 * @brief Returns a policy identified by a connection name.
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index def5ecb3f..2ac59b2c2 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -450,7 +450,8 @@ static void dpd_detected(private_ike_sa_t *this)
 policy = charon->policies->get_policy(charon->policies, this->my_id, this->other_id, my_ts, other_ts,
- this->my_host, this->other_host);
+ this->my_host, this->other_host,
+ NULL);
 if (policy == NULL)
 {
 DBG1(DBG_IKE, "no policy for CHILD to handle DPD");
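Review bot: The new `@param requested_ca_keyids list of requested CA keyids` omits what a caller has to know: NULL is accepted (ike_sa.c and create_child_sa.c pass it in this same commit), the elements are pointers to keyid chunks (ike_auth.c inserts `&keyid`), and the store may not retain the list, because ike_auth.c destroys it right after the call returns. Suggested wording: `@param requested_ca_keyids pointers to the keyid chunks of CAs named in the peer's CERTREQ, NULL if none; neither the list nor its elements are retained`. The rewritten `my_host` line also carries the old `wilcards` typo forward; since the line is being touched anyway, make it `wildcards`.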
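Review bot: `NULL` is passed for the new argument here, and again in acquire() below, so a policy lookup made to handle a CHILD_SA after DPD carries no CA constraint; nothing in this diff shows get_policy tolerating NULL, so confirm it does before this lands. If NULL is meant as "no constraint", say so where it is passed: `NULL);	/* no certreq information outside IKE_AUTH */`. dpd_detected begins before this hunk.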
@@ -993,7 +994,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
 policy = charon->policies->get_policy(charon->policies, this->my_id, this->other_id, my_ts, other_ts,
- this->my_host, this->other_host);
+ this->my_host, this->other_host,
+ NULL);
 if (policy == NULL)
 {
 SIG(CHILD_UP_START, "acquiring CHILD_SA with reqid %d", reqid);
diff --git a/src/charon/sa/transactions/create_child_sa.c b/src/charon/sa/transactions/create_child_sa.c
index c04fd1102..60d316fff 100644
--- a/src/charon/sa/transactions/create_child_sa.c
+++ b/src/charon/sa/transactions/create_child_sa.c
@@ -261,7 +261,8 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
 this->policy = charon->policies->get_policy(charon->policies, my_id, other_id, my_ts, other_ts,
- me, other);
+ me, other,
+ NULL);
 this->reqid = this->rekeyed_sa->get_reqid(this->rekeyed_sa);
@@ -635,7 +636,8 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
 this->policy = charon->policies->get_policy(charon->policies, my_id, other_id, my_ts, other_ts,
- me, other);
+ me, other,
+ NULL);
 if (this->policy)
 {
 this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);
diff --git a/src/charon/sa/transactions/ike_auth.c b/src/charon/sa/transactions/ike_auth.c
index b09b7038d..5fd64e77d 100644
--- a/src/charon/sa/transactions/ike_auth.c
+++ b/src/charon/sa/transactions/ike_auth.c
@@ -421,9 +421,11 @@ static void build_notify(notify_type_t type, message_t *message, bool flush_mess
 /**
 * Import certificate requests from a certreq payload
 */
-static void import_certificate_request(certreq_payload_t *certreq_payload)
+static void add_certificate_request(certreq_payload_t *certreq_payload,
+ linked_list_t *requested_ca_keyids)
 {
 chunk_t keyids;
+
 cert_encoding_t encoding = certreq_payload->get_cert_encoding(certreq_payload);
 if (encoding != CERT_X509_SIGNATURE)
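Review bot: With `NULL` here a CREATE_CHILD_SA response resolves its policy without the CA constraint that IKE_AUTH is being prepared to apply, so once certreqs influence selection a peer could obtain a CHILD_SA under a policy that the IKE_AUTH lookup for the same identities would not have chosen — unless get_policy (not in this diff) keeps preferring the policy already bound to the IKE_SA. Either record the decision at the call, `NULL);	/* certreqs are only seen in IKE_AUTH; no CA constraint for CHILD_SAs */`, or derive the CHILD_SA policy from the one the IKE_SA was authenticated under instead of re-resolving by identity alone. get_response continues past this hunk.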
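Review bot: The header comment above the renamed function still says `Import certificate requests from a certreq payload`, but add_certificate_request no longer imports anything: it collects keyids into `requested_ca_keyids` (the insert is in the following hunk) and returns without doing anything for encodings other than CERT_X509_SIGNATURE. Suggest `Append the keyids of known CAs named in a CERT_X509_SIGNATURE certreq payload to requested_ca_keyids; other encodings are ignored, unknown CAs are only logged`. The function body continues in the next hunk.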
@@ -441,9 +443,14 @@ static void import_certificate_request(certreq_payload_t *certreq_payload)
 x509_t *cacert = charon->credentials->get_ca_certificate_by_keyid(charon->credentials, keyid);
 if (cacert)
+ {
 DBG2(DBG_IKE, "request for certificate issued by ca '%D'", cacert->get_subject(cacert));
+ requested_ca_keyids->insert_last(requested_ca_keyids, (void *)&keyid);
+ }
 else
+ {
 DBG2(DBG_IKE, "request for certificate issued by unknown ca");
+ }
 DBG2(DBG_IKE, " with keyid %#B", &keyid);
 keyids.ptr += HASH_SIZE_SHA1;
@@ -550,6 +557,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
 {
 host_t *me, *other;
 identification_t *my_id, *other_id;
+ linked_list_t *requested_ca_keyids;
 message_t *response;
 status_t status;
 iterator_t *payloads;
@@ -596,6 +604,9 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
 return DESTROY_ME;
 }
+ /* initialize list of requested ca keyids */
+ requested_ca_keyids = linked_list_create();
+
 /* Iterate over all payloads. */
 payloads = request->get_payload_iterator(request);
 while (payloads->iterate(payloads, (void**)&payload))
@@ -613,6 +624,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
 break;
 case CERTIFICATE_REQUEST:
 certreq_request = (certreq_payload_t*)payload;
+ add_certificate_request(certreq_request, requested_ca_keyids);
 break;
 case CERTIFICATE:
 cert_request = (cert_payload_t*)payload;
@@ -632,12 +644,14 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
 if (status == FAILED)
 {
 payloads->destroy(payloads);
+ requested_ca_keyids->destroy(requested_ca_keyids);
 /* we return SUCCESS, returned FAILED means do next transaction */
 return SUCCESS;
 }
 if (status == DESTROY_ME)
 {
 payloads->destroy(payloads);
+ requested_ca_keyids->destroy(requested_ca_keyids);
 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
 return DESTROY_ME;
 }
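Review bot: `requested_ca_keyids->insert_last(requested_ca_keyids, (void *)&keyid)` stores the address of an automatic variable: every pass of the loop (it advances `keyids.ptr` just below) pushes the same `&keyid`, so the list ends up with N pointers to one stack slot, and all of them dangle once add_certificate_request returns — get_response hands the list to get_policy only after that. Allocate per entry instead: `chunk_t *entry = malloc_thing(chunk_t); *entry = keyid; requested_ca_keyids->insert_last(requested_ca_keyids, entry);`, and free the entries wherever get_response destroys the list, since a plain destroy() will not. A shallow copy is enough only while the certreq payload's data stays alive for the lookup, which holds in get_response because the list is destroyed before the request message is; clone the chunk data if the list ever outlives the message. Inserting only keyids that get_ca_certificate_by_keyid recognises is the right call, as it keeps arbitrary peer-supplied keyids out of policy selection.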
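Review bot: The two exits in this hunk now free the list, but get_response has lines between this hunk and the `-659` one, and between `-659` and `-674`, that the diff does not show; any return in those ranges now leaks `requested_ca_keyids`, and a failed IKE_AUTH is something a remote peer can repeat at will. Rather than adding `requested_ca_keyids->destroy(requested_ca_keyids);` to each exit by hand, a single cleanup label that both destroys the list and releases whatever its elements point to (destroy() frees only the list nodes) would make every path uniform. get_response starts before this hunk and ends after it.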
@@ -659,6 +673,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
 build_notify(INVALID_SYNTAX, response, TRUE);
 SIG(IKE_UP_FAILED, "request message incomplete, deleting IKE_SA");
 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
+ requested_ca_keyids->destroy(requested_ca_keyids);
 return DESTROY_ME;
 }
@@ -674,10 +689,6 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
 }
 }
- if (certreq_request)
- { /* process certificate request payload */
- import_certificate_request(certreq_request);
- }
 { /* get a policy and process traffic selectors */
 linked_list_t *my_ts, *other_ts;
@@ -688,7 +699,10 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
 this->policy = charon->policies->get_policy(charon->policies, my_id, other_id, my_ts, other_ts,
- me, other);
+ me, other,
+ requested_ca_keyids);
+ requested_ca_keyids->destroy(requested_ca_keyids);
+
 if (this->policy)
 {
 this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me); |
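Review bot: The list is destroyed on the line right after get_policy() returns, so the policy store must copy anything it keeps from `requested_ca_keyids` rather than hold the pointer or its elements; get_policy's body is outside this diff, and nothing at the call site says so. A comment on the destroy would pin the contract: `requested_ca_keyids->destroy(requested_ca_keyids);	/* get_policy() must not retain the list or its elements */`. Note also that destroy() frees only the list nodes, so whatever the inserted pointers refer to must be released separately if it was allocated. Because the peer controls what the list contains (it can send any CERTREQ, or none), get_policy should use it only to prefer among policies that the identities and traffic selectors already match.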