-rw-r--r-- | src/charon/config/policies/local_policy_store.c | 32 | ||||
-rw-r--r-- | src/charon/sa/transactions/ike_auth.c | 18 |
2 files changed, 19 insertions, 31 deletions
diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c index 8ba65d24e..2054b9df5 100644 --- a/src/charon/config/policies/local_policy_store.c +++ b/src/charon/config/policies/local_policy_store.c @@ -72,10 +72,9 @@ static void add_policy(private_local_policy_store_t *this, policy_t *policy) static policy_t *get_policy_by_ids(private_local_policy_store_t *this, identification_t *my_id, identification_t *other_id) { typedef enum { - PRIO_UNDEFINED = 0x00, + PRIO_UNDEFINED = 0x00, PRIO_ID_ANY = 0x01, - PRIO_ID_WILDCARD = 0x02, - PRIO_ID_MATCH = 0x04, + PRIO_ID_MATCH = PRIO_ID_ANY + MAX_WILDCARDS, } prio_t; prio_t best_prio = PRIO_UNDEFINED; 
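Review bot: prio_t is turned from a set of independent flag values into an arithmetic scale, but nothing at the typedef says so, and `PRIO_ID_MATCH = PRIO_ID_ANY + MAX_WILDCARDS` means a candidate with exactly MAX_WILDCARDS wildcards ends up with the same priority as a plain %any policy, while a larger count would drop to PRIO_UNDEFINED or below. Whether `matches()` can ever report MAX_WILDCARDS or more is not visible in this hunk, nor is the definition of MAX_WILDCARDS, so this is a request to document the invariant rather than a confirmed defect. I would put a comment above the typedef: `/* priority = PRIO_ID_MATCH - wildcards; an exact match scores highest, %any lowest, so a candidate must report fewer than MAX_WILDCARDS wildcards to outrank %any */`. get_policy_by_ids() continues past the end of this hunk.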
@@ -89,36 +88,28 @@ static policy_t *get_policy_by_ids(private_local_policy_store_t *this, identific pthread_mutex_lock(&(this->mutex)); iterator = this->policies->create_iterator(this->policies, TRUE); + /* determine closest matching policy */ while (iterator->has_next(iterator)) { identification_t *candidate_my_id; identification_t *candidate_other_id; + int wildcards; iterator->current(iterator, (void**)&candidate); candidate_my_id = candidate->get_my_id(candidate); candidate_other_id = candidate->get_other_id(candidate); - /* my_id must match, or may be %any */ - if (candidate_my_id->belongs_to(candidate_my_id, my_id)) + /* my_id is either %any or if set must match exactly */ + if (candidate_my_id->matches(candidate_my_id, my_id, &wildcards)) { prio_t prio = PRIO_UNDEFINED; - /* exact match of id? */ - if (other_id->equals(other_id, candidate_other_id)) - { - prio = PRIO_ID_MATCH; - } - /* match against any? */ - else if (candidate_other_id->get_type(candidate_other_id) == ID_ANY) + /* wildcard match for other_id */ + if (other_id->matches(other_id, candidate_other_id, &wildcards)) { - prio = PRIO_ID_ANY; - } - /* wildcard match? */ - else if (other_id->belongs_to(other_id, candidate_other_id)) - { - prio = PRIO_ID_WILDCARD; + prio = PRIO_ID_MATCH - wildcards; } this->logger->log(this->logger, CONTROL|LEVEL2, @@ -133,11 +124,6 @@ static policy_t *get_policy_by_ids(private_local_policy_store_t *this, identific found = candidate; best_prio = prio; } - if (prio == PRIO_ID_MATCH) - { - /* won't get better, stop searching */ - break; - } } } iterator->destroy(iterator); diff --git a/src/charon/sa/transactions/ike_auth.c b/src/charon/sa/transactions/ike_auth.c index 7a18adc25..a4812e6d7 100644 --- a/src/charon/sa/transactions/ike_auth.c +++ b/src/charon/sa/transactions/ike_auth.c 
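Review bot: The `wildcards` value written by the my_id `matches()` call is overwritten by the other_id call before `prio = PRIO_ID_MATCH - wildcards` uses it, so a policy whose my_id is a wildcard pattern ranks exactly like one whose my_id matches exactly, which is not what the new comment "must match exactly" promises and can let a broader policy win over a more specific one. The variable is also declared uninitialised, so if `matches()` can return TRUE without storing a count (its implementation is not in this diff) the subtraction reads an indeterminate value. I would keep one counter per side and rank on their sum: `int my_wildcards = 0, other_wildcards = 0;`, then `prio = PRIO_ID_MATCH - (my_wildcards + other_wildcards);`, so exact-on-both stays the best score. Note too that the two calls pass their arguments in opposite orders (configured id first for my_id, actual id first for other_id); if `matches()` treats its first argument as the concrete identity and the second as the pattern, as the other_id call suggests, the my_id call is inverted and should be `my_id->matches(my_id, candidate_my_id, &my_wildcards)` — worth confirming against identification.c. get_policy_by_ids() starts before and ends after this hunk.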
@@ -224,7 +224,7 @@ static status_t get_request(private_ike_auth_t *this, message_t **result) else { this->logger->log(this->logger, ERROR, - "could not find my certificate, certificate payload ommited"); + "could not find my certificate, certificate payload omitted"); } } @@ -299,9 +299,9 @@ static status_t get_request(private_ike_auth_t *this, message_t **result) } /** - * Handle all kind of notifys + * Handle all kind of notifies */ -static status_t process_notifys(private_ike_auth_t *this, notify_payload_t *notify_payload) +static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *notify_payload) { notify_type_t notify_type = notify_payload->get_notify_type(notify_payload); @@ -310,7 +310,7 @@ static status_t process_notifys(private_ike_auth_t *this, notify_payload_t *noti switch (notify_type) { - /* these notifys are not critical. no child_sa is built, but IKE stays alive */ + /* these notifies are not critical. no child_sa is built, but IKE stays alive */ case SINGLE_PAIR_REQUIRED: { this->logger->log(this->logger, AUDIT, @@ -471,6 +471,7 @@ static void destroy_ts_list(linked_list_t *list) if (list) { traffic_selector_t *ts; + while (list->remove_last(list, (void**)&ts) == SUCCESS) { ts->destroy(ts); @@ -560,7 +561,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, break; case NOTIFY: { - status = process_notifys(this, (notify_payload_t*)payload); + status = process_notifies(this, (notify_payload_t*)payload); if (status == FAILED) { payloads->destroy(payloads); @@ -641,7 +642,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, if (cert == NULL) { this->logger->log(this->logger, ERROR, - "could not find my certificate, cert payload ommited"); + "could not find my certificate, cert payload omitted"); } cert_payload = cert_payload_create_from_x509(cert); response->add_payload(response, (payload_t *)cert_payload); 
@@ -822,7 +823,7 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, break; case NOTIFY: { - status = process_notifys(this, (notify_payload_t*)payload); + status = process_notifies(this, (notify_payload_t*)payload); if (status == FAILED) { payloads->destroy(payloads); @@ -855,11 +856,12 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, { /* process idr payload */ identification_t *configured_other_id; + int wildcards; other_id = idr_payload->get_identification(idr_payload); configured_other_id = this->policy->get_other_id(this->policy); - if (!other_id->belongs_to(other_id, configured_other_id)) + if (!other_id->matches(other_id, configured_other_id, &wildcards)) { other_id->destroy(other_id); this->logger->log(this->logger, AUDIT, |
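Review bot: The `wildcards` count produced by the new `matches()` call on IDr is never read anywhere in this hunk, so the local only exists to satisfy the out-parameter; either pass it through to the AUDIT log in the success path so an operator can see that the peer was accepted on a wildcard rather than an exact match, or drop it if `matches()` tolerates a NULL count (not visible here). Security-wise this change widens what the responder may assert as IDr from "equal to the configured other_id" to "matches the configured pattern", so it is now essential that the subsequent AUTH/certificate verification binds the peer's proven identity to the received `other_id` and not to the configured pattern; that code lies outside the hunk, so please confirm it checks the received IDr. conclude() begins before and continues after this hunk.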