aboutsummaryrefslogtreecommitdiffstats
path: root/src/charon
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon')
-rw-r--r--src/charon/config/policies/local_policy_store.c16
-rwxr-xr-xsrc/charon/config/policies/policy_store.h18
-rw-r--r--src/charon/sa/ike_sa.c6
-rw-r--r--src/charon/sa/transactions/create_child_sa.c6
-rw-r--r--src/charon/sa/transactions/ike_auth.c26
5 files changed, 47 insertions, 25 deletions
diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c
index a4b53c5c8..32b0154e6 100644
--- a/src/charon/config/policies/local_policy_store.c
+++ b/src/charon/config/policies/local_policy_store.c
@@ -92,7 +92,8 @@ static bool contains_traffic_selectors(policy_t *policy, bool mine,
static policy_t *get_policy(private_local_policy_store_t *this,
identification_t *my_id, identification_t *other_id,
linked_list_t *my_ts, linked_list_t *other_ts,
- host_t *my_host, host_t *other_host)
+ host_t *my_host, host_t *other_host,
+ linked_list_t *requested_ca_keyids)
{
typedef enum {
PRIO_UNDEFINED = 0x00,
@@ -253,12 +254,13 @@ local_policy_store_t *local_policy_store_create(void)
{
private_local_policy_store_t *this = malloc_thing(private_local_policy_store_t);
- this->public.policy_store.add_policy = (void(*)(policy_store_t*,policy_t*))add_policy;
- this->public.policy_store.get_policy = (policy_t*(*)(policy_store_t*,identification_t*,identification_t*,linked_list_t*,linked_list_t*,host_t*,host_t*))get_policy;
- this->public.policy_store.get_policy_by_name = (policy_t*(*)(policy_store_t*,char*))get_policy_by_name;
- this->public.policy_store.delete_policy = (status_t(*)(policy_store_t*,char*))delete_policy;
- this->public.policy_store.create_iterator = (iterator_t*(*)(policy_store_t*))create_iterator;
- this->public.policy_store.destroy = (void(*)(policy_store_t*))destroy;
+ this->public.policy_store.add_policy = (void (*) (policy_store_t*,policy_t*))add_policy;
+ this->public.policy_store.get_policy = (policy_t* (*) (policy_store_t*,identification_t*,identification_t*,
+ linked_list_t*,linked_list_t*,host_t*,host_t*,linked_list_t*))get_policy;
+ this->public.policy_store.get_policy_by_name = (policy_t* (*) (policy_store_t*,char*))get_policy_by_name;
+ this->public.policy_store.delete_policy = (status_t (*) (policy_store_t*,char*))delete_policy;
+ this->public.policy_store.create_iterator = (iterator_t* (*) (policy_store_t*))create_iterator;
+ this->public.policy_store.destroy = (void (*) (policy_store_t*))destroy;
/* private variables */
this->policies = linked_list_create();
diff --git a/src/charon/config/policies/policy_store.h b/src/charon/config/policies/policy_store.h
index 47969087e..b89bbab77 100755
--- a/src/charon/config/policies/policy_store.h
+++ b/src/charon/config/policies/policy_store.h
@@ -49,13 +49,14 @@ struct policy_store_t {
* other_id must be fully qualified. my_id may be %any, as the
* other peer may not include an IDr Request.
*
- * @param this calling object
- * @param my_id own ID of the policy
- * @param other_id others ID of the policy
- * @param my_ts traffic selectors requested for local host
- * @param other_ts traffic selectors requested for remote host
- * @param my_host host to use for wilcards in TS compare
- * @param other_host host to use for wildcards in TS compare
+ * @param this calling object
+ * @param my_id own ID of the policy
+ * @param other_id others ID of the policy
+ * @param my_ts traffic selectors requested for local host
+ * @param other_ts traffic selectors requested for remote host
+ * @param my_host host to use for wilcards in TS compare
+ * @param other_host host to use for wildcards in TS compare
+ * @param requested_ca_keyids list of requested CA keyids
* @return
* - matching policy_t, if found
* - NULL otherwise
@@ -63,7 +64,8 @@ struct policy_store_t {
policy_t *(*get_policy) (policy_store_t *this,
identification_t *my_id, identification_t *other_id,
linked_list_t *my_ts, linked_list_t *other_ts,
- host_t *my_host, host_t* other_host);
+ host_t *my_host, host_t* other_host,
+ linked_list_t *requested_ca_keyids);
/**
* @brief Returns a policy identified by a connection name.
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index def5ecb3f..2ac59b2c2 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -450,7 +450,8 @@ static void dpd_detected(private_ike_sa_t *this)
policy = charon->policies->get_policy(charon->policies,
this->my_id, this->other_id,
my_ts, other_ts,
- this->my_host, this->other_host);
+ this->my_host, this->other_host,
+ NULL);
if (policy == NULL)
{
DBG1(DBG_IKE, "no policy for CHILD to handle DPD");
@@ -993,7 +994,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
policy = charon->policies->get_policy(charon->policies,
this->my_id, this->other_id,
my_ts, other_ts,
- this->my_host, this->other_host);
+ this->my_host, this->other_host,
+ NULL);
if (policy == NULL)
{
SIG(CHILD_UP_START, "acquiring CHILD_SA with reqid %d", reqid);
diff --git a/src/charon/sa/transactions/create_child_sa.c b/src/charon/sa/transactions/create_child_sa.c
index c04fd1102..60d316fff 100644
--- a/src/charon/sa/transactions/create_child_sa.c
+++ b/src/charon/sa/transactions/create_child_sa.c
@@ -261,7 +261,8 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
this->policy = charon->policies->get_policy(charon->policies,
my_id, other_id,
my_ts, other_ts,
- me, other);
+ me, other,
+ NULL);
this->reqid = this->rekeyed_sa->get_reqid(this->rekeyed_sa);
@@ -635,7 +636,8 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
this->policy = charon->policies->get_policy(charon->policies,
my_id, other_id,
my_ts, other_ts,
- me, other);
+ me, other,
+ NULL);
if (this->policy)
{
this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);
diff --git a/src/charon/sa/transactions/ike_auth.c b/src/charon/sa/transactions/ike_auth.c
index b09b7038d..5fd64e77d 100644
--- a/src/charon/sa/transactions/ike_auth.c
+++ b/src/charon/sa/transactions/ike_auth.c
@@ -421,9 +421,11 @@ static void build_notify(notify_type_t type, message_t *message, bool flush_mess
/**
* Import certificate requests from a certreq payload
*/
-static void import_certificate_request(certreq_payload_t *certreq_payload)
+static void add_certificate_request(certreq_payload_t *certreq_payload,
+ linked_list_t *requested_ca_keyids)
{
chunk_t keyids;
+
cert_encoding_t encoding = certreq_payload->get_cert_encoding(certreq_payload);
if (encoding != CERT_X509_SIGNATURE)
@@ -441,9 +443,14 @@ static void import_certificate_request(certreq_payload_t *certreq_payload)
x509_t *cacert = charon->credentials->get_ca_certificate_by_keyid(charon->credentials, keyid);
if (cacert)
+ {
DBG2(DBG_IKE, "request for certificate issued by ca '%D'", cacert->get_subject(cacert));
+ requested_ca_keyids->insert_last(requested_ca_keyids, (void *)&keyid);
+ }
else
+ {
DBG2(DBG_IKE, "request for certificate issued by unknown ca");
+ }
DBG2(DBG_IKE, " with keyid %#B", &keyid);
keyids.ptr += HASH_SIZE_SHA1;
@@ -550,6 +557,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
{
host_t *me, *other;
identification_t *my_id, *other_id;
+ linked_list_t *requested_ca_keyids;
message_t *response;
status_t status;
iterator_t *payloads;
@@ -596,6 +604,9 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
return DESTROY_ME;
}
+ /* initialize list of requested ca keyids */
+ requested_ca_keyids = linked_list_create();
+
/* Iterate over all payloads. */
payloads = request->get_payload_iterator(request);
while (payloads->iterate(payloads, (void**)&payload))
@@ -613,6 +624,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
break;
case CERTIFICATE_REQUEST:
certreq_request = (certreq_payload_t*)payload;
+ add_certificate_request(certreq_request, requested_ca_keyids);
break;
case CERTIFICATE:
cert_request = (cert_payload_t*)payload;
@@ -632,12 +644,14 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
if (status == FAILED)
{
payloads->destroy(payloads);
+ requested_ca_keyids->destroy(requested_ca_keyids);
/* we return SUCCESS, returned FAILED means do next transaction */
return SUCCESS;
}
if (status == DESTROY_ME)
{
payloads->destroy(payloads);
+ requested_ca_keyids->destroy(requested_ca_keyids);
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
@@ -659,6 +673,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
build_notify(INVALID_SYNTAX, response, TRUE);
SIG(IKE_UP_FAILED, "request message incomplete, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
+ requested_ca_keyids->destroy(requested_ca_keyids);
return DESTROY_ME;
}
@@ -674,10 +689,6 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
}
}
- if (certreq_request)
- { /* process certificate request payload */
- import_certificate_request(certreq_request);
- }
{ /* get a policy and process traffic selectors */
linked_list_t *my_ts, *other_ts;
@@ -688,7 +699,10 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
this->policy = charon->policies->get_policy(charon->policies,
my_id, other_id,
my_ts, other_ts,
- me, other);
+ me, other,
+ requested_ca_keyids);
+ requested_ca_keyids->destroy(requested_ca_keyids);
+
if (this->policy)
{
this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-25 21:33:45 +0000