Diffstat (limited to 'src/charon/sa/tasks/ike_cert_post.c')
-rw-r--r-- | src/charon/sa/tasks/ike_cert_post.c | 122 |
1 files changed, 60 insertions, 62 deletions
diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c
index cb533236e..70e87c2e7 100644
--- a/src/charon/sa/tasks/ike_cert_post.c
+++ b/src/charon/sa/tasks/ike_cert_post.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
- *
- * $Id: ike_cert_post.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 #include "ike_cert_post.h"
@@ -22,6 +20,7 @@
 #include <sa/ike_sa.h>
 #include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/auth_payload.h>
 #include <credentials/certificates/x509.h>
@@ -98,70 +97,71 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, certifi } /** - * from ike_auth.c - */ -auth_class_t get_auth_class(peer_cfg_t *config); - -/** * add certificates to message */ static void build_certs(private_ike_cert_post_t *this, message_t *message) { peer_cfg_t *peer_cfg; + auth_payload_t *payload; + payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - if (peer_cfg && get_auth_class(peer_cfg) == AUTH_CLASS_PUBKEY) + if (!peer_cfg || !payload || payload->get_auth_method(payload) == AUTH_PSK) + { /* no CERT payload for EAP/PSK */ + return; + } + + switch (peer_cfg->get_cert_policy(peer_cfg)) { - switch (peer_cfg->get_cert_policy(peer_cfg)) + case CERT_NEVER_SEND: + break; + case CERT_SEND_IF_ASKED: + if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN)) + { + break; + } + /* FALL */ + case CERT_ALWAYS_SEND: { - case CERT_NEVER_SEND: + cert_payload_t *payload; + enumerator_t *enumerator; + certificate_t *cert; + auth_rule_t type; + auth_cfg_t *auth; + + auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); + + /* get subject cert first, then issuing certificates */ + cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (!cert) + { break; - case CERT_SEND_IF_ASKED: - if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN)) - { - break; - } - /* FALL */ - case CERT_ALWAYS_SEND: + } + payload = build_cert_payload(this, cert); + if (!payload) { - cert_payload_t *payload; - enumerator_t *enumerator; - certificate_t *cert; - auth_info_t *auth; - auth_item_t item; - - auth = this->ike_sa->get_my_auth(this->ike_sa); - /* get subject cert first, then issuing certificates */ - if (!auth->get_item(auth, AUTHZ_SUBJECT_CERT, (void**)&cert)) - { - break; - } - payload = build_cert_payload(this, cert); - if (!payload) - { - break; - } - DBG1(DBG_IKE, "sending end entity cert \"%D\"", - cert->get_subject(cert)); - 
message->add_payload(message, (payload_t*)payload); - - enumerator = auth->create_item_enumerator(auth); - while (enumerator->enumerate(enumerator, &item, &cert)) + break; + } + DBG1(DBG_IKE, "sending end entity cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &type, &cert)) + { + if (type == AUTH_RULE_IM_CERT) { - if (item == AUTHZ_IM_CERT) + payload = cert_payload_create_from_cert(cert); + if (payload) { - payload = cert_payload_create_from_cert(cert); - if (payload) - { - DBG1(DBG_IKE, "sending issuer cert \"%D\"", - cert->get_subject(cert)); - message->add_payload(message, (payload_t*)payload); - } + DBG1(DBG_IKE, "sending issuer cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); } } - enumerator->destroy(enumerator); - } - } + } + enumerator->destroy(enumerator); + } } } @@ -170,12 +170,9 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) */ static status_t build_i(private_ike_cert_post_t *this, message_t *message) { - if (message->get_exchange_type(message) == IKE_SA_INIT) - { - return NEED_MORE; - } build_certs(this, message); - return SUCCESS; + + return NEED_MORE; } /** @@ -191,11 +188,12 @@ static status_t process_r(private_ike_cert_post_t *this, message_t *message) */ static status_t build_r(private_ike_cert_post_t *this, message_t *message) { - if (message->get_exchange_type(message) == IKE_SA_INIT) - { + build_certs(this, message); + + if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED) + { /* stay alive, we might have additional rounds with certs */ return NEED_MORE; } - build_certs(this, message); return SUCCESS; } 
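Review bot: In the CERT_ALWAYS_SEND block, `cert_payload_t *payload;` shadows the `auth_payload_t *payload` declared at the top of build_certs, so one name covers two unrelated payload types inside the same function and -Wshadow will flag it. Renaming the outer variable keeps them apart: `auth_payload_t *auth_payload;`, `auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);` and `if (!peer_cfg || !auth_payload || auth_payload->get_auth_method(auth_payload) == AUTH_PSK)`. The early return's comment `/* no CERT payload for EAP/PSK */` would also read better if it said which test covers which case — presumably a missing AUTHENTICATION payload is the EAP case and AUTH_PSK the PSK case — because build_i and build_r in the following hunks now call build_certs unconditionally and this return is what keeps CERT payloads out of IKE_SA_INIT. The switch on get_cert_policy() has no default branch; an explicit `default: break;` would document that any other policy value sends nothing.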
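Review bot: build_i now calls build_certs for every exchange including IKE_SA_INIT, where the removed guard used to return early; this only works because build_certs bails out when the message carries no AUTHENTICATION payload, and that dependency is not written down anywhere. A comment above the call, e.g. `/* no-op until the AUTHENTICATION payload has been added to the message */`, would make it explicit; the build_certs call in build_r in the next hunk has the same dependency. build_i also returns NEED_MORE unconditionally now, so on the initiator side the task is only ever completed by process_i; the function's header comment (outside this hunk) should say so.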
@@ -204,8 +202,8 @@ static status_t build_r(private_ike_cert_post_t *this, message_t *message) */ static status_t process_i(private_ike_cert_post_t *this, message_t *message) { - if (message->get_exchange_type(message) == IKE_SA_INIT) - { + if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED) + { /* stay alive, we might have additional rounds with CERTS */ return NEED_MORE; } return SUCCESS; |
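Review bot: process_i now completes the task only once get_state() reports IKE_ESTABLISHED, which presumably requires the ike_auth task to have processed the same IKE_AUTH response before this task runs; if the task order ever put ike_cert_post first, this task would keep returning NEED_MORE. That ordering assumption deserves a comment on the check, e.g. `/* ike_auth has already processed this message and moved the SA to IKE_ESTABLISHED */`, with the wording confirmed against the task manager's processing order. build_r in the previous hunk relies on the same state test and the same comment applies there.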