diff options
Diffstat (limited to 'src/libstrongswan/credentials/credential_manager.c')
| -rw-r--r-- | src/libstrongswan/credentials/credential_manager.c | 43 |
1 files changed, 27 insertions, 16 deletions
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 46c36c941..97e8d8887 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -157,8 +157,10 @@ static enumerator_t *create_sets_enumerator(private_credential_manager_t *this) linked_list_t *local; INIT(enumerator, - .public.enumerate = (void*)_sets_enumerate, - .public.destroy = _sets_destroy, + .public = { + .enumerate = (void*)_sets_enumerate, + .destroy = _sets_destroy, + }, .global = this->sets->create_enumerator(this->sets), ); local = this->local_sets->get(this->local_sets); @@ -822,7 +824,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*, } /** - * Check if a certificate's keyid is contained in the auth helper + * Check if an helper contains a certificate as trust anchor */ static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert) { @@ -854,17 +856,10 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this, certificate_t *issuer, *current; auth_cfg_t *trustchain; int pathlen = 0; + bool has_anchor; trustchain = auth_cfg_create(); - - current = auth->get(auth, AUTH_RULE_CA_CERT); - if (!current) - { - /* no trust anchor specified, return this cert only */ - trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, - subject->get_ref(subject)); - return trustchain; - } + has_anchor = auth->get(auth, AUTH_RULE_CA_CERT) != NULL; current = subject->get_ref(subject); while (TRUE) { @@ -879,17 +874,33 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this, } else { + if (!has_anchor && + this->cache->issued_by(this->cache, current, current)) + { /* If no trust anchor specified, accept any CA */ + trustchain->add(trustchain, AUTH_RULE_CA_CERT, current); + return trustchain; + } trustchain->add(trustchain, AUTH_RULE_IM_CERT, current); } + if (pathlen++ > MAX_TRUST_PATH_LEN) + { + break; + } issuer = get_issuer_cert(this, current, FALSE); - if (!issuer || issuer->equals(issuer, current) || - pathlen > MAX_TRUST_PATH_LEN) + if (!issuer) { - DESTROY_IF(issuer); + if (!has_anchor) + { /* If no trust anchor specified, accept incomplete chains */ + return trustchain; + } + break; + } + if (has_anchor && issuer->equals(issuer, current)) + { + issuer->destroy(issuer); break; } current = issuer; - pathlen++; } trustchain->destroy(trustchain); return NULL; |