preparations to include certreqs in policy decisions
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 31 Oct 2006 07:04:15 +0000 (07:04 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 31 Oct 2006 07:04:15 +0000 (07:04 -0000)
src/charon/config/policies/local_policy_store.c
src/charon/config/policies/policy_store.h
src/charon/sa/ike_sa.c
src/charon/sa/transactions/create_child_sa.c
src/charon/sa/transactions/ike_auth.c

index a4b53c5..32b0154 100644 (file)
@@ -92,7 +92,8 @@ static bool contains_traffic_selectors(policy_t *policy, bool mine,
 static policy_t *get_policy(private_local_policy_store_t *this, 
                                                        identification_t *my_id, identification_t *other_id,
                                                    linked_list_t *my_ts, linked_list_t *other_ts,
-                                                   host_t *my_host, host_t *other_host)
+                                                   host_t *my_host, host_t *other_host,
+                                                       linked_list_t *requested_ca_keyids)
 {
        typedef enum {
                PRIO_UNDEFINED =        0x00,
@@ -253,12 +254,13 @@ local_policy_store_t *local_policy_store_create(void)
 {
        private_local_policy_store_t *this = malloc_thing(private_local_policy_store_t);
        
-       this->public.policy_store.add_policy = (void(*)(policy_store_t*,policy_t*))add_policy;
-       this->public.policy_store.get_policy = (policy_t*(*)(policy_store_t*,identification_t*,identification_t*,linked_list_t*,linked_list_t*,host_t*,host_t*))get_policy;
-       this->public.policy_store.get_policy_by_name = (policy_t*(*)(policy_store_t*,char*))get_policy_by_name;
-       this->public.policy_store.delete_policy = (status_t(*)(policy_store_t*,char*))delete_policy;
-       this->public.policy_store.create_iterator = (iterator_t*(*)(policy_store_t*))create_iterator;
-       this->public.policy_store.destroy = (void(*)(policy_store_t*))destroy;
+       this->public.policy_store.add_policy = (void (*) (policy_store_t*,policy_t*))add_policy;
+       this->public.policy_store.get_policy = (policy_t* (*) (policy_store_t*,identification_t*,identification_t*,
+                                                                                       linked_list_t*,linked_list_t*,host_t*,host_t*,linked_list_t*))get_policy;
+       this->public.policy_store.get_policy_by_name = (policy_t* (*) (policy_store_t*,char*))get_policy_by_name;
+       this->public.policy_store.delete_policy = (status_t (*) (policy_store_t*,char*))delete_policy;
+       this->public.policy_store.create_iterator = (iterator_t* (*) (policy_store_t*))create_iterator;
+       this->public.policy_store.destroy = (void (*) (policy_store_t*))destroy;
        
        /* private variables */
        this->policies = linked_list_create();
index 4796908..b89bbab 100755 (executable)
@@ -49,13 +49,14 @@ struct policy_store_t {
         * other_id must be fully qualified. my_id may be %any, as the
         * other peer may not include an IDr Request.
         *
-        * @param this                  calling object
-        * @param my_id                 own ID of the policy
-        * @param other_id              others ID of the policy
-        * @param my_ts                 traffic selectors requested for local host
-        * @param other_ts              traffic selectors requested for remote host
-        * @param my_host               host to use for wilcards in TS compare
-        * @param other_host    host to use for wildcards in TS compare
+        * @param this                                  calling object
+        * @param my_id                                 own ID of the policy
+        * @param other_id                              others ID of the policy
+        * @param my_ts                                 traffic selectors requested for local host
+        * @param other_ts                              traffic selectors requested for remote host
+        * @param my_host                               host to use for wilcards in TS compare
+        * @param other_host                    host to use for wildcards in TS compare
+        * @param requested_ca_keyids   list of requested CA keyids
         * @return
         *                                              - matching policy_t, if found
         *                                              - NULL otherwise
@@ -63,7 +64,8 @@ struct policy_store_t {
        policy_t *(*get_policy) (policy_store_t *this, 
                                                         identification_t *my_id, identification_t *other_id,
                                                         linked_list_t *my_ts, linked_list_t *other_ts,
-                                                        host_t *my_host, host_t* other_host);
+                                                        host_t *my_host, host_t* other_host,
+                                                        linked_list_t *requested_ca_keyids);
 
        /**
         * @brief Returns a policy identified by a connection name.
index def5ecb..2ac59b2 100644 (file)
@@ -450,7 +450,8 @@ static void dpd_detected(private_ike_sa_t *this)
                policy = charon->policies->get_policy(charon->policies,
                                                                                          this->my_id, this->other_id,
                                                                                          my_ts, other_ts,
-                                                                                         this->my_host, this->other_host);
+                                                                                         this->my_host, this->other_host,
+                                                                                         NULL);
                if (policy == NULL)
                {
                        DBG1(DBG_IKE, "no policy for CHILD to handle DPD");
@@ -993,7 +994,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
        policy = charon->policies->get_policy(charon->policies, 
                                                                                  this->my_id, this->other_id, 
                                                                                  my_ts, other_ts, 
-                                                                                 this->my_host, this->other_host);
+                                                                                 this->my_host, this->other_host,
+                                                                                 NULL);
        if (policy == NULL)
        {
                SIG(CHILD_UP_START, "acquiring CHILD_SA with reqid %d", reqid);
index c04fd11..60d316f 100644 (file)
@@ -261,7 +261,8 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
                        this->policy = charon->policies->get_policy(charon->policies,
                                                                                                                my_id, other_id,
                                                                                                                my_ts, other_ts,
-                                                                                                           me, other);
+                                                                                                           me, other,
+                                                                                                               NULL);
                        
                        this->reqid = this->rekeyed_sa->get_reqid(this->rekeyed_sa);
                        
@@ -635,7 +636,8 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
                this->policy = charon->policies->get_policy(charon->policies,
                                                                                                        my_id, other_id,
                                                                                                        my_ts, other_ts,
-                                                                                                   me, other);
+                                                                                                   me, other,
+                                                                                                       NULL);
                if (this->policy)
                {
                        this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);
index b09b703..5fd64e7 100644 (file)
@@ -421,9 +421,11 @@ static void build_notify(notify_type_t type, message_t *message, bool flush_mess
 /**
  * Import certificate requests from a certreq payload
  */
-static void import_certificate_request(certreq_payload_t *certreq_payload)
+static void add_certificate_request(certreq_payload_t *certreq_payload,
+                                                                       linked_list_t *requested_ca_keyids)
 {
        chunk_t keyids;
+
        cert_encoding_t encoding = certreq_payload->get_cert_encoding(certreq_payload);
 
        if (encoding != CERT_X509_SIGNATURE)
@@ -441,9 +443,14 @@ static void import_certificate_request(certreq_payload_t *certreq_payload)
                x509_t *cacert = charon->credentials->get_ca_certificate_by_keyid(charon->credentials, keyid);
 
                if (cacert)
+               {
                        DBG2(DBG_IKE, "request for certificate issued by ca '%D'", cacert->get_subject(cacert));
+                       requested_ca_keyids->insert_last(requested_ca_keyids, (void *)&keyid);
+               }
                else
+               {
                        DBG2(DBG_IKE, "request for certificate issued by unknown ca");
+               }
                DBG2(DBG_IKE, "  with keyid %#B", &keyid);
 
                keyids.ptr += HASH_SIZE_SHA1;
@@ -550,6 +557,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
 {
        host_t *me, *other;
        identification_t *my_id, *other_id;
+       linked_list_t *requested_ca_keyids;
        message_t *response;
        status_t status;
        iterator_t *payloads;
@@ -596,6 +604,9 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
                return DESTROY_ME;
        }
        
+       /* initialize list of requested ca keyids */
+       requested_ca_keyids = linked_list_create();
+
        /* Iterate over all payloads. */
        payloads = request->get_payload_iterator(request);
        while (payloads->iterate(payloads, (void**)&payload))
@@ -613,6 +624,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
                                break;
                        case CERTIFICATE_REQUEST:
                                certreq_request = (certreq_payload_t*)payload;
+                               add_certificate_request(certreq_request, requested_ca_keyids);
                                break;
                        case CERTIFICATE:
                                cert_request = (cert_payload_t*)payload;
@@ -632,12 +644,14 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
                                if (status == FAILED)
                                {
                                        payloads->destroy(payloads);
+                                       requested_ca_keyids->destroy(requested_ca_keyids);
                                        /* we return SUCCESS, returned FAILED means do next transaction */
                                        return SUCCESS;
                                }
                                if (status == DESTROY_ME)
                                {
                                        payloads->destroy(payloads);
+                                       requested_ca_keyids->destroy(requested_ca_keyids);
                                        SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
                                        return DESTROY_ME;
                                }
@@ -659,6 +673,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
                build_notify(INVALID_SYNTAX, response, TRUE);
                SIG(IKE_UP_FAILED, "request message incomplete, deleting IKE_SA");
                SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
+               requested_ca_keyids->destroy(requested_ca_keyids);
                return DESTROY_ME;
        }
        
@@ -674,10 +689,6 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
                }
        }
        
-       if (certreq_request)
-       {       /* process certificate request payload */
-               import_certificate_request(certreq_request);
-       }
 
        {       /* get a policy and process traffic selectors */
                linked_list_t *my_ts, *other_ts;
@@ -688,7 +699,10 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
                this->policy = charon->policies->get_policy(charon->policies,
                                                                                                        my_id, other_id,
                                                                                                        my_ts, other_ts,
-                                                                                                   me, other);
+                                                                                                   me, other,
+                                                                                                       requested_ca_keyids);
+               requested_ca_keyids->destroy(requested_ca_keyids);
+
                if (this->policy)
                {
                        this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);