sql: Handle %any better when looking up shared secrets
authorTobias Brunner <tobias@strongswan.org>
Mon, 25 Feb 2019 09:30:59 +0000 (10:30 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 14 Mar 2019 12:55:58 +0000 (13:55 +0100)
This can be the case for IKEv1 since 419ae9a20a0b ("ikev1: Default remote
identity to %any for PSK lookup if not configured").

Closes strongswan/strongswan#128.

src/libcharon/plugins/sql/sql_cred.c

index 02608d1..f86252a 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2019 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -221,10 +221,10 @@ typedef struct {
        enumerator_t public;
        /** inner SQL enumerator */
        enumerator_t *inner;
-       /** own identity */
-       identification_t *me;
-       /** remote identity */
-       identification_t *other;
+       /** own identity is defined */
+       bool me_defined;
+       /** remote identity is defined */
+       bool other_defined;
        /** currently enumerated private key */
        shared_key_t *current;
 } shared_enumerator_t;
@@ -248,11 +248,11 @@ METHOD(enumerator_t, shared_enumerator_enumerate, bool,
                        *shared = this->current;
                        if (me)
                        {
-                               *me = this->me ? ID_MATCH_PERFECT : ID_MATCH_ANY;
+                               *me = this->me_defined ? ID_MATCH_PERFECT : ID_MATCH_ANY;
                        }
                        if (other)
                        {
-                               *other = this->other ? ID_MATCH_PERFECT : ID_MATCH_ANY;
+                               *other = this->other_defined ? ID_MATCH_PERFECT : ID_MATCH_ANY;
                        }
                        return TRUE;
                }
@@ -274,6 +274,10 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
           identification_t *me, identification_t *other)
 {
        shared_enumerator_t *e;
+       bool me_defined, other_defined;
+
+       me_defined = me && me->get_type(me) != ID_ANY;
+       other_defined = other && other->get_type(other) != ID_ANY;
 
        INIT(e,
                .public = {
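Review bot: The two flags computed at `me_defined = me && me->get_type(me) != ID_ANY;` and the line below deliberately collapse a NULL identity and an explicit %any into the same "unconstrained" case, but nothing in the hunk says so, and the struct comments introduced earlier in this diff ("own identity is defined") are equally silent; a reader of the enumerator will wonder why a caller that passes %any gets ID_MATCH_ANY rather than ID_MATCH_PERFECT back. I would add above the two assignments `/* %any is treated like an unspecified identity: it does not constrain the query below and the enumerator reports ID_MATCH_ANY for it */` and reword the struct comments to `/** own identity was given and is not %any */` and `/** remote identity was given and is not %any */`. The query that this feeds into is the broadest one (any secret of the requested type) when neither identity is defined, so the comment also makes the widened lookup visible to whoever audits the PSK selection path later. create_shared_enumerator begins before and continues past this hunk.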
@@ -281,10 +285,10 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
                        .venumerate = _shared_enumerator_enumerate,
                        .destroy = _shared_enumerator_destroy,
                },
-               .me = me,
-               .other = other,
+               .me_defined = me_defined,
+               .other_defined = other_defined,
        );
-       if (!me && !other)
+       if (!me_defined && !other_defined)
        {
                e->inner = this->db->query(this->db,
                                "SELECT s.type, s.data FROM shared_secrets AS s "
@@ -292,7 +296,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
                                DB_INT, type == SHARED_ANY, DB_INT, type,
                                DB_INT, DB_BLOB);
        }
-       else if (me && other)
+       else if (me_defined && other_defined)
        {
                e->inner = this->db->query(this->db,
                                "SELECT s.type, s.data FROM shared_secrets AS s "
@@ -309,7 +313,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
        }
        else
        {
-               identification_t *id = me ? me : other;
+               identification_t *id = me_defined ? me : other;
 
                e->inner = this->db->query(this->db,
                                "SELECT s.type, s.data FROM shared_secrets AS s "
@@ -469,4 +473,3 @@ sql_cred_t *sql_cred_create(database_t *db)
 
        return &this->public;
 }
-