Set ri_id to reqid when setting user certificate
authorAdrian-Ken Rueegsegger <ken@codelabs.ch>
Mon, 17 Dec 2012 17:27:03 +0000 (18:27 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Mar 2013 14:23:49 +0000 (15:23 +0100)
Pass the reqid (of the first child config of an IKE SA) as remote identity id
when calling cc_set_user_certificate. May lead to the usage of the wrong id in
case an IKE SA has multiple child configurations/reqids.

This must be replaced with a proper lookup once the configuration backend is
implemented and provides remote identity ids to charon-tkm.

src/charon-tkm/src/tkm/tkm_listener.c

index cab9b4e..1ec8e12 100644 (file)
@@ -41,6 +41,32 @@ struct private_tkm_listener_t {
 };
 
 /**
+ * Return id of remote identity.
+ *
+ * TODO: Replace this with the lookup for the remote identitiy id.
+ *
+ * Currently the reqid of the first child SA in peer config of IKE SA is
+ * returned. Might choose wrong reqid if IKE SA has multiple child configs
+ * with different reqids.
+ *
+ * @param peer_cfg     Remote peer config
+ * @return                     remote identity id if found, 0 otherwise
+ */
+static ri_id_type get_remote_identity_id(peer_cfg_t *peer)
+{
+       ri_id_type remote_id = 0;
+       child_cfg_t *child;
+       enumerator_t* children = peer->create_child_cfg_enumerator(peer);
+
+       /* pick the reqid of the first child, no need to enumerate all children. */
+       children->enumerate(children, &child);
+       remote_id = child->get_reqid(child);
+       children->destroy(children);
+
+       return remote_id;
+}
+
+/**
  * Build a TKM certificate chain context with given cc id.
  *
  * @param ike_sa       IKE SA containing auth config to build certificate chain from
@@ -57,7 +83,7 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id)
        certificate_t *cert;
        enumerator_t *rounds;
        rounds = ike_sa->create_auth_cfg_enumerator((ike_sa_t *)ike_sa, FALSE);
-       while(rounds->enumerate(rounds, &auth))
+       while (rounds->enumerate(rounds, &auth))
        {
                cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
                if (cert)
@@ -71,11 +97,12 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id)
                                return FALSE;
                        }
 
+                       ri_id_type ri_id = get_remote_identity_id(ike_sa->get_peer_cfg((ike_sa_t *)ike_sa));
                        certificate_type user_cert;
                        chunk_to_sequence(&enc_user_cert, &user_cert,
                                                          sizeof(certificate_type));
                        chunk_free(&enc_user_cert);
-                       if (ike_cc_set_user_certificate(cc_id, 1, 1, user_cert) != TKM_OK)
+                       if (ike_cc_set_user_certificate(cc_id, ri_id, 1, user_cert) != TKM_OK)
                        {
                                DBG1(DBG_IKE, "error setting user certificate of cert chain"
                                         " (cc_id: %llu)", cc_id);