static policy_t *get_policy_by_ids(private_local_policy_store_t *this, identification_t *my_id, identification_t *other_id)
{
typedef enum {
- PRIO_UNDEFINED = 0x00,
+ PRIO_UNDEFINED = 0x00,
PRIO_ID_ANY = 0x01,
- PRIO_ID_WILDCARD = 0x02,
- PRIO_ID_MATCH = 0x04,
+ PRIO_ID_MATCH = PRIO_ID_ANY + MAX_WILDCARDS,
} prio_t;
prio_t best_prio = PRIO_UNDEFINED;
pthread_mutex_lock(&(this->mutex));
iterator = this->policies->create_iterator(this->policies, TRUE);
+
/* determine closest matching policy */
while (iterator->has_next(iterator))
{
identification_t *candidate_my_id;
identification_t *candidate_other_id;
+ int wildcards;
iterator->current(iterator, (void**)&candidate);
candidate_my_id = candidate->get_my_id(candidate);
candidate_other_id = candidate->get_other_id(candidate);
- /* my_id must match, or may be %any */
- if (candidate_my_id->belongs_to(candidate_my_id, my_id))
+ /* my_id is either %any or if set must match exactly */
+ if (candidate_my_id->matches(candidate_my_id, my_id, &wildcards))
{
prio_t prio = PRIO_UNDEFINED;
- /* exact match of id? */
- if (other_id->equals(other_id, candidate_other_id))
- {
- prio = PRIO_ID_MATCH;
- }
- /* match against any? */
- else if (candidate_other_id->get_type(candidate_other_id) == ID_ANY)
+ /* wildcard match for other_id */
+ if (other_id->matches(other_id, candidate_other_id, &wildcards))
{
- prio = PRIO_ID_ANY;
- }
- /* wildcard match? */
- else if (other_id->belongs_to(other_id, candidate_other_id))
- {
- prio = PRIO_ID_WILDCARD;
+ prio = PRIO_ID_MATCH - wildcards;
}
this->logger->log(this->logger, CONTROL|LEVEL2,
found = candidate;
best_prio = prio;
}
- if (prio == PRIO_ID_MATCH)
- {
- /* won't get better, stop searching */
- break;
- }
}
}
iterator->destroy(iterator);
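Review bot: The wildcard count written by `candidate_my_id->matches(candidate_my_id, my_id, &wildcards)` is overwritten by the other_id match a few lines later, so `prio = PRIO_ID_MATCH - wildcards;` ranks candidates on other_id wildcards only and a policy whose my_id is %any scores the same as one whose my_id matches exactly. If that is deliberate, state it above the assignment, e.g. `/* only other_id wildcards lower the priority; my_id is %any or an exact match */`; otherwise keep the first count separately, e.g. `int my_wildcards, other_wildcards;` and `prio = PRIO_ID_MATCH - my_wildcards - other_wildcards;`, with the enum range widened so the result cannot fall below PRIO_ID_ANY. The subtraction also assumes matches() never reports more than MAX_WILDCARDS; a larger count would push prio to PRIO_UNDEFINED or below while the candidate is still compared against best_prio, so an assertion or a clamp to PRIO_ID_ANY at that line would make the invariant explicit. The comparison against best_prio and the rest of the loop body are collapsed out of the hunk, so this is read from the visible lines only.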
else
{
this->logger->log(this->logger, ERROR,
- "could not find my certificate, certificate payload ommited");
+ "could not find my certificate, certificate payload omitted");
}
}
}
/**
- * Handle all kind of notifys
+ * Handle all kind of notifies
*/
-static status_t process_notifys(private_ike_auth_t *this, notify_payload_t *notify_payload)
+static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *notify_payload)
{
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
switch (notify_type)
{
- /* these notifys are not critical. no child_sa is built, but IKE stays alive */
+ /* these notifies are not critical. no child_sa is built, but IKE stays alive */
case SINGLE_PAIR_REQUIRED:
{
this->logger->log(this->logger, AUDIT,
if (list)
{
traffic_selector_t *ts;
+
while (list->remove_last(list, (void**)&ts) == SUCCESS)
{
ts->destroy(ts);
break;
case NOTIFY:
{
- status = process_notifys(this, (notify_payload_t*)payload);
+ status = process_notifies(this, (notify_payload_t*)payload);
if (status == FAILED)
{
payloads->destroy(payloads);
if (cert == NULL)
{
this->logger->log(this->logger, ERROR,
- "could not find my certificate, cert payload ommited");
+ "could not find my certificate, cert payload omitted");
}
cert_payload = cert_payload_create_from_x509(cert);
response->add_payload(response, (payload_t *)cert_payload);
break;
case NOTIFY:
{
- status = process_notifys(this, (notify_payload_t*)payload);
+ status = process_notifies(this, (notify_payload_t*)payload);
if (status == FAILED)
{
payloads->destroy(payloads);
{ /* process idr payload */
identification_t *configured_other_id;
+ int wildcards;
other_id = idr_payload->get_identification(idr_payload);
configured_other_id = this->policy->get_other_id(this->policy);
- if (!other_id->belongs_to(other_id, configured_other_id))
+ if (!other_id->matches(other_id, configured_other_id, &wildcards))
{
other_id->destroy(other_id);
this->logger->log(this->logger, AUDIT,