if (rr->get_type(rr) != RR_TYPE_IPSECKEY)
{
- DBG1(DBG_CFG, "unable to create an ipseckey out of a RR "
+ DBG1(DBG_CFG, "unable to create an ipseckey out of an RR "
"whose type is not IPSECKEY");
free(this);
return NULL;
case IPSECKEY_GW_TP_IPV4:
if (!reader->read_data(reader, 4, &this->gateway))
{
- DBG1(DBG_CFG, "ipseckey gateway field does not contain an IPv4 "
- "address as expected");
+ DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+ "IPv4 address as expected");
reader->destroy(reader);
free(this);
return NULL;
case IPSECKEY_GW_TP_IPV6:
if (!reader->read_data(reader, 16, &this->gateway))
{
- DBG1(DBG_CFG, "ipseckey gateway field does not contain an IPv6 "
- "address as expected");
+ DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+ "IPv6 address as expected");
reader->destroy(reader);
free(this);
return NULL;
* TODO: Currently we ignore wire encoded domain names.
*
*/
- while(reader->read_uint8(reader, &label) && label != 0 &&
- label < 192)
+ while (reader->read_uint8(reader, &label) &&
+ label != 0 && label < 192)
{
- if(!reader->read_data(reader, label, &tmp))
+ if (!reader->read_data(reader, label, &tmp))
{
- DBG1(DBG_CFG, "ipseckey gateway field: Wire encoded "
- "domain name has the wrong format");
+ DBG1(DBG_CFG, "wrong wire encoded domain name format "
+ "in ipseckey gateway field");
reader->destroy(reader);
free(this);
return NULL;
break;
default:
- DBG1(DBG_CFG, "ipseckey gateway field: Unable to parse the "
- "ipseckey gateway field. The gateway type field "
- "indicates an unknown gateway type");
+ DBG1(DBG_CFG, "unable to parse ipseckey gateway field");
reader->destroy(reader);
free(this);
return NULL;
if (!reader->read_data(reader, reader->remaining(reader),
&this->public_key))
{
- DBG1(DBG_CFG, "ipseckey public key field: Failure while reading "
- "the public key");
+ DBG1(DBG_CFG, "failed to read ipseckey public key field");
reader->destroy(reader);
chunk_free(&this->gateway);
free(this);
public_key_t * key = NULL;
bool supported_ipseckey_found = FALSE;
- DBG1(DBG_CFG, "ipseckey_cred: Enumerating over IPSECKEY certificates");
-
/* Get the next supported IPSECKEY using the inner enumerator. */
while (this->inner->enumerate(this->inner, &cur_rr) &&
!supported_ipseckey_found)
if (!cur_ipseckey)
{
- DBG1(DBG_CFG, "ipseckey_cred: Error while parsing an IPSECKEY. "
- "Skipping this key");
+ DBG1(DBG_CFG, "failed to parse ipseckey - skipping this key");
supported_ipseckey_found = FALSE;
}
if (cur_ipseckey &&
cur_ipseckey->get_algorithm(cur_ipseckey) != IPSECKEY_ALGORITHM_RSA)
{
- DBG1(DBG_CFG, "ipseckey_cred: Skipping an IPSECKEY which uses an "
- "unsupported algorithm");
+ DBG1(DBG_CFG, "unsupported ipseckey algorithm -skipping this key");
cur_ipseckey->destroy(cur_ipseckey);
supported_ipseckey_found = FALSE;
}
if (!key)
{
- DBG1(DBG_CFG, "ipseckey_cred: Failed to create a public key "
- "from the IPSECKEY");
+ DBG1(DBG_CFG, "failed to create public key from ipseckey");
cur_ipseckey->destroy(cur_ipseckey);
return FALSE;
}
if (0 >= asprintf(&fqdn, "%Y", id))
{
- DBG1(DBG_CFG, "ipseckey_cred: ID is empty");
+ DBG1(DBG_CFG, "empty FQDN string");
return enumerator_create_empty();
}
- DBG1(DBG_CFG, "ipseckey_cred: Performing a DNS query for the IPSECKEY "
- "RRs of the domain %s", fqdn);
-
+ DBG1(DBG_CFG, "performing a DNS query for IPSECKEY RRs of '%s'",
+ fqdn);
response = this->res->query(this->res, fqdn, RR_CLASS_IN,
RR_TYPE_IPSECKEY);
if (!response)
{
- DBG1(DBG_CFG, "ipseckey_cred: DNS query failed");
+ DBG1(DBG_CFG, " query for IPSECKEY RRs failed");
free(fqdn);
return enumerator_create_empty();
}
if (!response->has_data(response) ||
!response->query_name_exist(response))
{
- DBG1(DBG_CFG, "ipseckey_cred: Unable to retrieve IPSECKEY RRs "
- "for the domain %s from the DNS", fqdn);
+ DBG1(DBG_CFG, " unable to retrieve IPSECKEY RRs from the DNS");
response->destroy(response);
free(fqdn);
return enumerator_create_empty();
if (!(response->get_security_state(response) == SECURE))
{
- DBG1(DBG_CFG, "ipseckey_cred: DNSSEC security state of the "
- "IPSECKEY RRs of the domain %s is not SECURE "
- "as required", fqdn);
+ DBG1(DBG_CFG, " DNSSEC state of IPSECKEY RRs is not secure");
response->destroy(response);
free(fqdn);
return enumerator_create_empty();
/** Determine the validity period of the retrieved IPSECKEYs
*
* We use the "Signature Inception" and "Signature Expiration" field
- * of the RRSIG resource record to determine the validity period of the
- * IPSECKEY RRs.
+ * of the first RRSIG RR to determine the validity period of the
+ * IPSECKEY RRs. TODO: Take multiple RRSIGs into account.
*/
rrset = response->get_rr_set(response);
rrsig_enum = rrset->create_rrsig_enumerator(rrset);
- if (!rrsig_enum)
- {
- DBG1(DBG_CFG, "ipseckey_cred: Unable to determine the validity "
- "period of the RRs, because there are "
- "no RRSIGs present");
- response->destroy(response);
- return enumerator_create_empty();
- }
-
- /**
- * Currently we use the first RRSIG of the IPSECKEY RRset
- * to determine the validity period of the IPSECKEYs.
- * TODO: Take multiple RRSIGs into account.
- */
- if (!rrsig_enum->enumerate(rrsig_enum, &rrsig))
+ if (!rrsig_enum || !rrsig_enum->enumerate(rrsig_enum, &rrsig))
{
- DBG1(DBG_CFG, "ipseckey_cred: Unable to determine the validity "
- "period of the IPSECKEY RRs, because there are "
- "no RRSIGs present");
- rrsig_enum->destroy(rrsig_enum);
+ DBG1(DBG_CFG, " unable to determine the validity period of "
+ "IPSECKEY RRs because no RRSIGs are present");
+ DESTROY_IF(rrsig_enum);
response->destroy(response);
return enumerator_create_empty();
}
/**
- * Parse the RRSIG for its validity period.
- * For the format of a RRSIG see RFC 4034.
+ * Parse the RRSIG for its validity period (RFC 4034)
*/
reader = bio_reader_create(rrsig->get_rdata(rrsig));
reader->read_data(reader, 8, &ignore);
reader->read_uint32(reader, &nBefore);
reader->destroy(reader);
- /** Create and return an iterator over the retrieved IPSECKEYs */
+ /*Create and return an iterator over the retrieved IPSECKEYs */
INIT(e,
.public = {
.enumerate = (void*)_cert_enumerator_enumerate,
.destroy = _cert_enumerator_destroy,
},
.inner = response->get_rr_set(response)->create_rr_enumerator(
- response->get_rr_set(response)),
+ response->get_rr_set(response)),
.response = response,
.notBefore = nBefore,
.notAfter = nAfter,
projects / thirdparty / strongswan.git / commitdiff
