"RULE_EAP_VENDOR",
"RULE_XAUTH_BACKEND",
"RULE_XAUTH_IDENTITY",
+ "AUTH_RULE_CA_IDENTITY",
"RULE_CA_CERT",
"RULE_IM_CERT",
"RULE_SUBJECT_CERT",
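Review bot: The new enum-name string `"AUTH_RULE_CA_IDENTITY"` does not follow the convention of the surrounding entries, which drop the `AUTH_` prefix (`"RULE_XAUTH_IDENTITY"`, `"RULE_CA_CERT"`); it should read `"RULE_CA_IDENTITY",` so log output that prints rule names stays uniform. Since these strings are indexed by enum value, the entry also has to sit at exactly the position the new enumerator takes in the `auth_rule_t` definition (not in view) — between XAUTH_IDENTITY and CA_CERT — otherwise every rule name after it is printed shifted by one.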
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_GROUP:
case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_RULE_CA_IDENTITY:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_CERT_POLICY:
case AUTH_RULE_XAUTH_BACKEND:
case AUTH_RULE_XAUTH_IDENTITY:
case AUTH_RULE_GROUP:
+ case AUTH_RULE_CA_IDENTITY:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
return c1->equals(c1, c2);
}
case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_CA_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_XAUTH_IDENTITY:
switch (entry->type)
{
case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_CA_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_GROUP:
entry->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_CA_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_XAUTH_BACKEND:
case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
return (void*)FALSE;
case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_CA_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_XAUTH_BACKEND:
enumerator_t *e1, *e2;
bool success = TRUE, group_match = FALSE;
bool ca_match = FALSE, cert_match = FALSE;
- identification_t *require_group = NULL;
- certificate_t *require_ca = NULL, *require_cert = NULL;
+ identification_t *require_group = NULL, *require_ca = NULL;
+ certificate_t *require_cert = NULL;
signature_params_t *ike_scheme = NULL, *scheme = NULL;
u_int strength = 0;
auth_rule_t t1, t2;
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
{
- certificate_t *cert;
+ certificate_t *cert, *ca;
/* for CA certs, a match of a single cert is sufficient */
- require_ca = (certificate_t*)value;
+ ca = (certificate_t*)value;
+ require_ca = ca->get_subject(ca);
+
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &cert))
+ {
+ if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
+ cert->equals(cert, ca))
+ {
+ ca_match = TRUE;
+ }
+ }
+ e2->destroy(e2);
+ break;
+ }
+ case AUTH_RULE_CA_IDENTITY:
+ {
+ certificate_t *cert;
+
+ require_ca = (identification_t*)value;
e2 = create_enumerator(this);
while (e2->enumerate(e2, &t2, &cert))
{
if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
- cert->equals(cert, require_ca))
+ cert->has_subject(cert, require_ca))
{
ca_match = TRUE;
}
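Review bot: In the new AUTH_RULE_CA_IDENTITY case the loop treats `cert->has_subject(cert, require_ca)` as a boolean, but has_subject returns an `id_match_t`, so any non-NONE result — a wildcard DN match, a `%any` identity, and in the X.509 implementation as far as I recall a subjectAltName match — is enough to set `ca_match`, which is looser than the exact certificate comparison the CA_CERT/IM_CERT case keeps. If the constraint is meant to pin one specific CA, compare against the best grade, `cert->has_subject(cert, require_ca) == ID_MATCH_PERFECT`; if graded matching is intended, say so above the case, e.g. `/* satisfied by any trusted CA/IM cert whose subject matches, wildcards included */`. Both cases also write the same `require_ca` and `ca_match`, so a config carrying both a CA cert and a CA identity constraint is satisfied when either one matches, and the failure log later in the function only names whichever constraint was enumerated last; a short comment would make that OR semantics explicit. The enclosing function continues outside the hunk.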
if (log_error)
{
DBG1(DBG_CFG, "constraint check failed: peer not "
- "authenticated by CA '%Y'",
- require_ca->get_subject(require_ca));
+ "authenticated by CA '%Y'", require_ca);
}
return FALSE;
}
break;
}
case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_CA_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_GROUP:
switch (type)
{
case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_CA_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_GROUP: