ikev2: Do not attempt to send a trust chain for CGA parameters

author Martin Willi <martin@revosec.ch>

Wed, 28 Jan 2015 16:28:57 +0000 (17:28 +0100)

committer Martin Willi <martin@revosec.ch>

Tue, 24 Feb 2015 16:13:57 +0000 (17:13 +0100)
author Martin Willi <martin@revosec.ch>
Wed, 28 Jan 2015 16:28:57 +0000 (17:28 +0100)
committer Martin Willi <martin@revosec.ch>
Tue, 24 Feb 2015 16:13:57 +0000 (17:13 +0100)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c

index 5a9e08de28a1a8a64725a440a09bf3f8fe71278c..d24679f0dad8ab8ac79f805323b9989eac905da6 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -126,7 +126,14 @@ static bool add_subject_cert(private_ike_cert_post_t *this, auth_cfg_t *auth,
         }
         DBG1(DBG_IKE, "sending end entity cert \"%Y\"", cert->get_subject(cert));
         message->add_payload(message, (payload_t*)payload);
-       return TRUE;
+       switch (cert->get_type(cert))
+       {
+               case CERT_CGA_PARAMS:
+                       /* do not send a trust chain */
+                       return FALSE;
+               default:
+                       return TRUE;
+       }
  }
  
  /**
author	Martin Willi <martin@revosec.ch>
	Wed, 28 Jan 2015 16:28:57 +0000 (17:28 +0100)
committer	Martin Willi <martin@revosec.ch>
	Tue, 24 Feb 2015 16:13:57 +0000 (17:13 +0100)