From: Martin Willi
Date: Tue, 10 Jul 2012 15:15:28 +0000 (+0200)
Subject: Send cert request based on peers configured authentication class
X-Git-Tag: 5.0.1~448
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07836f559def3a2ee5d7678ed876b135bdfa16d3;p=thirdparty%2Fstrongswan.git

Send cert request based on peers configured authentication class
---
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
index ea5da4ebc6..a40bdf176b 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
@@ -335,6 +335,34 @@ static bool use_certs(private_isakmp_cert_pre_t *this, message_t *message)
 return use;
 }
 
+/**
+ * Check if we should send a certificate request
+ */
+static bool send_certreq(private_isakmp_cert_pre_t *this)
+{
+ enumerator_t *enumerator;
+ peer_cfg_t *peer_cfg;
+ auth_cfg_t *auth;
+ bool req = FALSE;
+ auth_class_t class;
+
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (peer_cfg)
+ {
+ enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
+ if (enumerator->enumerate(enumerator, &auth))
+ {
+ class = (intptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
+ if (class == AUTH_CLASS_PUBKEY)
+ {
+ req = TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ return req;
+}
+
 METHOD(task_t, build_i, status_t,
 private_isakmp_cert_pre_t *this, message_t *message)
 {
@@ -349,11 +377,10 @@ METHOD(task_t, build_i, status_t,
 case AGGRESSIVE:
 if (this->state == CR_SA)
 {
- if (!use_certs(this, message))
+ if (send_certreq(this))
 {
- return SUCCESS;
+ build_certreqs(this, message);
 }
- build_certreqs(this, message);
 }
 return NEED_MORE;
 default:
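Review bot: The doc comment on `send_certreq()` does not state the decision rule, which is the security-relevant part of this helper. As written it inspects only the first entry returned by `create_auth_cfg_enumerator(peer_cfg, FALSE)`, answers TRUE only when `AUTH_RULE_AUTH_CLASS` equals `AUTH_CLASS_PUBKEY`, and answers FALSE when no peer config is attached to the IKE_SA. I would expand the comment to something like `Request a certificate only if the first auth round configured for the peer uses public key authentication; FALSE without a peer config`. What `auth->get()` yields when no class is configured is not visible in this hunk, so it is worth confirming that such a config is meant to suppress the request.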
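Review bot: Dropping the early `return SUCCESS;` changes the task result as well as the payload: in the `CR_SA` branch of `case AGGRESSIVE:` the function now always reaches `return NEED_MORE;`, even when `send_certreq()` is false. If that is intended, a short comment above the `if`, for example `/* no certreq for non-pubkey peers, task stays active for the response */`, would stop the next reader mistaking it for a lost early exit. The decision also moves from the negotiated message (`use_certs(this, message)`) to local configuration alone. The remaining cases of the switch in `build_i` lie outside this hunk, so please confirm they gate `build_certreqs()` the same way.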