From: Reto Guadagnini
Date: Thu, 5 Jul 2012 10:17:49 +0000 (+0200)
Subject: ipseckey: Report IPSECKEYs with invalid DNSSEC security state
X-Git-Tag: 5.0.3dr2~2^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95650c0836beac729b159259c83c03750d3e6a62;p=thirdparty%2Fstrongswan.git
ipseckey: Report IPSECKEYs with invalid DNSSEC security state
---
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.c b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
index 9c4bc59500..53f30fedfe 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey_cred.c
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
@@ -172,8 +172,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 }
 if (!response->has_data(response) ||
- !response->query_name_exist(response) ||
- !(response->get_security_state(response) == SECURE) )
+ !response->query_name_exist(response))
 {
 DBG1(DBG_CFG, "ipseckey_cred: Unable to retrieve IPSECKEY RRs "
 "for the domain %s from the DNS", fqdn);
@@ -181,6 +180,17 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 free(fqdn);
 return enumerator_create_empty();
 }
+
+ if (!(response->get_security_state(response) == SECURE))
+ {
+ DBG1(DBG_CFG, "ipseckey_cred: DNSSEC security state of the "
+ "IPSECKEY RRs of the domain %s is not SECURE "
+ "as required", fqdn);
+ response->destroy(response);
+ free(fqdn);
+ return enumerator_create_empty();
+ }
+
+ free(fqdn);
 /** Determine the validity period of the retrieved IPSECKEYs
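Review bot: The DNSSEC state is tested only after `has_data()` and `query_name_exist()` have passed, so a response that fails validation and arrives without data would still be logged as "Unable to retrieve IPSECKEY RRs" and never reach the message added in the second hunk. Whether the resolver withholds data in that case is not visible in this diff, so it is worth confirming. If it does, test the state first by placing `if (response->get_security_state(response) != SECURE)` ahead of the `has_data`/`query_name_exist` check. Both paths return an empty enumerator, so this affects only what the operator sees in the log. The body of create_cert_enumerator starts and ends outside the hunk.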
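Review bot: The new DBG1 message in the second hunk says only that the state is not SECURE, so presumably different outcomes (an unsigned zone versus a failed signature validation) look identical in the log, and that difference matters for triage. Consider logging the returned value, e.g. `"as required (state %d)", fqdn, (int)response->get_security_state(response));`. The condition `!(… == SECURE)` also reads more directly as `response->get_security_state(response) != SECURE`. A one-line comment such as `/* fail closed: only DNSSEC-validated IPSECKEYs may be used as credentials */` above the check would record why the early return must stay.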