/* compare two struct id values, DNs can contain wildcards */
bool match_id(const struct id *a, const struct id *b, int *wildcards)
{
bool match;
if (b->kind == ID_NONE) {
*wildcards = MAX_WILDCARDS;
match = TRUE;
} else if (a->kind != b->kind) {
match = FALSE;
} else if (a->kind == ID_DER_ASN1_DN) {
match = match_dn(a->name, b->name, wildcards);
} else {
*wildcards = 0;
match = same_id(a, b);
}
DBG(DBG_CONTROLMORE, {
char abuf[IDTOA_BUF];
char bbuf[IDTOA_BUF];
idtoa(a, abuf, IDTOA_BUF);
idtoa(b, bbuf, IDTOA_BUF);
DBG_log(" match_id a=%s", abuf);
DBG_log(" b=%s", bbuf);
DBG_log(" results %s", match ? "matched" : "fail");
});
stf_status
ikev2_verify_rsa_sha1(struct state *st
, enum phase1_role role
, unsigned char *idhash
, const struct pubkey_list *keys_from_dns
, const struct gw_info *gateways_from_dns
, pb_stream *sig_pbs)
{
struct pubkey_list *p, **pp;
struct connection *c = st->st_connection;
int pathlen;
pp = &pluto_pubkeys;
{
DBG(DBG_CONTROL,
char buf[IDTOA_BUF];
dntoa_or_null(buf, IDTOA_BUF, c->spd.that.ca, "%any");
DBG_log("ikev2 verify required CA is '%s'", buf));
}
{
time_t n;
n = 1438262454; /* Thu Jul 30 09:21:01 EDT 2015 in seconds */
list_certs(n);
}
for (p = pluto_pubkeys; p != NULL; p = *pp)
{
char keyname[IDTOA_BUF];
struct pubkey *key = p->key;
pp = &p->next;
idtoa(&key->id, keyname, IDTOA_BUF);
DBG_log("checking alg=%d == %d, keyid=%s same_id=%u\n"
, key->alg, PUBKEY_ALG_RSA
, keyname
, same_id(&st->ikev2.st_peer_id, &key->id));
if (key->alg == PUBKEY_ALG_RSA
&& same_id(&st->ikev2.st_peer_id, &key->id)
&& trusted_ca(key->issuer, c->spd.that.ca, &pathlen))
{
time_t tnow;
DBG(DBG_CONTROL,
char buf[IDTOA_BUF];
dntoa_or_null(buf, IDTOA_BUF, key->issuer, "%any");
DBG_log("key issuer CA is '%s'", buf));
/* check if found public key has expired */
time(&tnow);
if (key->until_time != UNDEFINED_TIME && key->until_time < tnow)
{
loglog(RC_LOG_SERIOUS,
"cached RSA public key has expired and has been deleted");
*pp = free_public_keyentry(p);
continue; /* continue with next public key */
}
return STF_OK;
}
}