author | Martin Willi <martin@revosec.ch> | 2010-07-05 09:36:30 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-07-13 10:26:06 +0200 |
commit | 2ca7db1337f22d754955e6b2c4eafa1bd330991a (patch) | |
tree | 46e88d0915919f05681f4168869c9520426adcf3 | |
parent | 5db798c8e0534864412f6aa55b5ae6d2f82dcc7f (diff) | |
download | strongswan-2ca7db1337f22d754955e6b2c4eafa1bd330991a.tar.bz2 strongswan-2ca7db1337f22d754955e6b2c4eafa1bd330991a.tar.xz |
Move pathlen constraint checking to X509 specific checks
-rw-r--r-- | src/libcharon/credentials/credential_manager.c | 35 |
1 files changed, 18 insertions, 17 deletions
diff --git a/src/libcharon/credentials/credential_manager.c b/src/libcharon/credentials/credential_manager.c index 079af2da8..5714dc0b0 100644 --- a/src/libcharon/credentials/credential_manager.c +++ b/src/libcharon/credentials/credential_manager.c @@ -1009,7 +1009,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer) */ static bool check_certificate(private_credential_manager_t *this, certificate_t *subject, certificate_t *issuer, - bool online, auth_cfg_t *auth) + bool online, int pathlen, auth_cfg_t *auth) { time_t not_before, not_after; @@ -1028,10 +1028,25 @@ static bool check_certificate(private_credential_manager_t *this, if (issuer->get_type(issuer) == CERT_X509 && subject->get_type(subject) == CERT_X509) { + int pathlen_constraint; + x509_t *x509; + if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer)) { return FALSE; } + + /* check path length constraint */ + x509 = (x509_t*)issuer; + pathlen_constraint = x509->get_pathLenConstraint(x509); + if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen > pathlen_constraint) + { + DBG1(DBG_CFG, "path length of %d violates constraint of %d", + pathlen, pathlen_constraint); + return FALSE; + } + if (online) { DBG1(DBG_CFG, "checking certificate status of \"%Y\"", @@ -1130,9 +1145,8 @@ static bool verify_trust_chain(private_credential_manager_t *this, bool trusted, bool online) { certificate_t *current, *issuer; - x509_t *x509; auth_cfg_t *auth; - int pathlen, pathlen_constraint; + int pathlen; auth = auth_cfg_create(); current = subject->get_ref(subject); 
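Review bot: The new `pathlen` parameter of check_certificate (first hunk) is undocumented: the function's comment block ends on the `*/` context line just above the signature and nothing states what value the caller is expected to pass. The test `pathlen > pathlen_constraint` in the second hunk is only correct if pathlen counts the certificates that sit between issuer and the end-entity certificate, i.e. 0 when issuer directly signed the certificate under verification; how verify_trust_chain initialises and advances pathlen is outside these hunks, so that cannot be confirmed here. I would add `@param pathlen  number of intermediate certificates below issuer in the chain being verified (0 if issuer signed the end-entity certificate); compared against issuer's pathLenConstraint` to the comment block. Keeping the check inside the CERT_X509 branch and ahead of the online status lookup is the right order, since pathLenConstraint is an X509 extension and the cheap check now rejects an over-long chain before any revocation traffic is generated. check_certificate's body continues past the end of the second hunk.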
@@ -1180,26 +1194,13 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 break;
 }
 }
- if (!check_certificate(this, current, issuer, online,
+ if (!check_certificate(this, current, issuer, online, pathlen,
 current == subject ? auth : NULL))
 {
 trusted = FALSE;
 issuer->destroy(issuer);
 break;
 }
-
- /* check path length constraint */
- x509 = (x509_t*)issuer;
- pathlen_constraint = x509->get_pathLenConstraint(x509);
- if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
- pathlen > pathlen_constraint)
- {
- DBG1(DBG_CFG, "path length of %d violates constraint of %d",
- pathlen, pathlen_constraint);
- trusted = FALSE;
- issuer->destroy(issuer);
- break;
- }
 current->destroy(current);
 current = issuer;
 if (trusted) |