authorMartin Willi <martin@revosec.ch>2010-06-28 15:46:13 +0200
committerMartin Willi <martin@revosec.ch>2010-07-05 09:41:04 +0200
commit4172574bfbb358a77374b61ffc78fac687eab963 (patch)
treea80a873c4bb0b8a1ef1724141b418a1b9a7f4c5c
parent53913d764ec312895b4e0b96d8605625f0892886 (diff)
downloadstrongswan-4172574bfbb358a77374b61ffc78fac687eab963.tar.bz2
strongswan-4172574bfbb358a77374b61ffc78fac687eab963.tar.xz
Use the group constraint in a more generic fashion, not only for attribute certificates
-rw-r--r--src/libcharon/config/auth_cfg.c33
-rw-r--r--src/libcharon/config/auth_cfg.h4
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c7
-rw-r--r--src/libcharon/plugins/stroke/stroke_list.c2
-rw-r--r--src/libstrongswan/utils/identification.c4
-rw-r--r--src/libstrongswan/utils/identification.h5
6 files changed, 27 insertions, 28 deletions
diff --git a/src/libcharon/config/auth_cfg.c b/src/libcharon/config/auth_cfg.c
index 94362c756..6f249e89d 100644
--- a/src/libcharon/config/auth_cfg.c
+++ b/src/libcharon/config/auth_cfg.c
@@ -32,7 +32,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
"RULE_SUBJECT_CERT",
"RULE_CRL_VALIDATION",
"RULE_OCSP_VALIDATION",
- "RULE_AC_GROUP",
+ "RULE_GROUP",
"HELPER_IM_CERT",
"HELPER_SUBJECT_CERT",
"HELPER_IM_HASH_URL",
@@ -128,7 +128,7 @@ static void destroy_entry_value(entry_t *entry)
{
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
identification_t *id = (identification_t*)entry->value;
id->destroy(id);
@@ -185,7 +185,7 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
break;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
@@ -250,7 +250,7 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
return (void*)VALIDATION_FAILED;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
@@ -285,7 +285,7 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
break;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
@@ -459,13 +459,20 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
}
break;
}
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
- success = FALSE;
- if (log_error)
+ identification_t *id1, *id2;
+
+ id1 = (identification_t*)value;
+ id2 = get(this, t1);
+ if (!id2 || !id2->matches(id2, id1))
{
- DBG1(DBG_CFG, "constraint check %N not implemented!",
- auth_rule_names, t1);
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: membership to "
+ "group '%Y' required", id1);
+ }
}
break;
}
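Review bot: The new AUTH_RULE_GROUP check only ever looks at one of the subject's groups, because `id2 = get(this, t1)` yields a single value (get() at L52-L60 returns one `void*`; its body is only partly visible here), so a peer that holds several AUTH_RULE_GROUP entries is compared against whichever one get() returns first and a constraint naming any of its other groups is rejected. This fails closed — a denial, not a bypass — but it makes multi-group memberships unusable against a `rightgroups=` constraint, and nothing in the hunk documents the one-group assumption. The fix is to walk all of this's AUTH_RULE_GROUP entries and accept on the first `id2->matches(id2, id1)`; I assume the static `create_enumerator(this)` helper backing the public create_enumerator method used in stroke_list.c exists in this file — adjust if the rule enumerator is spelled differently. complies() starts before this hunk and the enclosing switch continues after it.
```c
case AUTH_RULE_GROUP:
{
	identification_t *id1, *id2;
	enumerator_t *groups;
	auth_rule_t t2;
	bool member = FALSE;

	id1 = (identification_t*)value;
	/* a subject may belong to several groups: the constraint is met
	 * if any of them matches the required (possibly wildcard) group */
	groups = create_enumerator(this);
	while (groups->enumerate(groups, &t2, &id2))
	{
		if (t2 == AUTH_RULE_GROUP && id2->matches(id2, id1))
		{
			member = TRUE;
			break;
		}
	}
	groups->destroy(groups);
	if (!member)
	{
		success = FALSE;
		if (log_error)
		{
			DBG1(DBG_CFG, "constraint check failed: membership to "
				 "group '%Y' required", id1);
		}
	}
	break;
}
```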
@@ -527,7 +534,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
}
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
identification_t *id = (identification_t*)value;
@@ -614,7 +621,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
}
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
identification_t *id1, *id2;
@@ -698,7 +705,7 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
{
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
identification_t *id = (identification_t*)entry->value;
clone->add(clone, entry->type, id->clone(id));
diff --git a/src/libcharon/config/auth_cfg.h b/src/libcharon/config/auth_cfg.h
index 5e6215a4a..6bee5fc5e 100644
--- a/src/libcharon/config/auth_cfg.h
+++ b/src/libcharon/config/auth_cfg.h
@@ -62,8 +62,8 @@ enum auth_rule_t {
AUTH_RULE_CRL_VALIDATION,
/** result of a OCSP validation, cert_validation_t */
AUTH_RULE_OCSP_VALIDATION,
- /** subject is in attribute certificate group, identification_t* */
- AUTH_RULE_AC_GROUP,
+ /** subject is member of a group, identification_t* */
+ AUTH_RULE_GROUP,
/** intermediate certificate, certificate_t* */
AUTH_HELPER_IM_CERT,
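Review bot: The new comment `subject is member of a group` documents only half of what the rule now means, since the complies() change in auth_cfg.c uses the same enum value for two roles: in an established auth_cfg it records a group the subject belongs to, while in a constraint set it names a group the subject must be a member of (compared with matches(), so presumably a pattern is allowed) and each constraint entry must be satisfied. A reader adding groups from a new source needs that distinction spelled out here. Suggest `/** group the subject is member of (established) or must be member of (constraint), identification_t* */`.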
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 41bf5d1a1..ded7ac4f5 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -413,7 +413,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
}
}
- /* AC groups */
+ /* groups */
if (end->groups)
{
enumerator_t *enumerator;
@@ -422,9 +422,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
enumerator = enumerator_create_token(end->groups, ",", " ");
while (enumerator->enumerate(enumerator, &group))
{
- identity = identification_create_from_encoding(ID_IETF_ATTR_STRING,
- chunk_create(group, strlen(group)));
- cfg->add(cfg, AUTH_RULE_AC_GROUP, identity);
+ cfg->add(cfg, AUTH_RULE_GROUP,
+ identification_create_from_string(group));
}
enumerator->destroy(enumerator);
}
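Review bot: `identification_create_from_string(group)` parses the token, so a group name is now typed by its spelling rather than taken verbatim as the removed ID_IETF_ATTR_STRING constructor did: a name containing '@' or '=' or shaped like an address would presumably become an RFC822/DN/IP identity, and `%any` an ID_ANY. Because complies() compares groups with `id2->matches(id2, id1)`, a group the membership side registers under a different id type will never match (fail-closed, so a surprising denial rather than a bypass), and an ID_ANY constraint may be satisfied by any group if matches() treats ID_ANY as a wildcard — I can't see matches() from here. Worth a comment above the add, `/* parsed like an identity: '@', '=' or address-like names change the id type, '%any' becomes ID_ANY */`, and a note in the ipsec.conf documentation for the groups keyword. build_auth_cfg() starts before this hunk.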
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 153828ae8..9981d45fc 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -373,7 +373,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
rules = auth->create_enumerator(auth);
while (rules->enumerate(rules, &rule, &id))
{
- if (rule == AUTH_RULE_AC_GROUP)
+ if (rule == AUTH_RULE_GROUP)
{
fprintf(out, "%12s: group: %Y\n", name, id);
}
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 6a3c3936c..3968b629b 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -50,8 +50,7 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
"ID_DER_ASN1_GN",
"ID_KEY_ID");
ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
- "ID_DER_ASN1_GN_URI"
- "ID_IETF_ATTR_STRING"
+ "ID_DER_ASN1_GN_URI",
"ID_MYID");
ENUM_END(id_type_names, ID_MYID);
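Review bot: The ENUM_NEXT range still spans ID_DER_ASN1_GN_URI (201) to ID_MYID (203) but now supplies only two names, so if the table is sized by last - first + 1 as the first/last arguments suggest, ID_MYID would read the unset third slot and print as a bare number (or NULL) under %N instead of "ID_MYID". The pre-patch lines had the same hole through the missing commas, so this is not a regression, but since the commit is the one removing value 202 it should close the gap by splitting the range into two contiguous ENUM_NEXT entries.
```c
ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_DER_ASN1_GN_URI, ID_KEY_ID,
	"ID_DER_ASN1_GN_URI");
ENUM_NEXT(id_type_names, ID_MYID, ID_MYID, ID_DER_ASN1_GN_URI,
	"ID_MYID");
ENUM_END(id_type_names, ID_MYID);
```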
@@ -761,7 +760,6 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
case ID_FQDN:
case ID_RFC822_ADDR:
case ID_DER_ASN1_GN_URI:
- case ID_IETF_ATTR_STRING:
chunk_printable(this->encoded, &proper, '?');
snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
chunk_free(&proper);
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index fe5c7d0fd..c463b0274 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -131,11 +131,6 @@ enum id_type_t {
ID_DER_ASN1_GN_URI = 201,
/**
- * IETF Attribute Syntax String (RFC 3281)
- */
- ID_IETF_ATTR_STRING = 202,
-
- /**
* Private ID used by the pluto daemon for opportunistic encryption
*/
ID_MYID = 203,