authorMartin Willi <martin@revosec.ch>2010-05-21 09:48:23 +0200
committerMartin Willi <martin@revosec.ch>2010-05-21 16:25:51 +0200
commit8029e5efd2a264ff9c5c20e81e4c092c11a643eb (patch)
treee4f40bc654f29ffffd19ef33472e53f1003aaf58
parent654218a31b899976ae1788eb5820fc2656a37ab6 (diff)
downloadstrongswan-8029e5efd2a264ff9c5c20e81e4c092c11a643eb.tar.bz2
strongswan-8029e5efd2a264ff9c5c20e81e4c092c11a643eb.tar.xz
Added generic implementations for crl_is_newer/certificate_is_newer
-rw-r--r--src/libcharon/credentials/credential_manager.c10
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.c2
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.c22
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.h9
-rw-r--r--src/libstrongswan/credentials/certificates/crl.c28
-rw-r--r--src/libstrongswan/credentials/certificates/crl.h10
-rw-r--r--src/pluto/ac.c2
-rw-r--r--src/pluto/crl.c6
8 files changed, 78 insertions, 11 deletions
diff --git a/src/libcharon/credentials/credential_manager.c b/src/libcharon/credentials/credential_manager.c
index adea0b4be..f84c88bff 100644
--- a/src/libcharon/credentials/credential_manager.c
+++ b/src/libcharon/credentials/credential_manager.c
@@ -591,7 +591,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
}
/* select the better of the two responses */
- if (best == NULL || cand->is_newer(cand, best))
+ if (best == NULL || certificate_is_newer(cand, best))
{
DESTROY_IF(best);
best = cand;
@@ -812,7 +812,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
enumerator->destroy(enumerator);
/* select the better of the two CRLs */
- if (best == NULL || cand->is_newer(cand, best))
+ if (best == NULL || crl_is_newer(crl, (crl_t*)best))
{
DESTROY_IF(best);
best = cand;
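Review bot: The new condition passes `crl` as the candidate while the rest of the hunk still works in terms of `cand` (`best = cand;` on the following line); `crl` is declared above the hunk, so I cannot confirm from here that it is the crl_t view of the current `cand` rather than a value left over from an earlier iteration of the enumeration. Casting at the call site removes that dependency and matches the cast already used for `best`: `if (best == NULL || crl_is_newer((crl_t*)cand, (crl_t*)best))`. The same pattern appears in stroke_cred.c add_crl, where `crl_c` replaces `current` without the relation between the two being visible in the hunk. get_better_crl starts and ends outside this hunk.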
@@ -959,7 +959,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
if (!subject_constraint && !issuer_constraint)
{
- return TRUE;
+ return TRUE;
}
if (!subject_constraint)
{
@@ -969,7 +969,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
if (!issuer_constraint)
{
DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
- return FALSE;
+ return FALSE;
}
subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
@@ -996,7 +996,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
}
}
subject_enumerator->destroy(subject_enumerator);
- return contained;
+ return contained;
}
/**
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index e0a5210a9..68703d128 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -378,7 +378,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
}
if (found)
{
- new = cert->is_newer(cert, current);
+ new = crl_is_newer(crl, crl_c);
if (new)
{
this->certs->remove_at(this->certs, enumerator);
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 156d12358..661b69e36 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,6 +15,7 @@
#include "certificate.h"
+#include <debug.h>
#include <credentials/certificates/x509.h>
ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
@@ -40,3 +41,24 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
"REVOKED",
);
+/**
+ * See header
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other)
+{
+ time_t this_update, that_update;
+ char *type = "certificate";
+ bool newer;
+
+ if (this->get_type(this) == CERT_X509_CRL)
+ {
+ type = "crl";
+ }
+ this->get_validity(this, NULL, &this_update, NULL);
+ other->get_validity(other, NULL, &that_update, NULL);
+ newer = this_update > that_update;
+ DBG1(DBG_LIB, " %s from %T is %s - existing %s from %T %s",
+ type, &this_update, FALSE, newer ? "newer" : "not newer",
+ type, &that_update, FALSE, newer ? "replaced" : "retained");
+ return newer;
+}
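Review bot: certificate_is_newer declares `this_update` and `that_update` uninitialized and discards the bool returned by both `get_validity` calls, so the comparison at `newer = this_update > that_update;` is only well-defined if every certificate_t implementation unconditionally stores the not-before value; if that is not guaranteed, a lookup that fails leaves indeterminate time_t values deciding which certificate replaces a cached one. Initializing them, `time_t this_update = 0, that_update = 0;`, makes a missing value rank as oldest so the existing entry is retained. `char *type` points at string literals and should be `const char *type = "certificate";`. The "See header" comment and the `@return` line in certificate.h should also say what newer means here, namely a strictly later not-before / thisUpdate timestamp, with equal timestamps returning FALSE so the cached entry is kept, since callers in credential_manager.c and pluto rely on this to select CRLs and OCSP responses.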
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index a4f9aa3e0..e82fed15d 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -197,4 +197,13 @@ struct certificate_t {
void (*destroy)(certificate_t *this);
};
+/**
+ * Generic check if a given certificate is newer than another.
+ *
+ * @param this first certificate to check
+ * @param other second certificate
+ * @return TRUE if this newer than other
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other);
+
#endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 085ad16cc..69bd80b84 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,6 +16,8 @@
#include "crl.h"
+#include <debug.h>
+
ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
"unspecified",
"key compromise",
@@ -27,3 +29,29 @@ ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
"reason #7",
"remove from crl",
);
+
+/**
+ * Check if this CRL is newer
+ */
+bool crl_is_newer(crl_t *this, crl_t *other)
+{
+ chunk_t this_num, other_num;
+ bool newer;
+
+ this_num = this->get_serial(this);
+ other_num = other->get_serial(other);
+
+ /* compare crlNumbers if available - otherwise use generic cert compare */
+ if (this_num.ptr != NULL && other_num.ptr != NULL)
+ {
+ newer = chunk_compare(this_num, other_num) > 0;
+ DBG1(DBG_LIB, " crl #%#B is %s - existing crl #%#B %s",
+ &this_num, newer ? "newer" : "not newer",
+ &other_num, newer ? "replaced" : "retained");
+ }
+ else
+ {
+ newer = certificate_is_newer(&this->certificate, &other->certificate);
+ }
+ return newer;
+}
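Review bot: The doc comment `Check if this CRL is newer` should spell out the policy the body implements, namely that crlNumber is compared when both CRLs carry one, thisUpdate via certificate_is_newer otherwise, and that an equal crlNumber returns FALSE so the cached CRL is retained; the same belongs on the `@return` line in crl.h, since several callers now use this function to decide which CRL replaces a cached one. The ordering at `chunk_compare(this_num, other_num) > 0` only yields numeric order if chunk_compare ranks a shorter chunk below a longer one before comparing bytes and the serial content is minimal DER, which I cannot verify from this hunk; a non-minimal encoding with extra leading zero bytes would then sort above a numerically larger value, so a short comment stating that assumption, or stripping leading zeros before comparing, would be worthwhile. The crlNumber comparison is also only meaningful between CRLs of the same issuer, which the function leaves to its callers to establish.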
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 4b612390c..9425311fb 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -80,7 +80,15 @@ struct crl_t {
* @return enumerator over revoked certificates.
*/
enumerator_t* (*create_enumerator)(crl_t *this);
-
};
+/**
+ * Generic check if a given CRL is newer than another.
+ *
+ * @param this first CRL to check
+ * @param other second CRL
+ * @return TRUE if this newer than other
+ */
+bool crl_is_newer(crl_t *this, crl_t *other);
+
#endif /** CRL_H_ @}*/
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index 3ee05d213..3339d91fb 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -141,7 +141,7 @@ static void ac_add_cert(certificate_t *cert)
if (hIssuer->equals(hIssuer, ac_old->get_holderIssuer(ac_old)) &&
chunk_equals(hSerial, ac_old->get_holderSerial(ac_old)))
{
- if (cert->is_newer(cert, cert_old))
+ if (certificate_is_newer(cert, cert_old))
{
acerts->remove_at(acerts, enumerator);
cert_old->destroy(cert_old);
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 84fe77554..b28c7be12 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -159,7 +159,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
{
certificate_t *old_cert_crl = oldcrl->crl;
- if (cert_crl->is_newer(cert_crl, old_cert_crl))
+ if (crl_is_newer(x509crl->crl, oldcrl->crl))
{
/* keep any known CRL distribution points */
add_distribution_points(x509crl->distributionPoints,
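Review bot: The new call `crl_is_newer(x509crl->crl, oldcrl->crl)` passes two `certificate_t *` values to parameters declared `crl_t *` (`certificate_t *old_cert_crl = oldcrl->crl;` two lines above, and `certificate_t *cert_crl = x509crl->crl;` in the next hunk of this file), which the compiler only warns about; the other callers cast explicitly, e.g. `(crl_t*)best` in credential_manager.c. Suggest `if (crl_is_newer((crl_t*)x509crl->crl, (crl_t*)oldcrl->crl))`. `old_cert_crl` is no longer referenced within the hunk, so check whether it is still needed below. insert_crl continues outside the hunk.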
@@ -313,7 +313,7 @@ void check_crls(void)
certificate_t *cert_crl = x509crl->crl;
crl_t *crl = (crl_t*)cert_crl;
identification_t *issuer = cert_crl->get_issuer(cert_crl);
- chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
+ chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
time_left = nextUpdate - now;
@@ -353,7 +353,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
char *point;
ca = get_ca_info(issuer, authKeyID);
-
+
*revocationDate = UNDEFINED_TIME;
*revocationReason = CRL_REASON_UNSPECIFIED;