author | Martin Willi <martin@revosec.ch> | 2010-05-21 09:48:23 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-05-21 16:25:51 +0200 |
commit | 8029e5efd2a264ff9c5c20e81e4c092c11a643eb (patch) | |
tree | e4f40bc654f29ffffd19ef33472e53f1003aaf58 | |
parent | 654218a31b899976ae1788eb5820fc2656a37ab6 (diff) | |
download | strongswan-8029e5efd2a264ff9c5c20e81e4c092c11a643eb.tar.bz2 strongswan-8029e5efd2a264ff9c5c20e81e4c092c11a643eb.tar.xz |
Added generic implementations for crl_is_newer/certificate_is_newer
-rw-r--r-- | src/libcharon/credentials/credential_manager.c | 10 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_cred.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/certificate.c | 22 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/certificate.h | 9 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/crl.c | 28 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/crl.h | 10 | ||||
-rw-r--r-- | src/pluto/ac.c | 2 | ||||
-rw-r--r-- | src/pluto/crl.c | 6 |
8 files changed, 78 insertions, 11 deletions
diff --git a/src/libcharon/credentials/credential_manager.c b/src/libcharon/credentials/credential_manager.c
index adea0b4be..f84c88bff 100644
--- a/src/libcharon/credentials/credential_manager.c
+++ b/src/libcharon/credentials/credential_manager.c
@@ -591,7 +591,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
 }
 /* select the better of the two responses */
- if (best == NULL || cand->is_newer(cand, best))
+ if (best == NULL || certificate_is_newer(cand, best))
 {
 DESTROY_IF(best);
 best = cand;
@@ -812,7 +812,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
 enumerator->destroy(enumerator);
 /* select the better of the two CRLs */
- if (best == NULL || cand->is_newer(cand, best))
+ if (best == NULL || crl_is_newer(crl, (crl_t*)best))
 {
 DESTROY_IF(best);
 best = cand;
@@ -959,7 +959,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
 if (!subject_constraint && !issuer_constraint)
 {
- return TRUE;
+ return TRUE;
 }
 if (!subject_constraint)
 {
@@ -969,7 +969,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
 if (!issuer_constraint)
 {
 DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
- return FALSE;
+ return FALSE;
 }
 subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
 while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
@@ -996,7 +996,7 @@ static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
 }
 }
 subject_enumerator->destroy(subject_enumerator);
- return contained;
+ return contained;
 }
 /**
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index e0a5210a9..68703d128 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
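Review bot: In the get_better_crl hunk, `crl_is_newer(crl, (crl_t*)best)` now decides by crlNumber first (per the new crl.c), and crlNumber is only ordered within one CRL scope — same issuer, and base versus delta CRL — so this selection is sound only if the caller has already established that `cand` and `best` cover the same scope; that check, like the declaration of the `crl` local (presumably `(crl_t*)cand`), is outside the hunk. I would make the pairing explicit where the cast happens, `crl_t *best_crl = (crl_t*)best;` with a comment `/* both candidates are CRLs of the same issuer, see lookup above */`, or add a `best->get_type(best) == CERT_X509_CRL` guard if that is not guaranteed. The three indentation-only hunks in check_ip_addr_block_constraints are unrelated to the subject line and would be easier to audit as a separate whitespace commit.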
@@ -378,7 +378,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 }
 if (found)
 {
- new = cert->is_newer(cert, current);
+ new = crl_is_newer(crl, crl_c);
 if (new)
 {
 this->certs->remove_at(this->certs, enumerator);
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 156d12358..661b69e36 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,6 +15,7 @@
 #include "certificate.h"
+#include <debug.h>
 #include <credentials/certificates/x509.h>
 ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
@@ -40,3 +41,24 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
 "REVOKED",
 );
+/**
+ * See header
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other)
+{
+ time_t this_update, that_update;
+ char *type = "certificate";
+ bool newer;
+
+ if (this->get_type(this) == CERT_X509_CRL)
+ {
+ type = "crl";
+ }
+ this->get_validity(this, NULL, &this_update, NULL);
+ other->get_validity(other, NULL, &that_update, NULL);
+ newer = this_update > that_update;
+ DBG1(DBG_LIB, " %s from %T is %s - existing %s from %T %s",
+ type, &this_update, FALSE, newer ? "newer" : "not newer",
+ type, &that_update, FALSE, newer ? "replaced" : "retained");
+ return newer;
+}
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index a4f9aa3e0..e82fed15d 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
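Review bot: In certificate_is_newer, `time_t this_update, that_update;` are read after two get_validity calls whose out-parameter contract is not visible here; if any certificate_t implementation can leave them untouched, the comparison reads uninitialized stack and the log prints garbage times, so I would write `time_t this_update = 0, that_update = 0;` and not rely on every backend writing both. The log label only distinguishes CERT_X509_CRL, so the OCSP responses now compared through this function in get_better_ocsp (same commit) are reported as "certificate from ... is newer", which is misleading when reading revocation logs; deriving the label from the `certificate_type_names` enum defined just above would cover every type without a hand-written string per case. `char *type = "certificate";` should also be `const char *type`, since it only ever points at string literals.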
@@ -197,4 +197,13 @@ struct certificate_t {
 void (*destroy)(certificate_t *this);
 };
+/**
+ * Generic check if a given certificate is newer than another.
+ *
+ * @param this first certificate to check
+ * @param other second certificate
+ * @return TRUE if this newer than other
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other);
+
 #endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 085ad16cc..69bd80b84 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,6 +16,8 @@
 #include "crl.h"
+#include <debug.h>
+
 ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 "unspecified",
 "key compromise",
@@ -27,3 +29,29 @@ ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 "reason #7",
 "remove from crl",
 );
+
+/**
+ * Check if this CRL is newer
+ */
+bool crl_is_newer(crl_t *this, crl_t *other)
+{
+ chunk_t this_num, other_num;
+ bool newer;
+
+ this_num = this->get_serial(this);
+ other_num = other->get_serial(other);
+
+ /* compare crlNumbers if available - otherwise use generic cert compare */
+ if (this_num.ptr != NULL && other_num.ptr != NULL)
+ {
+ newer = chunk_compare(this_num, other_num) > 0;
+ DBG1(DBG_LIB, " crl #%#B is %s - existing crl #%#B %s",
+ &this_num, newer ? "newer" : "not newer",
+ &other_num, newer ? "replaced" : "retained");
+ }
+ else
+ {
+ newer = certificate_is_newer(&this->certificate, &other->certificate);
+ }
+ return newer;
+}
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 4b612390c..9425311fb 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
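Review bot: The new certificate.h comment says only "TRUE if this newer than other" and leaves "newer" undefined; the implementation in certificate.c compares the value get_validity() writes through its third argument (the not-before / thisUpdate time, judging by the `get_validity(cert_crl, &now, NULL, &nextUpdate)` call in pluto/crl.c), which is the property a caller replacing cached credentials needs to know. I would write `@return TRUE if this has a later not-before (thisUpdate) time than other`, and note that the comparison is strict, so two credentials with the same time are never considered newer and the existing one is kept.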
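Review bot: `newer = chunk_compare(this_num, other_num) > 0;` in crl_is_newer treats the raw crlNumber bytes as an ordered integer; as far as I recall chunk_compare orders by length first and then by memcmp, which matches numeric order only while both values are minimal DER INTEGER encodings with no redundant leading zero bytes, and that assumption is stated nowhere. I would record it at the comparison, `/* crlNumber is a minimal DER INTEGER: a shorter encoding is always smaller, memcmp orders equal lengths */`, or strip leading 0x00 bytes from both chunks before comparing if get_serial can ever return a non-minimal encoding. The fallback to certificate_is_newer when either side lacks a crlNumber also deserves a line in the header comment, which currently says only "Check if this CRL is newer".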
@@ -80,7 +80,15 @@ struct crl_t {
 * @return enumerator over revoked certificates.
 */
 enumerator_t* (*create_enumerator)(crl_t *this);
-
 };
+/**
+ * Generic check if a given CRL is newer than another.
+ *
+ * @param this first CRL to check
+ * @param other second CRL
+ * @return TRUE if this newer than other
+ */
+bool crl_is_newer(crl_t *this, crl_t *other);
+
 #endif /** CRL_H_ @}*/
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index 3ee05d213..3339d91fb 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -141,7 +141,7 @@ static void ac_add_cert(certificate_t *cert)
 if (hIssuer->equals(hIssuer, ac_old->get_holderIssuer(ac_old)) &&
 chunk_equals(hSerial, ac_old->get_holderSerial(ac_old)))
 {
- if (cert->is_newer(cert, cert_old))
+ if (certificate_is_newer(cert, cert_old))
 {
 acerts->remove_at(acerts, enumerator);
 cert_old->destroy(cert_old);
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 84fe77554..b28c7be12 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -159,7 +159,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
 {
 certificate_t *old_cert_crl = oldcrl->crl;
- if (cert_crl->is_newer(cert_crl, old_cert_crl))
+ if (crl_is_newer(x509crl->crl, oldcrl->crl))
 {
 /* keep any known CRL distribution points */
 add_distribution_points(x509crl->distributionPoints,
@@ -313,7 +313,7 @@ void check_crls(void)
 certificate_t *cert_crl = x509crl->crl;
 crl_t *crl = (crl_t*)cert_crl;
 identification_t *issuer = cert_crl->get_issuer(cert_crl);
- chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
+ chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
 cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
 time_left = nextUpdate - now;
@@ -353,7 +353,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
 char *point;
 ca = get_ca_info(issuer, authKeyID);
-
+
 *revocationDate = UNDEFINED_TIME;
 *revocationReason = CRL_REASON_UNSPECIFIED;
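Review bot: The crl.h comment calls crl_is_newer a "Generic check", but unlike certificate_is_newer the implementation in crl.c compares the crlNumber values from get_serial() first and only falls back to validity times when either CRL lacks one, and that is exactly the detail a caller choosing between a cached and a freshly fetched CRL needs from the header. I would write `@return TRUE if this has a higher crlNumber than other, or a later thisUpdate when either CRL carries no crlNumber`, and note that the comparison is strict so equal CRLs leave the existing one in place.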
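Review bot: In insert_crl, `crl_is_newer(x509crl->crl, oldcrl->crl)` passes two `certificate_t *` values (the context line `certificate_t *old_cert_crl = oldcrl->crl;` and the `certificate_t *cert_crl = x509crl->crl;` in the next hunk fix the field's type) to a function declared with `crl_t *` parameters, an incompatible-pointer conversion that gcc only warns about and newer compilers reject. It works today only because crl_t embeds its certificate_t as the first member, which the rest of pluto/crl.c makes explicit with `crl_t *crl = (crl_t*)cert_crl;`, so I would do the same here, `if (crl_is_newer((crl_t*)x509crl->crl, (crl_t*)old_cert_crl))`, which also keeps `old_cert_crl` from becoming an unused local if the rest of insert_crl (outside the hunk) no longer reads it.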