diff options
| author | Martin Willi <martin@revosec.ch> | 2013-01-11 10:19:12 +0100 |
|---|---|---|
| committer | Martin Willi <martin@revosec.ch> | 2013-01-11 10:21:56 +0100 |
| commit | bf10ee9495e312fc1380d8e8ed7f16b3c6b061a1 (patch) | |
| tree | 0242cf7f64394ef2dab8e46b3774eebf7d5ee869 | |
| parent | 6d3e7a64a0f69f1581983fa7d741257268049620 (diff) | |
| download | strongswan-bf10ee9495e312fc1380d8e8ed7f16b3c6b061a1.tar.bz2 strongswan-bf10ee9495e312fc1380d8e8ed7f16b3c6b061a1.tar.xz | |
Refactored IKEv1 cert payload processing to multiple functions
| -rw-r--r-- | src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c | 175 |
1 files changed, 102 insertions, 73 deletions
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c index 17279ea07..1b7b01e66 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c @@ -155,6 +155,105 @@ static void process_certreqs(private_isakmp_cert_pre_t *this, message_t *message } /** + * Process an X509 certificate payload + */ +static void process_x509(cert_payload_t *payload, auth_cfg_t *auth, bool *first) +{ + certificate_t *cert; + + cert = payload->get_cert(payload); + if (cert) + { + if (*first) + { /* the first is an end entity certificate */ + DBG1(DBG_IKE, "received end entity cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert); + *first = FALSE; + } + else + { + DBG1(DBG_IKE, "received issuer cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_IM_CERT, cert); + } + } +} + +/** + * Process a CRL certificate payload + */ +static void process_crl(cert_payload_t *payload, auth_cfg_t *auth) +{ + certificate_t *cert; + + cert = payload->get_cert(payload); + if (cert) + { + DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); + } +} + +/** + * Process a PKCS7 certificate payload + */ +static void process_pkcs7(cert_payload_t *payload, auth_cfg_t *auth) +{ + enumerator_t *enumerator; + container_t *container; + certificate_t *cert; + pkcs7_t *pkcs7; + + container = payload->get_container(payload); + if (!container) + { + return; + } + switch (container->get_type(container)) + { + case CONTAINER_PKCS7_DATA: + case CONTAINER_PKCS7_SIGNED_DATA: + case CONTAINER_PKCS7_ENVELOPED_DATA: + break; + default: + container->destroy(container); + return; + } + + pkcs7 = (pkcs7_t *)container; + enumerator = pkcs7->create_cert_enumerator(pkcs7); + while (enumerator->enumerate(enumerator, &cert)) + { + if (cert->get_type(cert) == CERT_X509) + { + x509_t *x509 = (x509_t*)cert; + + if (x509->get_flags(x509) & X509_CA) + { + DBG1(DBG_IKE, "received intermediate ca cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_IM_CERT, cert->get_ref(cert)); + } + else + { + DBG1(DBG_IKE, "received end entity cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert->get_ref(cert)); + } + } + else + { + DBG1(DBG_IKE, "received unsupported cert type %N", + certificate_type_names, cert->get_type(cert)); + } + } + enumerator->destroy(enumerator); + + container->destroy(container); +} + +/** * Import received certificates */ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message) @@ -173,7 +272,6 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message) { cert_payload_t *cert_payload; cert_encoding_t encoding; - certificate_t *cert; cert_payload = (cert_payload_t*)payload; encoding = cert_payload->get_cert_encoding(cert_payload); @@ -181,83 +279,14 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message) switch (encoding) { case ENC_X509_SIGNATURE: - { - cert = cert_payload->get_cert(cert_payload); - if (cert) - { - if (first) - { /* the first is an end entity certificate */ - DBG1(DBG_IKE, "received end entity cert \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert); - first = FALSE; - } - else - { - DBG1(DBG_IKE, "received issuer cert \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_HELPER_IM_CERT, cert); - } - } + process_x509(cert_payload, auth, &first); break; - } case ENC_CRL: - cert = cert_payload->get_cert(cert_payload); - if (cert) - { - DBG1(DBG_IKE, "received CRL \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); - } + process_crl(cert_payload, auth); break; case ENC_PKCS7_WRAPPED_X509: - { - container_t *container; - - container = cert_payload->get_container(cert_payload); - if (container) - { - pkcs7_t *pkcs7; - enumerator_t *enumerator; - - pkcs7 = (pkcs7_t *)container; - enumerator = pkcs7->create_cert_enumerator(pkcs7); - while (enumerator->enumerate(enumerator, &cert)) - { - if (cert->get_type(cert) == CERT_X509) - { - auth_rule_t rule; - x509_t *x509 = (x509_t*)cert; - - if (x509->get_flags(x509) & X509_CA) - { - DBG1(DBG_IKE, - "received intermediate ca cert \"%Y\"", - cert->get_subject(cert)); - rule = AUTH_HELPER_IM_CERT; - } - else - { - DBG1(DBG_IKE, - "received end entity cert \"%Y\"", - cert->get_subject(cert)); - rule = AUTH_HELPER_SUBJECT_CERT; - } - auth->add(auth, rule, cert->get_ref(cert)); - } - else - { - DBG1(DBG_IKE, - "received unsupported cert type %N", - certificate_type_names, - cert->get_type(cert)); - } - } - enumerator->destroy(enumerator); - container->destroy(container); - } + process_pkcs7(cert_payload, auth); break; - } case ENC_PGP: case ENC_DNS_SIGNED_KEY: case ENC_KERBEROS_TOKEN: |