diff options
| author | Martin Willi <martin@strongswan.org> | 2017-02-22 10:01:19 +0100 |
|---|---|---|
| committer | Martin Willi <martin@strongswan.org> | 2017-03-02 08:24:02 +0100 |
| commit | d536b94e0d12543e548ed4f0df2220384293f08e (patch) | |
| tree | e738bf30202cd9619e068e735b21528b58e91903 /src/libcharon | |
| parent | d1317adb9a45166cdc8f44117a5fa85ecd053552 (diff) | |
| download | strongswan-d536b94e0d12543e548ed4f0df2220384293f08e.tar.bz2 strongswan-d536b94e0d12543e548ed4f0df2220384293f08e.tar.xz | |
addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SA
Previously, the client had to propose no wider selectors than the certificate
permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2
we can dynamically narrow the selectors to what the certificate allows. This
makes client and gateway configurations very simple by just proposing 0.0.0.0/0,
narrowed to selectors the client is permitted to route into the network.
Diffstat (limited to 'src/libcharon')
| -rw-r--r-- | src/libcharon/plugins/addrblock/addrblock_narrow.c | 71 |
1 files changed, 28 insertions, 43 deletions
diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.c b/src/libcharon/plugins/addrblock/addrblock_narrow.c index f85fa78d6..97040aa34 100644 --- a/src/libcharon/plugins/addrblock/addrblock_narrow.c +++ b/src/libcharon/plugins/addrblock/addrblock_narrow.c @@ -33,17 +33,15 @@ struct private_addrblock_narrow_t { addrblock_narrow_t public; }; -/** - * Check if the negotiated TS list is acceptable by X509 ipAddrBlock constraints - */ -static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list) +static void narrow_addrblock(private_addrblock_narrow_t *this, ike_sa_t *ike_sa, + linked_list_t *list) { - auth_cfg_t *auth; - enumerator_t *auth_enum; certificate_t *cert = NULL; + enumerator_t *enumerator; + auth_cfg_t *auth; - auth_enum = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE); - while (auth_enum->enumerate(auth_enum, &auth)) + enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE); + while (enumerator->enumerate(enumerator, &auth)) { cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT); if (cert) @@ -51,7 +49,7 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list) break; } } - auth_enum->destroy(auth_enum); + enumerator->destroy(enumerator); if (cert && cert->get_type(cert) == CERT_X509) { @@ -59,54 +57,45 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list) if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) { - enumerator_t *enumerator, *block_enum; - traffic_selector_t *ts, *block_ts; + traffic_selector_t *ts, *block, *subset; + linked_list_t *original; + + original = linked_list_create(); + while (list->remove_last(list, (void**)&ts) == SUCCESS) + { + original->insert_first(original, ts); + } DBG1(DBG_IKE, "checking certificate-based traffic selector " - "constraints [RFC 3779]"); - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, &ts)) + "constraints [RFC 3779]"); + while (original->remove_first(original, (void**)&ts) == SUCCESS) { bool contained = FALSE; - block_enum = x509->create_ipAddrBlock_enumerator(x509); - while (block_enum->enumerate(block_enum, &block_ts)) + enumerator = x509->create_ipAddrBlock_enumerator(x509); + while (enumerator->enumerate(enumerator, &block)) { - if (ts->is_contained_in(ts, block_ts)) + subset = ts->get_subset(ts, block); + if (subset) { DBG1(DBG_IKE, " TS %R is contained in address block" - " constraint %R", ts, block_ts); + " constraint %R (subset %R)", ts, block, subset); + list->insert_last(list, subset); contained = TRUE; - break; } } - block_enum->destroy(block_enum); + enumerator->destroy(enumerator); if (!contained) { DBG1(DBG_IKE, " TS %R is not contained in any" - " address block constraint", ts); - enumerator->destroy(enumerator); - return FALSE; + " address block constraint", ts); } + ts->destroy(ts); } - enumerator->destroy(enumerator); + original->destroy(original); } } - return TRUE; -} - -/** - * Delete all traffic selectors in a list - */ -static void flush_ts_list(linked_list_t *list) -{ - traffic_selector_t *ts; - - while (list->remove_last(list, (void**)&ts) == SUCCESS) - { - ts->destroy(ts); - } } METHOD(listener_t, narrow, bool, @@ -118,11 +107,7 @@ METHOD(listener_t, narrow, bool, case NARROW_RESPONDER: case NARROW_INITIATOR_POST_AUTH: case NARROW_INITIATOR_POST_NOAUTH: - if (!check_constraints(ike_sa, remote)) - { - flush_ts_list(local); - flush_ts_list(remote); - } + narrow_addrblock(this, ike_sa, remote); break; default: break; |