author | Martin Willi <martin@revosec.ch> | 2010-07-05 14:36:05 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-07-13 10:26:07 +0200 |
commit | 5f9e62c54f4b0e74eb78ae6be4801c4ad193ee97 (patch) | |
tree | fbb3b27fcbfcee153b8afa1b03b9b412d7857043 /src/libstrongswan/credentials/credential_manager.c | |
parent | 2feb16f5dd1a9a16bf7ec9b55aa279df75622948 (diff) | |
Moved X509 addrBlock validation to a separate addrblock plugin
Diffstat (limited to 'src/libstrongswan/credentials/credential_manager.c')
-rw-r--r-- | src/libstrongswan/credentials/credential_manager.c | 59 |
1 files changed, 0 insertions, 59 deletions
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index c5a681667..709c5e26a 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -944,60 +944,6 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 }
 
 /**
- * check a certificate for optional IP address block constraints
- */
-static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
-{
- bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
- bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
- bool contained = TRUE;
-
- enumerator_t *subject_enumerator, *issuer_enumerator;
- traffic_selector_t *subject_ts, *issuer_ts;
-
- if (!subject_constraint && !issuer_constraint)
- {
- return TRUE;
- }
- if (!subject_constraint)
- {
- DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
- return FALSE;
- }
- if (!issuer_constraint)
- {
- DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
- return FALSE;
- }
- subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
- while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
- {
- contained = FALSE;
-
- issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
- while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
- {
- if (subject_ts->is_contained_in(subject_ts, issuer_ts))
- {
- DBG2(DBG_CFG, " subject address block %R is contained in "
- "issuer address block %R", subject_ts, issuer_ts);
- contained = TRUE;
- break;
- }
- }
- issuer_enumerator->destroy(issuer_enumerator);
- if (!contained)
- {
- DBG1(DBG_CFG, "subject address block %R is not contained in any "
- "issuer address block", subject_ts);
- break;
- }
- }
- subject_enumerator->destroy(subject_enumerator);
- return contained;
-}
-
-/**
 * check a certificate for its lifetime
 */
 static bool check_certificate(private_credential_manager_t *this,
@@ -1026,11 +972,6 @@ static bool check_certificate(private_credential_manager_t *this,
 int pathlen_constraint;
 x509_t *x509;
 
- if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
- {
- return FALSE;
- }
-
 /* check path length constraint */
 x509 = (x509_t*)issuer;
 pathlen_constraint = x509->get_pathLenConstraint(x509); |
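Review bot: On the new side, check_certificate no longer performs the RFC 3779 ipAddrBlocks containment check before the path length constraint, so a chain whose subject carries address blocks not contained in the issuer's is no longer rejected at this point; per the commit title that enforcement now lives in a separate addrblock plugin outside this file, which presumably means it only happens when that plugin is loaded. Nothing left in this function records that dependency, so a deployment that omits the plugin silently loses a check that used to be unconditional here. I would add a comment where the call used to be, just before `/* check path length constraint */`: `/* RFC 3779 ipAddrBlocks containment is enforced by the addrblock plugin, not here */`. check_certificate starts before this hunk and continues after it.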