author | Martin Willi <martin@revosec.ch> | 2010-07-02 10:29:36 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-07-13 10:26:06 +0200 |
commit | 5db798c8e0534864412f6aa55b5ae6d2f82dcc7f (patch) | |
tree | a950f8dbe649047fa8145742be91e7487f379798 /src | |
parent | 01bb70e4adfea9c8cbea3304df890cd8dac1bb41 (diff) | |
download | strongswan-5db798c8e0534864412f6aa55b5ae6d2f82dcc7f.tar.bz2 strongswan-5db798c8e0534864412f6aa55b5ae6d2f82dcc7f.tar.xz |
Charon uses a generic trustchain length limit, not only for X509 certificates
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/credentials/credential_manager.c | 13 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/x509.h | 1 | ||||
-rw-r--r-- | src/pluto/x509.h | 2 |
3 files changed, 11 insertions, 5 deletions
diff --git a/src/libcharon/credentials/credential_manager.c b/src/libcharon/credentials/credential_manager.c
index 01c0c0e1e..079af2da8 100644
--- a/src/libcharon/credentials/credential_manager.c
+++ b/src/libcharon/credentials/credential_manager.c
@@ -28,6 +28,11 @@
 #include <credentials/certificates/ocsp_request.h>
 #include <credentials/certificates/ocsp_response.h>
 
+/**
+ * Maximum length of a certificate trust chain
+ */
+#define MAX_TRUST_PATH_LEN 7
+
 typedef struct private_credential_manager_t private_credential_manager_t;
 
 /**
@@ -1132,7 +1137,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 
  auth = auth_cfg_create();
  current = subject->get_ref(subject);
- for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++)
+ for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
  {
  issuer = get_issuer_cert(this, current, TRUE);
  if (issuer)
@@ -1205,9 +1210,9 @@ static bool verify_trust_chain(private_credential_manager_t *this,
  }
  }
  current->destroy(current);
- if (pathlen > X509_MAX_PATH_LEN)
+ if (pathlen > MAX_TRUST_PATH_LEN)
  {
- DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN);
+ DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
  }
  if (trusted)
  {
@@ -1479,7 +1484,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
  }
  issuer = get_issuer_cert(this, current, FALSE);
  if (!issuer || issuer->equals(issuer, current) ||
- pathlen > X509_MAX_PATH_LEN)
+ pathlen > MAX_TRUST_PATH_LEN)
  {
  DESTROY_IF(issuer);
  break;
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 172bd9696..6e0a5002a 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -25,7 +25,6 @@
 #include <credentials/certificates/certificate.h>
 
 #define X509_NO_PATH_LEN_CONSTRAINT -1
-#define X509_MAX_PATH_LEN 7
 
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;
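Review bot: The comment added for MAX_TRUST_PATH_LEN does not say what the value actually bounds, and the uses in the verify_trust_chain hunks (`pathlen <= MAX_TRUST_PATH_LEN` in the loop, `pathlen > MAX_TRUST_PATH_LEN` before the log line) and in build_trustchain admit MAX_TRUST_PATH_LEN + 1 iterations, each fetching one issuer, so a chain may hold one issuer more than the name suggests — confirm which reading is intended and state it in the comment. I would write `/** Maximum number of issuer lookups performed while building or verifying a trust chain; a hard cap on chain length and on the lookup work a peer certificate can trigger, separate from any X.509 pathLenConstraint check (which, if present, is outside these hunks). */`. The same value 7 is now also defined separately as X509_MAX_PATH_LEN in src/pluto/x509.h without a comment, so the two limits can silently drift; a comment naming the counterpart on each side would help. Both verify_trust_chain and build_trustchain start and end outside the hunks.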
diff --git a/src/pluto/x509.h b/src/pluto/x509.h
index e904618b3..3101724a6 100644
--- a/src/pluto/x509.h
+++ b/src/pluto/x509.h
@@ -26,6 +26,8 @@
 #include "constants.h"
 #include "certs.h"
 
+#define X509_MAX_PATH_LEN 7
+
 extern bool same_keyid(chunk_t a, chunk_t b);
 extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm, certificate_t *issuer_cert); |