diff options
author | Martin Willi <martin@revosec.ch> | 2010-07-05 14:36:05 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-07-13 10:26:07 +0200 |
commit | 5f9e62c54f4b0e74eb78ae6be4801c4ad193ee97 (patch) | |
tree | fbb3b27fcbfcee153b8afa1b03b9b412d7857043 /src | |
parent | 2feb16f5dd1a9a16bf7ec9b55aa279df75622948 (diff) | |
download | strongswan-5f9e62c54f4b0e74eb78ae6be4801c4ad193ee97.tar.bz2 strongswan-5f9e62c54f4b0e74eb78ae6be4801c4ad193ee97.tar.xz |
Moved X509 addrBlock validation to a separate addrblock plugin
Diffstat (limited to 'src')
-rw-r--r-- | src/libstrongswan/Android.mk | 1 | ||||
-rw-r--r-- | src/libstrongswan/Makefile.am | 8 | ||||
-rw-r--r-- | src/libstrongswan/credentials/cert_validator.h | 2 | ||||
-rw-r--r-- | src/libstrongswan/credentials/credential_manager.c | 59 | ||||
-rw-r--r-- | src/libstrongswan/plugins/addrblock/Makefile.am | 16 | ||||
-rw-r--r-- | src/libstrongswan/plugins/addrblock/addrblock_plugin.c | 61 | ||||
-rw-r--r-- | src/libstrongswan/plugins/addrblock/addrblock_plugin.h | 42 | ||||
-rw-r--r-- | src/libstrongswan/plugins/addrblock/addrblock_validator.c | 124 | ||||
-rw-r--r-- | src/libstrongswan/plugins/addrblock/addrblock_validator.h | 49 |
9 files changed, 303 insertions, 59 deletions
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index 96d78916f..34bd5e5b1 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -44,6 +44,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ +credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ selectors/traffic_selector.c selectors/traffic_selector.h \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 0b93dc4af..d90773db7 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -42,6 +42,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ +credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ selectors/traffic_selector.c selectors/traffic_selector.h \ @@ -306,6 +307,13 @@ if MONOLITHIC endif endif +if USE_ADDRBLOCK + SUBDIRS += plugins/addrblock +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/addrblock/libstrongswan-addrblock.la +endif +endif + if USE_TEST_VECTORS SUBDIRS += plugins/test_vectors if MONOLITHIC diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h index 1f192e1de..0a6518528 100644 --- a/src/libstrongswan/credentials/cert_validator.h +++ b/src/libstrongswan/credentials/cert_validator.h @@ -23,6 +23,8 @@ typedef struct cert_validator_t cert_validator_t; +#include <library.h> + /** * Certificate validator interface. * diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index c5a681667..709c5e26a 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -944,60 +944,6 @@ static cert_validation_t check_crl(private_credential_manager_t *this, } /** - * check a certificate for optional IP address block constraints - */ -static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer) -{ - bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS; - bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS; - bool contained = TRUE; - - enumerator_t *subject_enumerator, *issuer_enumerator; - traffic_selector_t *subject_ts, *issuer_ts; - - if (!subject_constraint && !issuer_constraint) - { - return TRUE; - } - if (!subject_constraint) - { - DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension"); - return FALSE; - } - if (!issuer_constraint) - { - DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension"); - return FALSE; - } - subject_enumerator = subject->create_ipAddrBlock_enumerator(subject); - while (subject_enumerator->enumerate(subject_enumerator, &subject_ts)) - { - contained = FALSE; - - issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer); - while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts)) - { - if (subject_ts->is_contained_in(subject_ts, issuer_ts)) - { - DBG2(DBG_CFG, " subject address block %R is contained in " - "issuer address block %R", subject_ts, issuer_ts); - contained = TRUE; - break; - } - } - issuer_enumerator->destroy(issuer_enumerator); - if (!contained) - { - DBG1(DBG_CFG, "subject address block %R is not contained in any " - "issuer address block", subject_ts); - break; - } - } - subject_enumerator->destroy(subject_enumerator); - return contained; -} - -/** * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, @@ -1026,11 +972,6 @@ static bool check_certificate(private_credential_manager_t *this, int pathlen_constraint; x509_t *x509; - if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer)) - { - return FALSE; - } - /* check path length constraint */ x509 = (x509_t*)issuer; pathlen_constraint = x509->get_pathLenConstraint(x509); diff --git a/src/libstrongswan/plugins/addrblock/Makefile.am b/src/libstrongswan/plugins/addrblock/Makefile.am new file mode 100644 index 000000000..159d2e781 --- /dev/null +++ b/src/libstrongswan/plugins/addrblock/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-addrblock.la +else +plugin_LTLIBRARIES = libstrongswan-addrblock.la +endif + +libstrongswan_addrblock_la_SOURCES = \ + addrblock_plugin.h addrblock_plugin.c \ + addrblock_validator.h addrblock_validator.c + +libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/addrblock/addrblock_plugin.c b/src/libstrongswan/plugins/addrblock/addrblock_plugin.c new file mode 100644 index 000000000..6c1ef73e4 --- /dev/null +++ b/src/libstrongswan/plugins/addrblock/addrblock_plugin.c @@ -0,0 +1,61 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "addrblock_plugin.h" + +#include <library.h> +#include "addrblock_validator.h" + +typedef struct private_addrblock_plugin_t private_addrblock_plugin_t; + +/** + * private data of addrblock_plugin + */ +struct private_addrblock_plugin_t { + + /** + * public functions + */ + addrblock_plugin_t public; + + /** + * Validator implementation instance. + */ + addrblock_validator_t *validator; +}; + +METHOD(plugin_t, destroy, void, + private_addrblock_plugin_t *this) +{ + lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator); + this->validator->destroy(this->validator); + free(this); +} + +/* + * see header file + */ +plugin_t *addrblock_plugin_create() +{ + private_addrblock_plugin_t *this; + + INIT(this, + .public.plugin.destroy = _destroy, + .validator = addrblock_validator_create(), + ); + lib->credmgr->add_validator(lib->credmgr, &this->validator->validator); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/addrblock/addrblock_plugin.h b/src/libstrongswan/plugins/addrblock/addrblock_plugin.h new file mode 100644 index 000000000..e7c3a728e --- /dev/null +++ b/src/libstrongswan/plugins/addrblock/addrblock_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup addrblock addrblock + * @ingroup plugins + * + * @defgroup addrblock_plugin addrblock_plugin + * @{ @ingroup addrblock + */ + +#ifndef ADDRBLOCK_PLUGIN_H_ +#define ADDRBLOCK_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct addrblock_plugin_t addrblock_plugin_t; + +/** + * RFC 3779 address block checking. + */ +struct addrblock_plugin_t { + + /** + * Implements plugin_t. interface. + */ + plugin_t plugin; +}; + +#endif /** ADDRBLOCK_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/addrblock/addrblock_validator.c b/src/libstrongswan/plugins/addrblock/addrblock_validator.c new file mode 100644 index 000000000..44ef38d85 --- /dev/null +++ b/src/libstrongswan/plugins/addrblock/addrblock_validator.c @@ -0,0 +1,124 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "addrblock_validator.h" + +#include <debug.h> +#include <credentials/certificates/x509.h> +#include <selectors/traffic_selector.h> + +typedef struct private_addrblock_validator_t private_addrblock_validator_t; + +/** + * Private data of an addrblock_validator_t object. + */ +struct private_addrblock_validator_t { + + /** + * Public addrblock_validator_t interface. + */ + addrblock_validator_t public; +}; + +/** + * Do the addrblock check for two x509 plugins + */ +static bool check_addrblock(x509_t *subject, x509_t *issuer) +{ + bool subject_const, issuer_const, contained = TRUE; + enumerator_t *subject_enumerator, *issuer_enumerator; + traffic_selector_t *subject_ts, *issuer_ts; + + subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS; + issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS; + + if (!subject_const && !issuer_const) + { + return TRUE; + } + if (!subject_const) + { + DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension"); + return FALSE; + } + if (!issuer_const) + { + DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension"); + return FALSE; + } + subject_enumerator = subject->create_ipAddrBlock_enumerator(subject); + while (subject_enumerator->enumerate(subject_enumerator, &subject_ts)) + { + contained = FALSE; + + issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer); + while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts)) + { + if (subject_ts->is_contained_in(subject_ts, issuer_ts)) + { + DBG2(DBG_CFG, " subject address block %R is contained in " + "issuer address block %R", subject_ts, issuer_ts); + contained = TRUE; + break; + } + } + issuer_enumerator->destroy(issuer_enumerator); + if (!contained) + { + DBG1(DBG_CFG, "subject address block %R is not contained in any " + "issuer address block", subject_ts); + break; + } + } + subject_enumerator->destroy(subject_enumerator); + return contained; +} + +METHOD(cert_validator_t, validate, bool, + private_addrblock_validator_t *this, certificate_t *subject, + certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) +{ + if (subject->get_type(subject) == CERT_X509 && + issuer->get_type(issuer) == CERT_X509) + { + return check_addrblock((x509_t*)subject, (x509_t*)issuer); + } + return TRUE; +} + +METHOD(addrblock_validator_t, destroy, void, + private_addrblock_validator_t *this) +{ + free(this); +} + +/** + * See header + */ +addrblock_validator_t *addrblock_validator_create() +{ + private_addrblock_validator_t *this; + + INIT(this, + .public = { + .validator.validate = _validate, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/addrblock/addrblock_validator.h b/src/libstrongswan/plugins/addrblock/addrblock_validator.h new file mode 100644 index 000000000..423f0d41a --- /dev/null +++ b/src/libstrongswan/plugins/addrblock/addrblock_validator.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup addrblock_validator addrblock_validator + * @{ @ingroup addrblock + */ + +#ifndef ADDRBLOCK_VALIDATOR_H_ +#define ADDRBLOCK_VALIDATOR_H_ + +#include <credentials/cert_validator.h> + +typedef struct addrblock_validator_t addrblock_validator_t; + +/** + * RFC 3779 address block X509 certificate validator. + */ +struct addrblock_validator_t { + + /** + * Implements cert_validator_t interface. + */ + cert_validator_t validator; + + /** + * Destroy a addrblock_validator_t. + */ + void (*destroy)(addrblock_validator_t *this); +}; + +/** + * Create a addrblock_validator instance. + */ +addrblock_validator_t *addrblock_validator_create(); + +#endif /** ADDRBLOCK_VALIDATOR_H_ @}*/ |