aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorMartin Willi <martin@revosec.ch>2010-07-05 14:36:05 +0200
committerMartin Willi <martin@revosec.ch>2010-07-13 10:26:07 +0200
commit5f9e62c54f4b0e74eb78ae6be4801c4ad193ee97 (patch)
treefbb3b27fcbfcee153b8afa1b03b9b412d7857043 /src
parent2feb16f5dd1a9a16bf7ec9b55aa279df75622948 (diff)
downloadstrongswan-5f9e62c54f4b0e74eb78ae6be4801c4ad193ee97.tar.bz2
strongswan-5f9e62c54f4b0e74eb78ae6be4801c4ad193ee97.tar.xz
Moved X509 addrBlock validation to a separate addrblock plugin
Diffstat (limited to 'src')
-rw-r--r--src/libstrongswan/Android.mk1
-rw-r--r--src/libstrongswan/Makefile.am8
-rw-r--r--src/libstrongswan/credentials/cert_validator.h2
-rw-r--r--src/libstrongswan/credentials/credential_manager.c59
-rw-r--r--src/libstrongswan/plugins/addrblock/Makefile.am16
-rw-r--r--src/libstrongswan/plugins/addrblock/addrblock_plugin.c61
-rw-r--r--src/libstrongswan/plugins/addrblock/addrblock_plugin.h42
-rw-r--r--src/libstrongswan/plugins/addrblock/addrblock_validator.c124
-rw-r--r--src/libstrongswan/plugins/addrblock/addrblock_validator.h49
9 files changed, 303 insertions, 59 deletions
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 96d78916f..34bd5e5b1 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -44,6 +44,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
database/database.h database/database_factory.h database/database_factory.c \
fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
selectors/traffic_selector.c selectors/traffic_selector.h \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 0b93dc4af..d90773db7 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -42,6 +42,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
database/database.h database/database_factory.h database/database_factory.c \
fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
selectors/traffic_selector.c selectors/traffic_selector.h \
@@ -306,6 +307,13 @@ if MONOLITHIC
endif
endif
+if USE_ADDRBLOCK
+ SUBDIRS += plugins/addrblock
+if MONOLITHIC
+ libstrongswan_la_LIBADD += plugins/addrblock/libstrongswan-addrblock.la
+endif
+endif
+
if USE_TEST_VECTORS
SUBDIRS += plugins/test_vectors
if MONOLITHIC
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 1f192e1de..0a6518528 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -23,6 +23,8 @@
typedef struct cert_validator_t cert_validator_t;
+#include <library.h>
+
/**
* Certificate validator interface.
*
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index c5a681667..709c5e26a 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -944,60 +944,6 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
}
/**
- * check a certificate for optional IP address block constraints
- */
-static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
-{
- bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
- bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
- bool contained = TRUE;
-
- enumerator_t *subject_enumerator, *issuer_enumerator;
- traffic_selector_t *subject_ts, *issuer_ts;
-
- if (!subject_constraint && !issuer_constraint)
- {
- return TRUE;
- }
- if (!subject_constraint)
- {
- DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
- return FALSE;
- }
- if (!issuer_constraint)
- {
- DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
- return FALSE;
- }
- subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
- while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
- {
- contained = FALSE;
-
- issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
- while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
- {
- if (subject_ts->is_contained_in(subject_ts, issuer_ts))
- {
- DBG2(DBG_CFG, " subject address block %R is contained in "
- "issuer address block %R", subject_ts, issuer_ts);
- contained = TRUE;
- break;
- }
- }
- issuer_enumerator->destroy(issuer_enumerator);
- if (!contained)
- {
- DBG1(DBG_CFG, "subject address block %R is not contained in any "
- "issuer address block", subject_ts);
- break;
- }
- }
- subject_enumerator->destroy(subject_enumerator);
- return contained;
-}
-
-/**
* check a certificate for its lifetime
*/
static bool check_certificate(private_credential_manager_t *this,
@@ -1026,11 +972,6 @@ static bool check_certificate(private_credential_manager_t *this,
int pathlen_constraint;
x509_t *x509;
- if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
- {
- return FALSE;
- }
-
/* check path length constraint */
x509 = (x509_t*)issuer;
pathlen_constraint = x509->get_pathLenConstraint(x509);
diff --git a/src/libstrongswan/plugins/addrblock/Makefile.am b/src/libstrongswan/plugins/addrblock/Makefile.am
new file mode 100644
index 000000000..159d2e781
--- /dev/null
+++ b/src/libstrongswan/plugins/addrblock/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-addrblock.la
+else
+plugin_LTLIBRARIES = libstrongswan-addrblock.la
+endif
+
+libstrongswan_addrblock_la_SOURCES = \
+ addrblock_plugin.h addrblock_plugin.c \
+ addrblock_validator.h addrblock_validator.c
+
+libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/addrblock/addrblock_plugin.c b/src/libstrongswan/plugins/addrblock/addrblock_plugin.c
new file mode 100644
index 000000000..6c1ef73e4
--- /dev/null
+++ b/src/libstrongswan/plugins/addrblock/addrblock_plugin.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_plugin.h"
+
+#include <library.h>
+#include "addrblock_validator.h"
+
+typedef struct private_addrblock_plugin_t private_addrblock_plugin_t;
+
+/**
+ * private data of addrblock_plugin
+ */
+struct private_addrblock_plugin_t {
+
+ /**
+ * public functions
+ */
+ addrblock_plugin_t public;
+
+ /**
+ * Validator implementation instance.
+ */
+ addrblock_validator_t *validator;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_addrblock_plugin_t *this)
+{
+ lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+ this->validator->destroy(this->validator);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *addrblock_plugin_create()
+{
+ private_addrblock_plugin_t *this;
+
+ INIT(this,
+ .public.plugin.destroy = _destroy,
+ .validator = addrblock_validator_create(),
+ );
+ lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/addrblock/addrblock_plugin.h b/src/libstrongswan/plugins/addrblock/addrblock_plugin.h
new file mode 100644
index 000000000..e7c3a728e
--- /dev/null
+++ b/src/libstrongswan/plugins/addrblock/addrblock_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock addrblock
+ * @ingroup plugins
+ *
+ * @defgroup addrblock_plugin addrblock_plugin
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_PLUGIN_H_
+#define ADDRBLOCK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct addrblock_plugin_t addrblock_plugin_t;
+
+/**
+ * RFC 3779 address block checking.
+ */
+struct addrblock_plugin_t {
+
+ /**
+ * Implements plugin_t. interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** ADDRBLOCK_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/addrblock/addrblock_validator.c b/src/libstrongswan/plugins/addrblock/addrblock_validator.c
new file mode 100644
index 000000000..44ef38d85
--- /dev/null
+++ b/src/libstrongswan/plugins/addrblock/addrblock_validator.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_validator.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+#include <selectors/traffic_selector.h>
+
+typedef struct private_addrblock_validator_t private_addrblock_validator_t;
+
+/**
+ * Private data of an addrblock_validator_t object.
+ */
+struct private_addrblock_validator_t {
+
+ /**
+ * Public addrblock_validator_t interface.
+ */
+ addrblock_validator_t public;
+};
+
+/**
+ * Do the addrblock check for two x509 plugins
+ */
+static bool check_addrblock(x509_t *subject, x509_t *issuer)
+{
+ bool subject_const, issuer_const, contained = TRUE;
+ enumerator_t *subject_enumerator, *issuer_enumerator;
+ traffic_selector_t *subject_ts, *issuer_ts;
+
+ subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
+ issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
+
+ if (!subject_const && !issuer_const)
+ {
+ return TRUE;
+ }
+ if (!subject_const)
+ {
+ DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
+ return FALSE;
+ }
+ if (!issuer_const)
+ {
+ DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
+ return FALSE;
+ }
+ subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
+ while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
+ {
+ contained = FALSE;
+
+ issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
+ while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
+ {
+ if (subject_ts->is_contained_in(subject_ts, issuer_ts))
+ {
+ DBG2(DBG_CFG, " subject address block %R is contained in "
+ "issuer address block %R", subject_ts, issuer_ts);
+ contained = TRUE;
+ break;
+ }
+ }
+ issuer_enumerator->destroy(issuer_enumerator);
+ if (!contained)
+ {
+ DBG1(DBG_CFG, "subject address block %R is not contained in any "
+ "issuer address block", subject_ts);
+ break;
+ }
+ }
+ subject_enumerator->destroy(subject_enumerator);
+ return contained;
+}
+
+METHOD(cert_validator_t, validate, bool,
+ private_addrblock_validator_t *this, certificate_t *subject,
+ certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+{
+ if (subject->get_type(subject) == CERT_X509 &&
+ issuer->get_type(issuer) == CERT_X509)
+ {
+ return check_addrblock((x509_t*)subject, (x509_t*)issuer);
+ }
+ return TRUE;
+}
+
+METHOD(addrblock_validator_t, destroy, void,
+ private_addrblock_validator_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+addrblock_validator_t *addrblock_validator_create()
+{
+ private_addrblock_validator_t *this;
+
+ INIT(this,
+ .public = {
+ .validator.validate = _validate,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/addrblock/addrblock_validator.h b/src/libstrongswan/plugins/addrblock/addrblock_validator.h
new file mode 100644
index 000000000..423f0d41a
--- /dev/null
+++ b/src/libstrongswan/plugins/addrblock/addrblock_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock_validator addrblock_validator
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_VALIDATOR_H_
+#define ADDRBLOCK_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct addrblock_validator_t addrblock_validator_t;
+
+/**
+ * RFC 3779 address block X509 certificate validator.
+ */
+struct addrblock_validator_t {
+
+ /**
+ * Implements cert_validator_t interface.
+ */
+ cert_validator_t validator;
+
+ /**
+ * Destroy a addrblock_validator_t.
+ */
+ void (*destroy)(addrblock_validator_t *this);
+};
+
+/**
+ * Create a addrblock_validator instance.
+ */
+addrblock_validator_t *addrblock_validator_create();
+
+#endif /** ADDRBLOCK_VALIDATOR_H_ @}*/