diff options
-rw-r--r-- | src/charon/credentials/credential_manager.c | 4 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ac.c | 26 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_crl.c | 10 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ocsp_response.c | 10 | ||||
-rw-r--r-- | src/pluto/ac.c | 6 | ||||
-rw-r--r-- | src/pluto/connections.c | 14 | ||||
-rw-r--r-- | src/pluto/crl.c | 34 | ||||
-rw-r--r-- | src/pluto/ocsp.c | 13 | ||||
-rw-r--r-- | src/pluto/smartcard.c | 14 | ||||
-rw-r--r-- | src/pluto/x509.c | 54 | ||||
-rw-r--r-- | src/pluto/x509.h | 1 | ||||
-rw-r--r-- | testing/tests/ikev1/crl-ldap/evaltest.dat | 4 |
12 files changed, 54 insertions, 136 deletions
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c index a520fd0f4..7bd724a66 100644 --- a/src/charon/credentials/credential_manager.c +++ b/src/charon/credentials/credential_manager.c @@ -951,13 +951,13 @@ static bool check_certificate(private_credential_manager_t *this, if (!subject->get_validity(subject, NULL, ¬_before, ¬_after)) { DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)", - ¬_before, TRUE, ¬_after, TRUE); + ¬_before, FALSE, ¬_after, FALSE); return FALSE; } if (!issuer->get_validity(issuer, NULL, ¬_before, ¬_after)) { DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)", - ¬_before, TRUE, ¬_after, TRUE); + ¬_before, FALSE, ¬_after, FALSE); return FALSE; } if (issuer->get_type(issuer) == CERT_X509 && diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index 5e8ea2e71..79ff80933 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -798,16 +798,8 @@ static private_x509_ac_t* get_ref(private_x509_ac_t *this) static bool get_validity(private_x509_ac_t *this, time_t *when, time_t *not_before, time_t *not_after) { - time_t t; + time_t t = when ? *when : time(NULL); - if (when) - { - t = *when; - } - else - { - t = time(NULL); - } if (not_before) { *not_before = this->notBefore; @@ -816,19 +808,7 @@ static bool get_validity(private_x509_ac_t *this, time_t *when, { *not_after = this->notAfter; } - if (t < this->notBefore) - { - DBG1("attribute certificate is not valid before %T", - this->notBefore, TRUE); - return FALSE; - } - if (t > this->notAfter) - { - DBG1("attribute certificate expired on %T", - this->notAfter, TRUE); - return FALSE; - } - return TRUE; + return (t >= this->notBefore && t <= this->notAfter); } /** @@ -844,7 +824,7 @@ static bool is_newer(private_x509_ac_t *this, ac_t *that) this_cert->get_validity(this_cert, &now, &this_update, NULL); that_cert->get_validity(that_cert, &now, &that_update, NULL); new = this_update > that_update; - DBG1(" attr cert from %T is %s - existing attr_cert from %T %s", + DBG1(" attr cert from %T is %s - existing attr cert from %T %s", &this_update, FALSE, new ? "newer":"not newer", &that_update, FALSE, new ? "replaced":"retained"); return new; diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 643f809c7..b9ef3218b 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -458,16 +458,8 @@ static private_x509_crl_t* get_ref(private_x509_crl_t *this) static bool get_validity(private_x509_crl_t *this, time_t *when, time_t *not_before, time_t *not_after) { - time_t t; + time_t t = when ? *when : time(NULL); - if (when) - { - t = *when; - } - else - { - t = time(NULL); - } if (not_before) { *not_before = this->thisUpdate; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index 02713ad33..948d7ad85 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -748,16 +748,8 @@ static public_key_t* get_public_key(private_x509_ocsp_response_t *this) static bool get_validity(private_x509_ocsp_response_t *this, time_t *when, time_t *not_before, time_t *not_after) { - time_t t; + time_t t = when ? *when : time(NULL); - if (when == NULL) - { - t = time(NULL); - } - else - { - t = *when; - } if (not_before) { *not_before = this->producedAt; diff --git a/src/pluto/ac.c b/src/pluto/ac.c index e35245845..14806c3cc 100644 --- a/src/pluto/ac.c +++ b/src/pluto/ac.c @@ -158,7 +158,7 @@ bool verify_x509acert(x509acert_t *x509ac, bool strict) chunk_t issuer_dn = issuer->get_encoding(issuer); chunk_t authKeyID = ac->get_authKeyIdentifier(ac); x509cert_t *aacert; - time_t valid_until; + time_t notBefore, valid_until; DBG(DBG_CONTROL, DBG_log("holder: '%Y'", subject); @@ -167,10 +167,12 @@ bool verify_x509acert(x509acert_t *x509ac, bool strict) if (!cert_ac->get_validity(cert_ac, NULL, NULL, &valid_until)) { + plog("attribute certificate is invalid (valid from %T to %T)", + ¬Before, FALSE, &valid_until, FALSE); return FALSE; } DBG(DBG_CONTROL, - DBG_log("attribute certificate is valid until %T", &valid_until, TRUE) + DBG_log("attribute certificate is valid until %T", &valid_until, FALSE) ) lock_authcert_list("verify_x509acert"); diff --git a/src/pluto/connections.c b/src/pluto/connections.c index e1a28cade..6c2872609 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -717,8 +717,6 @@ static void load_end_certificate(char *filename, struct end *dst) if (valid_cert) { - err_t ugh = NULL; - switch (cert.type) { case CERT_PGP: @@ -738,20 +736,18 @@ static void load_end_certificate(char *filename, struct end *dst) select_x509cert_id(cert.u.x509, &dst->id); if (cached_cert) + { dst->cert = cert; + } else { - time_t valid_until = 0; - - /* check validity of cert */ - ugh = check_validity(cert.u.x509, &valid_until); - if (ugh != NULL) + certificate_t *certificate = cert.u.x509->cert; + + if (!certificate->get_validity(certificate, NULL, NULL, &valid_until)) { - plog(" %s", ugh); free_x509cert(cert.u.x509); break; } - DBG(DBG_CONTROL, DBG_log("certificate is valid") ) diff --git a/src/pluto/crl.c b/src/pluto/crl.c index 01d4839fc..54f08f9d6 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c @@ -414,7 +414,7 @@ cert_status_t verify_by_crl(const x509cert_t *cert, time_t *until, crl_t *crl = (crl_t*)cert_crl; chunk_t authKeyID = crl->get_authKeyIdentifier(crl); x509cert_t *issuer_cert; - bool valid; + bool trusted, valid; DBG(DBG_CONTROL, DBG_log("crl found") @@ -435,32 +435,39 @@ cert_status_t verify_by_crl(const x509cert_t *cert, time_t *until, lock_authcert_list("verify_by_crl"); issuer_cert = get_authcert(issuer_dn, authKeyID, X509_CA); - valid = cert_crl->issued_by(cert_crl, issuer_cert->cert); + trusted = cert_crl->issued_by(cert_crl, issuer_cert->cert); unlock_authcert_list("verify_by_crl"); - if (valid) + if (trusted) { - time_t now, nextUpdate; cert_status_t status; DBG(DBG_CONTROL, DBG_log("crl signature is valid") ) - /* return the expiration date */ - time(&now); - cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate); - *until = nextUpdate; + + /* return the expiration date */ + valid = cert_crl->get_validity(cert_crl, NULL, NULL, until); /* has the certificate been revoked? */ status = check_revocation(crl, x509->get_serial(x509), revocationDate , revocationReason); - if (*until < now) + if (valid) + { + unlock_crl_list("verify_by_crl"); + DBG(DBG_CONTROL, + DBG_log("crl is valid: until %T", until, FALSE) + ) + } + else { fetch_req_t *req; - plog("crl update is overdue since %T", until, TRUE); + DBG(DBG_CONTROL, + DBG_log("crl is stale: since %T", until, FALSE) + ) /* try to fetch a crl update */ req = build_crl_fetch_request(issuer_dn, authKeyID, @@ -470,13 +477,6 @@ cert_status_t verify_by_crl(const x509cert_t *cert, time_t *until, add_crl_fetch_request(req); wake_fetch_thread("verify_by_crl"); } - else - { - unlock_crl_list("verify_by_crl"); - DBG(DBG_CONTROL, - DBG_log("crl is valid") - ) - } return status; } else diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index d980e7f14..041df2452 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c @@ -424,7 +424,7 @@ cert_status_t verify_by_ocsp(const x509cert_t *cert, time_t *until, chunk_t serialNumber = x509->get_serial(x509); cert_status_t status; ocsp_location_t location; - time_t nextUpdate = 0; + time_t nextUpdate; *revocationDate = UNDEFINED_TIME; *revocationReason = CRL_REASON_UNSPECIFIED; @@ -1008,9 +1008,6 @@ static bool valid_ocsp_response(response_t *res) for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) { - err_t ugh = NULL; - time_t until; - x509cert_t *cert = authcert; certificate_t *certificate = cert->cert; x509_t *x509 = (x509_t*)certificate; @@ -1021,21 +1018,17 @@ static bool valid_ocsp_response(response_t *res) DBG(DBG_CONTROL, DBG_log("subject: '%Y'", subject); DBG_log("issuer: '%Y'", issuer); - if (authKeyID.ptr != NULL) + if (authKeyID.ptr) { DBG_log("authkey: %#B", &authKeyID); } ) - ugh = check_validity(authcert, &until); - - if (ugh != NULL) + if (!certificate->get_validity(certificate, NULL, NULL, NULL)) { - plog("%s", ugh); unlock_authcert_list("valid_ocsp_response"); return FALSE; } - DBG(DBG_CONTROL, DBG_log("certificate is valid") ) diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c index 97074f52e..cf50a5bba 100644 --- a/src/pluto/smartcard.c +++ b/src/pluto/smartcard.c @@ -570,21 +570,15 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session) /* check validity of certificate */ cert = sc->last_cert.u.x509; - valid_until = cert->notAfter; - ugh = check_validity(cert, &valid_until); - if (ugh != NULL) + if (!cert->cert->get_validity(cert->cert, NULL, NULL, &valid_until) { - plog(" %s", ugh); free_x509cert(cert); scx_free(sc); continue; } - else - { - DBG(DBG_CONTROL, - DBG_log(" certificate is valid") - ) - } + DBG(DBG_CONTROL, + DBG_log(" certificate is valid") + ) sc = scx_add(sc); diff --git a/src/pluto/x509.c b/src/pluto/x509.c index 61d263948..77c5156bf 100644 --- a/src/pluto/x509.c +++ b/src/pluto/x509.c @@ -1316,41 +1316,6 @@ void parse_authorityKeyIdentifier(chunk_t blob, int level0, } /** - * Verify the validity of a certificate by - * checking the notBefore and notAfter dates - */ -err_t check_validity(const x509cert_t *cert, time_t *until) -{ - time_t current_time, notBefore, notAfter; - certificate_t *certificate = cert->cert; - - time(¤t_time); - certificate->get_validity(certificate, ¤t_time, ¬Before, ¬After); - DBG(DBG_CONTROL | DBG_PARSING , - DBG_log(" not before : %T", ¬Before, TRUE); - DBG_log(" current time: %T", ¤t_time, TRUE); - DBG_log(" not after : %T", ¬After, TRUE); - ) - - if (*until == 0 || notAfter < *until) - { - *until = notAfter; - } - if (current_time < notBefore) - { - return "certificate is not valid yet"; - } - if (current_time > notAfter) - { - return "certificate has expired"; - } - else - { - return NULL; - } -} - -/** * Verifies a X.509 certificate */ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until) @@ -1367,25 +1332,30 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until) x509_t *x509 = (x509_t*)certificate; chunk_t authKeyID = x509->get_authKeyIdentifier(x509); x509cert_t *issuer_cert; - err_t ugh = NULL; + time_t notBefore, notAfter; + bool valid; DBG(DBG_CONTROL, DBG_log("subject: '%Y'", subject); DBG_log("issuer: '%Y'", issuer); - if (authKeyID.ptr != NULL) + if (authKeyID.ptr) { DBG_log("authkey: %#B", &authKeyID); } ) - ugh = check_validity(cert, until); - - if (ugh != NULL) + valid = certificate->get_validity(certificate, NULL, + ¬Before, ¬After); + if (*until == UNDEFINED_TIME || notAfter < *until) { - plog("%s", ugh); + *until = notAfter; + } + if (!valid) + { + plog("certificate is invalid (valid from %T to %T)", + ¬Before, FALSE, ¬After, FALSE); return FALSE; } - DBG(DBG_CONTROL, DBG_log("certificate is valid") ) diff --git a/src/pluto/x509.h b/src/pluto/x509.h index a61d6c06b..e9b61a492 100644 --- a/src/pluto/x509.h +++ b/src/pluto/x509.h @@ -77,7 +77,6 @@ extern void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber); extern chunk_t get_directoryName(chunk_t blob, int level, bool implicit); -extern err_t check_validity(const x509cert_t *cert, time_t *until); extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm, certificate_t *issuer_cert); extern chunk_t x509_build_signature(chunk_t tbs, int algorithm, diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat index 039cec346..a0cd21789 100644 --- a/testing/tests/ikev1/crl-ldap/evaltest.dat +++ b/testing/tests/ikev1/crl-ldap/evaltest.dat @@ -1,7 +1,7 @@ moon::cat /var/log/auth.log::loaded crl from::YES carol::cat /var/log/auth.log::loaded crl from::YES -moon::cat /var/log/auth.log::crl update is overdue::YES -carol::cat /var/log/auth.log::crl update is overdue::YES +moon::cat /var/log/auth.log::crl is stale ::YES +carol::cat /var/log/auth.log::crl is stale::YES moon::cat /var/log/auth.log::X.509 certificate rejected::YES carol::cat /var/log/auth.log::X.509 certificate rejected::YES moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES |