diff options
Diffstat (limited to 'src/charon/config')
| -rw-r--r-- | src/charon/config/connections/connection.c | 18 | ||||
| -rw-r--r-- | src/charon/config/connections/connection.h | 2 | ||||
| -rwxr-xr-x | src/charon/config/credentials/credential_store.h | 24 | ||||
| -rw-r--r-- | src/charon/config/credentials/local_credential_store.c | 194 | ||||
| -rw-r--r-- | src/charon/config/policies/policy.c | 23 | ||||
| -rw-r--r-- | src/charon/config/policies/policy.h | 8 |
6 files changed, 205 insertions, 64 deletions
diff --git a/src/charon/config/connections/connection.c b/src/charon/config/connections/connection.c index f3c4bddfb..ce1f0f31a 100644 --- a/src/charon/config/connections/connection.c +++ b/src/charon/config/connections/connection.c @@ -72,7 +72,7 @@ struct private_connection_t { /** * should we send a certificate request? */ - cert_policy_t cert_req_policy; + cert_policy_t certreq_policy; /** * should we send a certificates? @@ -122,11 +122,11 @@ static bool is_ikev2 (private_connection_t *this) } /** - * Implementation of connection_t.get_cert_req_policy. + * Implementation of connection_t.get_certreq_policy. */ -static cert_policy_t get_cert_req_policy (private_connection_t *this) +static cert_policy_t get_certreq_policy (private_connection_t *this) { - return this->cert_req_policy; + return this->certreq_policy; } /** @@ -295,7 +295,8 @@ static connection_t *clone(private_connection_t *this) proposal_t *proposal; private_connection_t *clone = (private_connection_t*)connection_create( this->name, this->ikev2, - this->cert_policy, this->cert_req_policy, + this->cert_policy, + this->certreq_policy, this->my_host->clone(this->my_host), this->other_host->clone(this->other_host), this->auth_method); @@ -336,7 +337,8 @@ static void destroy(private_connection_t *this) * Described in header. */ connection_t * connection_create(char *name, bool ikev2, - cert_policy_t cert_policy, cert_policy_t cert_req_policy, + cert_policy_t cert_policy, + cert_policy_t certreq_policy, host_t *my_host, host_t *other_host, auth_method_t auth_method) { @@ -346,7 +348,7 @@ connection_t * connection_create(char *name, bool ikev2, this->public.get_name = (char*(*)(connection_t*))get_name; this->public.is_ikev2 = (bool(*)(connection_t*))is_ikev2; this->public.get_cert_policy = (cert_policy_t(*)(connection_t*))get_cert_policy; - this->public.get_cert_req_policy = (cert_policy_t(*)(connection_t*))get_cert_req_policy; + this->public.get_certreq_policy = (cert_policy_t(*)(connection_t*))get_certreq_policy; this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host; this->public.update_my_host = (void(*)(connection_t*,host_t*))update_my_host; this->public.update_other_host = (void(*)(connection_t*,host_t*))update_other_host; @@ -364,7 +366,7 @@ connection_t * connection_create(char *name, bool ikev2, this->name = strdup(name); this->ikev2 = ikev2; this->cert_policy = cert_policy; - this->cert_req_policy = cert_req_policy; + this->certreq_policy = certreq_policy; this->my_host = my_host; this->other_host = other_host; this->auth_method = auth_method; diff --git a/src/charon/config/connections/connection.h b/src/charon/config/connections/connection.h index 50563da4e..de6cb4616 100644 --- a/src/charon/config/connections/connection.h +++ b/src/charon/config/connections/connection.h @@ -228,7 +228,7 @@ struct connection_t { * @param this calling object * @return - TRUE, if certificate request should be sent */ - cert_policy_t (*get_cert_req_policy) (connection_t *this); + cert_policy_t (*get_certreq_policy) (connection_t *this); /** * @brief Should be sent a certificate for this connection? diff --git a/src/charon/config/credentials/credential_store.h b/src/charon/config/credentials/credential_store.h index b1dd87784..d08a451c0 100755 --- a/src/charon/config/credentials/credential_store.h +++ b/src/charon/config/credentials/credential_store.h @@ -63,8 +63,6 @@ struct credential_store_t { /** * @brief Returns the RSA public key of a specific ID. * - * The returned rsa_public_key_t must be destroyed by the caller after usage. - * * @param this calling object * @param id identification_t object identifiying the key. * @return public key, or NULL if not found @@ -72,6 +70,15 @@ struct credential_store_t { rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id); /** + * @brief Returns the RSA public key of a specific ID if is trusted + * + * @param this calling object + * @param id identification_t object identifiying the key. + * @return public key, or NULL if not found or not trusted + */ + rsa_public_key_t* (*get_trusted_public_key) (credential_store_t *this, identification_t *id); + + /** * @brief Returns the RSA private key belonging to an RSA public key * * The returned rsa_private_key_t must be destroyed by the caller after usage. @@ -92,14 +99,23 @@ struct credential_store_t { bool (*has_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey); /** + * @brief Returns the certificate of a specific ID. + * + * @param this calling object + * @param id identification_t object identifiying the key. + * @return certificate, or NULL if not found + */ + x509_t* (*get_certificate) (credential_store_t *this, identification_t *id); + + /** * @brief Verify an X.509 certificate up to trust anchor including revocation checks * * @param this calling object * @param cert certificate to be verified - * @param until time until which the cert can be trusted + * @param found found a certificate copy in the credential store * @return TRUE if trusted */ - bool (*verify) (credential_store_t *this, const x509_t *cert, time_t *until); + bool (*verify) (credential_store_t *this, x509_t *cert, bool *found); /** * @brief If an end certificate does not already exists in the credential store then add it. diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c index 53e9cb64f..96c16d7ae 100644 --- a/src/charon/config/credentials/local_credential_store.c +++ b/src/charon/config/credentials/local_credential_store.c @@ -25,6 +25,7 @@ #include <string.h> #include <pthread.h> +#include <types.h> #include <utils/lexparser.h> #include <utils/linked_list.h> #include <utils/logger_manager.h> @@ -96,11 +97,11 @@ static status_t get_shared_secret(private_local_credential_store_t *this, identi } /** - * Implementation of local_credential_store_t.get_rsa_public_key. + * Implementation of credential_store_t.get_certificate. */ -static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *this, identification_t *id) +static x509_t* get_certificate(private_local_credential_store_t *this, identification_t * id) { - rsa_public_key_t *found = NULL; + x509_t *found = NULL; iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE); @@ -112,7 +113,7 @@ static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *th if (id->equals(id, cert->get_subject(cert)) || cert->equals_subjectAltName(cert, id)) { - found = cert->get_public_key(cert); + found = cert; break; } } @@ -121,6 +122,52 @@ static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *th } /** + * Implementation of local_credential_store_t.get_rsa_public_key. + */ +static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *this, identification_t *id) +{ + x509_t *cert = get_certificate(this, id); + + return (cert == NULL)? NULL:cert->get_public_key(cert); +} + +/** + * Implementation of local_credential_store_t.get_trusted_public_key. + */ +static rsa_public_key_t *get_trusted_public_key(private_local_credential_store_t *this, identification_t *id) +{ + cert_status_t status; + err_t ugh; + + x509_t *cert = get_certificate(this, id); + + if (cert == NULL) + return NULL; + + ugh = cert->is_valid(cert, NULL); + if (ugh != NULL) + { + this->logger->log(this->logger, ERROR, "certificate %s"); + return NULL; + } + + status = cert->get_status(cert); + if (status == CERT_REVOKED || status == CERT_UNTRUSTED || (this->strict && status != CERT_GOOD)) + { + this->logger->log(this->logger, ERROR, "certificate status: %s", + enum_name(&cert_status_names, status)); + return NULL; + } + if (status == CERT_GOOD && cert->get_until(cert) < time(NULL)) + { + this->logger->log(this->logger, ERROR, "certificate is good but crl is stale"); + return NULL; + } + + return cert->get_public_key(cert); +} + +/** * Implementation of local_credential_store_t.get_rsa_private_key. */ static rsa_private_key_t *get_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey) @@ -241,7 +288,6 @@ static cert_status_t verify_by_crl(private_local_credential_store_t* this, const issuer_public_key = issuer_cert->get_public_key(issuer_cert); valid_signature = crl->verify(crl, issuer_public_key); - issuer_public_key->destroy(issuer_public_key); if (!valid_signature) { @@ -268,21 +314,47 @@ static cert_status_t verify_by_ocsp(private_local_credential_store_t* this, } /** - * Remove a public key for the linked list - */ -static void remove_public_key(private_local_credential_store_t *this, const x509_t *cert) + * Find an exact copy of a certificate in a linked list + */ +static x509_t* find_certificate_copy(linked_list_t *certs, x509_t *cert) { - /* TODO implement function */ + x509_t *found_cert = NULL; + + iterator_t *iterator = certs->create_iterator(certs, TRUE); + + while (iterator->has_next(iterator)) + { + x509_t *current_cert; + + iterator->current(iterator, (void**)¤t_cert); + if (cert->equals(cert, current_cert)) + { + found_cert = current_cert; + break; + } + } + iterator->destroy(iterator); + + return found_cert; } /** * Implementation of credential_store_t.verify. */ -static bool verify(private_local_credential_store_t *this, const x509_t *cert, time_t *until) +static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *found) { int pathlen; + time_t until = UNDEFINED_TIME; + + x509_t *end_cert = cert; + x509_t *cert_copy = find_certificate_copy(this->certs, end_cert); - *until = UNDEFINED_TIME; + *found = (cert_copy != NULL); + if (*found) + { + this->logger->log(this->logger, CONTROL|LEVEL1, + "end entitity certificate is already in credential store"); + } for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) { @@ -297,7 +369,7 @@ static bool verify(private_local_credential_store_t *this, const x509_t *cert, t this->logger->log(this->logger, CONTROL|LEVEL1, "subject: '%s'", subject->get_string(subject)); this->logger->log(this->logger, CONTROL|LEVEL1, "issuer: '%s'", issuer->get_string(issuer)); - ugh = cert->is_valid(cert, until); + ugh = cert->is_valid(cert, &until); if (ugh != NULL) { this->logger->log(this->logger, ERROR, "certificate %s", ugh); @@ -315,7 +387,6 @@ static bool verify(private_local_credential_store_t *this, const x509_t *cert, t issuer_public_key = issuer_cert->get_public_key(issuer_cert); valid_signature = cert->verify(cert, issuer_public_key); - issuer_public_key->destroy(issuer_public_key); if (!valid_signature) { @@ -328,6 +399,14 @@ static bool verify(private_local_credential_store_t *this, const x509_t *cert, t if (pathlen > 0 && cert->is_self_signed(cert)) { this->logger->log(this->logger, CONTROL|LEVEL1, "reached self-signed root ca"); + + /* set the definite status and trust interval of the end entity certificate */ + end_cert->set_until(end_cert, until); + if (cert_copy) + { + cert_copy->set_status(cert_copy, end_cert->get_status(end_cert)); + cert_copy->set_until(cert_copy, until); + } return TRUE; } else @@ -336,7 +415,7 @@ static bool verify(private_local_credential_store_t *this, const x509_t *cert, t cert_status_t status; certinfo_t *certinfo = certinfo_create(cert->get_serialNumber(cert)); - certinfo->set_nextUpdate(certinfo, *until); + certinfo->set_nextUpdate(certinfo, until); /* first check certificate revocation using ocsp */ status = verify_by_ocsp(this, cert, certinfo); @@ -348,24 +427,27 @@ static bool verify(private_local_credential_store_t *this, const x509_t *cert, t } nextUpdate = certinfo->get_nextUpdate(certinfo); + cert->set_status(cert, status); switch (status) { case CERT_GOOD: + /* set nextUpdate */ + cert->set_until(cert, nextUpdate); + /* if status information is stale */ if (this->strict && nextUpdate < time(NULL)) { this->logger->log(this->logger, CONTROL|LEVEL1, "certificate is good but status is stale"); - remove_public_key(this, cert); return FALSE; } this->logger->log(this->logger, CONTROL|LEVEL1, "certificate is good"); - + /* with strict crl policy the public key must have the same * lifetime as the validity of the ocsp status or crl lifetime */ - if (this->strict && nextUpdate < *until) - *until = nextUpdate; + if (this->strict && nextUpdate < until) + until = nextUpdate; break; case CERT_REVOKED: { @@ -375,7 +457,23 @@ static bool verify(private_local_credential_store_t *this, const x509_t *cert, t timetoa(buf, TIMETOA_BUF, &revocationTime, TRUE); this->logger->log(this->logger, ERROR, "certificate was revoked on %s, reason: %s", buf, certinfo->get_revocationReason(certinfo)); - remove_public_key(this, cert); + + /* set revocationTime */ + cert->set_until(cert, revocationTime); + + /* update status of end certificate in the credential store */ + if (cert_copy) + { + if (pathlen > 0) + { + cert_copy->set_status(cert_copy, CERT_UNTRUSTED); + } + else + { + cert_copy->set_status(cert_copy, CERT_REVOKED); + cert_copy->set_until(cert_copy, certinfo->get_revocationTime(certinfo)); + } + } return FALSE; } case CERT_UNKNOWN: @@ -384,7 +482,11 @@ static bool verify(private_local_credential_store_t *this, const x509_t *cert, t this->logger->log(this->logger, CONTROL|LEVEL1, "certificate status unknown"); if (this->strict) { - remove_public_key(this, cert); + /* update status of end certificate in the credential store */ + if (cert_copy) + { + cert_copy->set_status(cert_copy, CERT_UNTRUSTED); + } return FALSE; } break; @@ -403,30 +505,18 @@ static bool verify(private_local_credential_store_t *this, const x509_t *cert, t */ static x509_t* add_certificate(linked_list_t *certs, x509_t *cert) { - bool found = FALSE; - - iterator_t *iterator = certs->create_iterator(certs, TRUE); + x509_t *found_cert = find_certificate_copy(certs, cert); - while (iterator->has_next(iterator)) + if (found_cert) { - x509_t *current_cert; - - iterator->current(iterator, (void**)¤t_cert); - if (cert->equals(cert, current_cert)) - { - found = TRUE; - cert->destroy(cert); - cert = current_cert; - break; - } + cert->destroy(cert); + return found_cert; } - iterator->destroy(iterator); - - if (!found) + else { certs->insert_last(certs, (void*)cert); + return cert; } - return cert; } /** @@ -829,20 +919,22 @@ local_credential_store_t * local_credential_store_create(bool strict) { private_local_credential_store_t *this = malloc_thing(private_local_credential_store_t); - this->public.credential_store.get_shared_secret = (status_t(*)(credential_store_t*,identification_t*,chunk_t*))get_shared_secret; - this->public.credential_store.get_rsa_private_key = (rsa_private_key_t*(*)(credential_store_t*,rsa_public_key_t*))get_rsa_private_key; - this->public.credential_store.has_rsa_private_key = (bool(*)(credential_store_t*,rsa_public_key_t*))has_rsa_private_key; + this->public.credential_store.get_shared_secret = (status_t (*) (credential_store_t*,identification_t*,chunk_t*))get_shared_secret; this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key; - this->public.credential_store.verify = (bool(*)(credential_store_t*,const x509_t*,time_t*))verify; - this->public.credential_store.add_end_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_end_certificate; - this->public.credential_store.add_ca_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_ca_certificate; - this->public.credential_store.log_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_certificates; - this->public.credential_store.log_ca_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_ca_certificates; - this->public.credential_store.log_crls = (void(*)(credential_store_t*,logger_t*,bool))log_crls; - this->public.credential_store.load_ca_certificates = (void(*)(credential_store_t*))load_ca_certificates; - this->public.credential_store.load_crls = (void(*)(credential_store_t*))load_crls; - this->public.credential_store.load_private_keys = (void(*)(credential_store_t*))load_private_keys; - this->public.credential_store.destroy = (void(*)(credential_store_t*))destroy; + this->public.credential_store.get_rsa_private_key = (rsa_private_key_t* (*) (credential_store_t*,rsa_public_key_t*))get_rsa_private_key; + this->public.credential_store.has_rsa_private_key = (bool (*) (credential_store_t*,rsa_public_key_t*))has_rsa_private_key; + this->public.credential_store.get_trusted_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_trusted_public_key; + this->public.credential_store.get_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_certificate; + this->public.credential_store.verify = (bool (*) (credential_store_t*,x509_t*,bool*))verify; + this->public.credential_store.add_end_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_end_certificate; + this->public.credential_store.add_ca_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_ca_certificate; + this->public.credential_store.log_certificates = (void (*) (credential_store_t*,logger_t*,bool))log_certificates; + this->public.credential_store.log_ca_certificates = (void (*) (credential_store_t*,logger_t*,bool))log_ca_certificates; + this->public.credential_store.log_crls = (void (*) (credential_store_t*,logger_t*,bool))log_crls; + this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates; + this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls; + this->public.credential_store.load_private_keys = (void (*) (credential_store_t*))load_private_keys; + this->public.credential_store.destroy = (void (*) (credential_store_t*))destroy; /* initialize mutexes */ pthread_mutex_init(&(this->crls_mutex), NULL); diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c index ac8ae89b7..9e163f9de 100644 --- a/src/charon/config/policies/policy.c +++ b/src/charon/config/policies/policy.c @@ -68,6 +68,11 @@ struct private_policy_t { identification_t *other_ca; /** + * updown script + */ + char *updown; + + /** * list for all proposals */ linked_list_t *proposals; @@ -304,6 +309,14 @@ static void add_authorities(private_policy_t *this, identification_t *my_ca, ide } /** + * Implementation of policy_t.add_updown + */ +static void add_updown(private_policy_t *this, char *updown) +{ + this->updown = (updown == NULL)? NULL:strdup(updown); +} + +/** * Implementation of policy_t.add_my_traffic_selector */ static void add_my_traffic_selector(private_policy_t *this, traffic_selector_t *traffic_selector) @@ -371,6 +384,9 @@ static policy_t *clone(private_policy_t *this) { clone->other_ca = this->other_ca->clone(this->other_ca); } + + /* clone updown script */ + clone->updown = (this->updown == NULL)? NULL:strdup(this->updown); /* clone all proposals */ iterator = this->proposals->create_iterator(this->proposals, TRUE); @@ -445,6 +461,12 @@ static status_t destroy(private_policy_t *this) this->other_ca->destroy(this->other_ca); } + /* delete updown script */ + if (this->updown) + { + free(this->updown); + } + /* delete ids */ this->my_id->destroy(this->my_id); this->other_id->destroy(this->other_id); @@ -481,6 +503,7 @@ policy_t *policy_create(char *name, identification_t *my_id, identification_t *o this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector; this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal; this->public.add_authorities = (void(*)(policy_t*,identification_t*, identification_t*))add_authorities; + this->public.add_updown = (void(*)(policy_t*,identification_t*,char*))add_updown; this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime; this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime; this->public.clone = (policy_t*(*)(policy_t*))clone; diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h index 089d75112..e6728b3d7 100644 --- a/src/charon/config/policies/policy.h +++ b/src/charon/config/policies/policy.h @@ -239,6 +239,14 @@ struct policy_t { void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca); /** + * @brief Add updown script + * + * @param this calling object + * @param updown updown script + */ + void (*add_updown) (policy_t *this, char *updown); + + /** * @brief Get the lifetime of a policy, before rekeying starts. * * A call to this function automatically adds a jitter to |