Diffstat (limited to 'src/libstrongswan/plugins')
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_crl.c | 6 | ||||
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_sha1_prf.c | 1 | ||||
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_x509.c | 19 | ||||
-rw-r--r-- | src/libstrongswan/plugins/pem/pem_encoder.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/pgp/pgp_cert.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/pgp/pgp_encoder.c | 1 | ||||
-rw-r--r-- | src/libstrongswan/plugins/pubkey/pubkey_cert.c | 11 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ac.c | 7 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 24 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_crl.c | 7 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ocsp_request.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_ocsp_response.c | 6 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_pkcs10.c | 31 |
13 files changed, 75 insertions, 44 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 663f0915d..171b7d684 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -284,7 +284,7 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t,
 METHOD(certificate_t, issued_by, bool,
 	private_openssl_crl_t *this, certificate_t *issuer,
-	signature_scheme_t *scheme)
+	signature_params_t **scheme)
 {
 	chunk_t fingerprint, tbs;
 	public_key_t *key;
@@ -338,7 +338,9 @@ METHOD(certificate_t, issued_by, bool,
 	key->destroy(key);
 	if (valid && scheme)
 	{
-		*scheme = this->scheme;
+		INIT(*scheme,
+			.scheme = this->scheme,
+		);
 	}
 	return valid;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
index f6df03f12..3a6d2f193 100644
--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -20,6 +20,7 @@
 #include "openssl_sha1_prf.h"
 #include <openssl/sha.h>
+#include <crypto/hashers/hasher.h>
 typedef struct private_openssl_sha1_prf_t private_openssl_sha1_prf_t;
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 7e077e74d..d2773e3f8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -384,7 +384,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 METHOD(certificate_t, issued_by, bool,
 	private_openssl_x509_t *this, certificate_t *issuer,
-	signature_scheme_t *scheme)
+	signature_params_t **scheme)
 {
 	public_key_t *key;
 	bool valid;
@@ -392,11 +392,16 @@ METHOD(certificate_t, issued_by, bool,
 	ASN1_BIT_STRING *sig;
 	chunk_t tbs;
+	if (this->scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
 	if (&this->public.x509.interface == issuer)
 	{
 		if (this->flags & X509_SELF_SIGNED)
 		{
-			return TRUE;
+			valid = TRUE;
+			goto out;
 		}
 	}
 	else
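Review bot: The self-signed shortcut `valid = TRUE; goto out;` still performs no signature check in this call and trusts the X509_SELF_SIGNED flag alone, so the params object handed back at `out` reports `this->scheme` for a signature that was not verified here. That is only sound if the flag is set exclusively after a successful verification during parsing, which this hunk cannot show; a comment above the shortcut such as `/* X509_SELF_SIGNED is only set once the signature verified at parse time */` would pin that assumption for the next reader. Putting the SIGN_UNKNOWN test ahead of the shortcut is the right order, since a self-signed certificate with an unrecognised algorithm is now rejected rather than trusted. issued_by continues past the end of this hunk.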
@@ -414,10 +419,6 @@ METHOD(certificate_t, issued_by, bool,
 			return FALSE;
 		}
 	}
-	if (this->scheme == SIGN_UNKNOWN)
-	{
-		return FALSE;
-	}
 	key = issuer->get_public_key(issuer);
 	if (!key)
 	{
@@ -434,9 +435,13 @@ METHOD(certificate_t, issued_by, bool,
 						   openssl_asn1_str2chunk(sig));
 	free(tbs.ptr);
 	key->destroy(key);
+
+out:
 	if (valid && scheme)
 	{
-		*scheme = this->scheme;
+		INIT(*scheme,
+			.scheme = this->scheme,
+		);
 	}
 	return valid;
 }
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
index 76b0b7b40..8c6c5dae7 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.c
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -15,6 +15,8 @@
 #include "pem_encoder.h"
+#include <library.h>
+
 #define BYTES_PER_LINE 48
 /**
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c
index 0ffce4cfc..392ef5440 100644
--- a/src/libstrongswan/plugins/pgp/pgp_cert.c
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by,bool,
-	private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme)
+	private_pgp_cert_t *this, certificate_t *issuer, signature_params_t **scheme)
 {
 	/* TODO: check signature blobs for a valid signature */
 	return FALSE;
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c
index 100f3ef33..eba936b83 100644
--- a/src/libstrongswan/plugins/pgp/pgp_encoder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c
@@ -15,6 +15,7 @@
 #include "pgp_encoder.h"
+#include <library.h>
 #include <utils/debug.h>
 /**
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 0631a6857..81dad65b7 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
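Review bot: `INIT(*scheme, ...)` at the `out` label heap-allocates a fresh signature_params_t and hands ownership to the caller, but it also overwrites whatever `*scheme` already pointed to, so a caller that reuses the same out-pointer across several issued_by calls leaks the earlier object. Because a successful return now has an allocation as a side effect, the contract deserves a line at the allocation site, e.g. `/* allocated on success; the caller owns and must destroy *scheme */`, and the same wording in the certificate_t interface header, which is outside this diff. If the freeing helper for signature_params_t exists it should be named there too; its name cannot be confirmed from these hunks. The beginning of issued_by lies in the previous hunk.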
@@ -137,13 +137,16 @@ METHOD(certificate_t, equals, bool,
 METHOD(certificate_t, issued_by, bool,
 	private_pubkey_cert_t *this, certificate_t *issuer,
-	signature_scheme_t *scheme)
+	signature_params_t **scheme)
 {
-	if (scheme)
+	bool valid = equals(this, issuer);
+	if (valid && scheme)
 	{
-		*scheme = SIGN_UNKNOWN;
+		INIT(*scheme,
+			.scheme = SIGN_UNKNOWN,
+		);
 	}
-	return equals(this, issuer);
+	return valid;
 }
 METHOD(certificate_t, get_public_key, public_key_t*,
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 2a1ef638b..c0a64fc5d 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -886,7 +886,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
-	private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
+	private_x509_ac_t *this, certificate_t *issuer,
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -938,7 +939,9 @@ METHOD(certificate_t, issued_by, bool,
 	key->destroy(key);
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 6d2fb9de7..9bb272a4f 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
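Review bot: A raw public key carries no signature, yet on a match the pubkey_cert hunk now hands back an allocated signature_params_t with `.scheme = SIGN_UNKNOWN`, so a caller that treats any returned params as a verified scheme (for example when enforcing signature-strength constraints on a trust chain) receives an object describing no signature at all. If that is the intended meaning, say so above the INIT: `/* nothing was signed; SIGN_UNKNOWN tells callers no scheme constraints apply */`. Whether any caller actually distinguishes SIGN_UNKNOWN from a real scheme cannot be seen in this diff, so that should be checked before relying on it. The ownership of the allocated object passes to the caller here as in the other hunks.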
@@ -1677,18 +1677,26 @@ METHOD(certificate_t, has_issuer, id_match_t,
 METHOD(certificate_t, issued_by, bool,
 	private_x509_cert_t *this, certificate_t *issuer,
-	signature_scheme_t *schemep)
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
+	/* determine signature scheme */
+	scheme = signature_scheme_from_oid(this->algorithm);
+	if (scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
+
 	if (&this->public.interface.interface == issuer)
 	{
 		if (this->flags & X509_SELF_SIGNED)
 		{
-			return TRUE;
+			valid = TRUE;
+			goto out;
 		}
 	}
 	else
@@ -1707,12 +1715,6 @@ METHOD(certificate_t, issued_by, bool,
 		return FALSE;
 	}
-	/* determine signature scheme */
-	scheme = signature_scheme_from_oid(this->algorithm);
-	if (scheme == SIGN_UNKNOWN)
-	{
-		return FALSE;
-	}
 	/* get the public key of the issuer */
 	key = issuer->get_public_key(issuer);
 	if (!key)
@@ -1722,9 +1724,13 @@ METHOD(certificate_t, issued_by, bool,
 	valid = key->verify(key, scheme, NULL, this->tbsCertificate,
 						this->signature);
 	key->destroy(key);
+
+out:
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 8ea70252f..2712ad83e 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -457,7 +457,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 METHOD(certificate_t, issued_by, bool,
-	private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
+	private_x509_crl_t *this, certificate_t *issuer,
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -506,7 +507,9 @@ METHOD(certificate_t, issued_by, bool,
 	key->destroy(key);
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }
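Review bot: In the x509_cert hunk at line 1677 the `/* determine signature scheme */` comment no longer explains why the lookup was hoisted above the self-signed shortcut, and the reason is security-relevant: a self-signed certificate whose algorithm OID maps to SIGN_UNKNOWN is now refused instead of trusted via `valid = TRUE; goto out;`. Extending the comment to `/* determine signature scheme first; self-signed certs with unknown algorithms must not be trusted either */` keeps a future reorder from reintroducing the gap. The shortcut itself still verifies nothing in this call and presumably depends on X509_SELF_SIGNED being set only after a parse-time verification, which the hunks do not show. The function's else branch and its issuer type check lie between this hunk and the next.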
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index de2ad9878..de22ab6be 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -372,7 +372,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 METHOD(certificate_t, issued_by, bool,
 	private_x509_ocsp_request_t *this, certificate_t *issuer,
-	signature_scheme_t *scheme)
+	signature_params_t **scheme)
 {
 	DBG1(DBG_LIB, "OCSP request validation not implemented!");
 	return FALSE;
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index fd0d84e48..e803c185c 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -703,7 +703,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 METHOD(certificate_t, issued_by, bool,
 	private_x509_ocsp_response_t *this, certificate_t *issuer,
-	signature_scheme_t *schemep)
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -758,7 +758,9 @@ METHOD(certificate_t, issued_by, bool,
 	key->destroy(key);
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index beeb436ab..019ccf7c1 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -124,7 +124,7 @@ METHOD(certificate_t, has_subject, id_match_t,
 METHOD(certificate_t, issued_by, bool,
 	private_x509_pkcs10_t *this, certificate_t *issuer,
-	signature_scheme_t *schemep)
+	signature_params_t **schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -134,29 +134,32 @@ METHOD(certificate_t, issued_by, bool,
 	{
 		return FALSE;
 	}
-	if (this->self_signed)
-	{
-		return TRUE;
-	}
-
 	/* determine signature scheme */
 	scheme = signature_scheme_from_oid(this->algorithm);
 	if (scheme == SIGN_UNKNOWN)
 	{
 		return FALSE;
 	}
-
-	/* get the public key contained in the certificate request */
-	key = this->public_key;
-	if (!key)
+	if (this->self_signed)
 	{
-		return FALSE;
+		valid = TRUE;
+	}
+	else
+	{
+		/* get the public key contained in the certificate request */
+		key = this->public_key;
+		if (!key)
+		{
+			return FALSE;
+		}
+		valid = key->verify(key, scheme, NULL, this->certificationRequestInfo,
+							this->signature);
 	}
-	valid = key->verify(key, scheme, NULL, this->certificationRequestInfo,
-						this->signature);
 	if (valid && schemep)
 	{
-		*schemep = scheme;
+		INIT(*schemep,
+			.scheme = scheme,
+		);
 	}
 	return valid;
 }
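Review bot: The `if (this->self_signed)` branch sets `valid = TRUE` without touching the request's signature, and then reports `scheme` through the freshly allocated params object as though it had been verified in this call; that only holds if `self_signed` was set at parse time by a verification using the embedded key, which these hunks cannot confirm. A one-line comment in the branch, `/* self_signed was established by verifying with the embedded key at parse time */`, would make the dependency explicit and easier to audit. Placing the SIGN_UNKNOWN rejection ahead of that branch is correct, since an unsupported algorithm in a self-signed request is now refused. The `valid` declaration and the closing of issued_by's preceding condition are outside this hunk.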