Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.am16
-rw-r--r--src/pluto/ac.c2
-rw-r--r--src/pluto/alg_info.c7
-rw-r--r--src/pluto/constants.c14
-rw-r--r--src/pluto/constants.h9
-rw-r--r--src/pluto/crl.c2
-rw-r--r--src/pluto/defs.h7
-rw-r--r--src/pluto/demux.c2
-rw-r--r--src/pluto/fetch.c2
-rw-r--r--src/pluto/id.c2
-rw-r--r--src/pluto/ike_alg.c8
-rw-r--r--src/pluto/kernel.c2
-rw-r--r--src/pluto/keys.c2
-rw-r--r--src/pluto/modecfg.c179
-rw-r--r--src/pluto/nat_traversal.c4
-rw-r--r--src/pluto/pem.c5
-rw-r--r--src/pluto/pgp.c4
-rw-r--r--src/pluto/plutomain.c8
-rw-r--r--src/pluto/server.c6
-rw-r--r--src/pluto/smartcard.c4
-rw-r--r--src/pluto/state.c22
-rw-r--r--src/pluto/vendor.c4
-rw-r--r--src/pluto/virtual.c18
-rw-r--r--src/pluto/x509.c166
24 files changed, 377 insertions, 118 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index f788bc3d1..d3e7ddc89 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -84,11 +84,12 @@ AM_CFLAGS = \
-DIPSEC_CONFDIR=\"${confdir}\" \
-DIPSEC_PIDDIR=\"${piddir}\" \
-DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
+-DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
-DPLUTO -DKLIPS -DDEBUG
pluto_LDADD = \
-oid.o \
+oid.o debug.o linked_list.o enumerator.o settings.o \
$(LIBFREESWANDIR)/libfreeswan.a \
$(LIBCRYPTODIR)/libcrypto.a \
-lgmp -lresolv -lpthread -ldl
@@ -99,9 +100,22 @@ $(LIBFREESWANDIR)/libfreeswan.a \
dist_man_MANS = pluto.8 ipsec.secrets.5
+# Copy functions from libstrongswan
oid.o : $(LIBSTRONGSWANDIR)/asn1/oid.c $(LIBSTRONGSWANDIR)/asn1/oid.h
$(COMPILE) -c -o $@ $<
+debug.o : $(LIBSTRONGSWANDIR)/debug.c $(LIBSTRONGSWANDIR)/debug.h
+ $(COMPILE) -c -o $@ $<
+
+linked_list.o : $(LIBSTRONGSWANDIR)/utils/linked_list.c $(LIBSTRONGSWANDIR)/utils/linked_list.h
+ $(COMPILE) -c -o $@ $<
+
+enumerator.o : $(LIBSTRONGSWANDIR)/utils/enumerator.c $(LIBSTRONGSWANDIR)/utils/enumerator.h
+ $(COMPILE) -c -o $@ $<
+
+settings.o : $(LIBSTRONGSWANDIR)/settings.c $(LIBSTRONGSWANDIR)/settings.h
+ $(COMPILE) -c -o $@ $<
+
# This compile option activates the sending of a strongSwan VID
if USE_VENDORID
AM_CFLAGS += -DVENDORID
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index 12f4f68d8..171f6edec 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -321,7 +321,7 @@ static bool
same_attribute(const ietfAttr_t *a, const ietfAttr_t *b)
{
return (a->kind == b->kind && a->value.len == b->value.len
- && memcmp(a->value.ptr, b->value.ptr, b->value.len) == 0);
+ && memeq(a->value.ptr, b->value.ptr, b->value.len));
}
bool
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index c998e54e9..ba2fead7a 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -171,12 +171,15 @@ static int
ealg_getbyname_esp(const char *const str, int len)
{
if (!str || !*str)
+ {
return -1;
+ }
/* leave special case for eg: "id248" string */
- if (strcmp("id", str) == 0)
+ if (streq("id", str))
+ {
return ESP_MAGIC_ID;
-
+ }
return enum_search_prefix(&esp_transformid_names, "ESP_", str, len);
}
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 70215441b..7ae04e0c4 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -1208,14 +1208,20 @@ enum_search(enum_names *ed, const char *str)
unsigned en;
for (p = ed; p != NULL; p = p->en_next_range)
+ {
for (en = p->en_first; en <= p->en_last ;en++)
{
ptr = p->en_names[en - p->en_first];
- if (ptr == 0) continue;
- /* if (strncmp(ptr, str, strlen(ptr))==0) */
- if (strcmp(ptr, str) == 0)
- return en;
+ if (ptr == 0)
+ {
+ continue;
+ }
+ if (streq(ptr, str))
+ {
+ return en;
+ }
}
+ }
return -1;
}
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 13251dc3b..60f431049 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -19,6 +19,8 @@
#ifndef _CONSTANTS_H
#define _CONSTANTS_H
+#include <utils.h>
+
extern const char compile_time_interop_options[];
extern void init_constants(void);
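Review bot: The new `#include <utils.h>` carries no hint of what it is there for, yet after the second hunk of this file removes `typedef int bool`, `TRUE`/`FALSE` and `streq()`, this header silently depends on libstrongswan for all of them and for the `memeq()`/`strneq()` helpers the rest of the commit switches to, while `strcaseeq` stays defined locally a few lines below. A reader of constants.h cannot tell where `bool` or `streq` now come from. A one-line comment on the include would make the dependency explicit, e.g. `/* bool, TRUE/FALSE, streq(), strneq() and memeq() come from libstrongswan's utils.h */`.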
@@ -39,17 +41,10 @@ extern void init_constants(void);
* <freeswan.h> defines err_t for this return type.
*/
-typedef int bool;
-#define FALSE 0
-#define TRUE 1
-
#define NULL_FD (-1) /* NULL file descriptor */
#define dup_any(fd) ((fd) == NULL_FD? NULL_FD : dup(fd))
#define close_any(fd) { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }
-#define BITS_PER_BYTE 8
-
-#define streq(a, b) (strcmp((a), (b)) == 0) /* clearer shorthand */
#define strcaseeq(a, b) (strcasecmp((a), (b)) == 0) /* clearer shorthand */
/* set type with room for at least 64 elements for ALG opts (was 32 in stock FS) */
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 70d075263..add131ca9 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -536,7 +536,7 @@ check_revocation(const x509crl_t *crl, chunk_t serial
{
/* compare serial numbers */
if (revokedCert->userCertificate.len == serial.len &&
- memcmp(revokedCert->userCertificate.ptr, serial.ptr, serial.len) == 0)
+ memeq(revokedCert->userCertificate.ptr, serial.ptr, serial.len))
{
*revocationDate = revokedCert->revocationDate;
*revocationReason = revokedCert->revocationReason;
diff --git a/src/pluto/defs.h b/src/pluto/defs.h
index 44e012665..30a152120 100644
--- a/src/pluto/defs.h
+++ b/src/pluto/defs.h
@@ -32,10 +32,6 @@
# define USED_BY_DEBUG UNUSED
#endif
-/* Length of temporary buffers */
-
-#define BUF_LEN 512
-
/* type of serial number of a state object
* Needed in connections.h and state.h; here to simplify dependencies.
*/
@@ -118,9 +114,6 @@ typedef struct {
int fd;
} prompt_pass_t;
-/* no time defined in time_t */
-#define UNDEFINED_TIME 0
-
/* size of timetoa string buffer */
#define TIMETOA_BUF 30
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 4a28367e1..94a7f714d 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -1713,7 +1713,7 @@ process_packet(struct msg_digest **mdp)
if (st != NULL
&& st->st_rpacket.ptr != NULL
&& st->st_rpacket.len == pbs_room(&md->packet_pbs)
- && memcmp(st->st_rpacket.ptr, md->packet_pbs.start, st->st_rpacket.len) == 0)
+ && memeq(st->st_rpacket.ptr, md->packet_pbs.start, st->st_rpacket.len))
{
if (smc->flags & SMF_RETRANSMIT_ON_DUPLICATE)
{
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index 284ade0d1..e33de6168 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -905,7 +905,7 @@ add_distribution_points(const generalName_t *newPoints ,generalName_t **distribu
{
if (gn->kind == newPoints->kind
&& gn->name.len == newPoints->name.len
- && memcmp(gn->name.ptr, newPoints->name.ptr, gn->name.len) == 0)
+ && memeq(gn->name.ptr, newPoints->name.ptr, gn->name.len))
{
/* skip if the distribution point is already present */
add = FALSE;
diff --git a/src/pluto/id.c b/src/pluto/id.c
index 6c27baac0..c21bab7b2 100644
--- a/src/pluto/id.c
+++ b/src/pluto/id.c
@@ -423,7 +423,7 @@ same_id(const struct id *a, const struct id *b)
case ID_KEY_ID:
return a->name.len == b->name.len
- && memcmp(a->name.ptr, b->name.ptr, a->name.len) == 0;
+ && memeq(a->name.ptr, b->name.ptr, a->name.len);
default:
bad_case(a->kind);
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index 4f8b88170..5e34b272d 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -464,8 +464,8 @@ ike_hash_test(const struct hash_desc *desc)
desc->hash_update(&ctx, desc->hash_testvectors[i].msg
,desc->hash_testvectors[i].msg_size);
desc->hash_final(digest, &ctx);
- result = memcmp(digest, desc->hash_testvectors[i].msg_digest
- , desc->hash_digest_size) == 0;
+ result = memeq(digest, desc->hash_testvectors[i].msg_digest
+ , desc->hash_digest_size);
DBG(DBG_CRYPT,
DBG_log(" hash testvector %d: %s", i, result ? "ok":"failed")
)
@@ -495,8 +495,8 @@ ike_hash_test(const struct hash_desc *desc)
hmac_update(&ctx, desc->hmac_testvectors[i].msg
,desc->hmac_testvectors[i].msg_size);
hmac_final(digest, &ctx);
- result = memcmp(digest, desc->hmac_testvectors[i].hmac
- , desc->hash_digest_size) == 0;
+ result = memeq(digest, desc->hmac_testvectors[i].hmac
+ , desc->hash_digest_size);
DBG(DBG_CRYPT,
DBG_log(" hmac testvector %d: %s", i, result ? "ok":"failed")
)
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 09b4bbaaf..98841bcee 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -2955,7 +2955,7 @@ was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
break;
}
- if (strncmp(line, text_said, strlen(text_said)) == 0)
+ if (strneq(line, text_said, strlen(text_said)))
{
/* we found a match, now try to find idle= */
char *p = strstr(line, idle);
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 6cdf169d8..0c9f53929 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -253,7 +253,7 @@ get_secret(const struct connection *c, enum PrivateKeyKind kind, bool asym)
{
case PPK_PSK:
same = s->u.preshared_secret.len == best->u.preshared_secret.len
- && memcmp(s->u.preshared_secret.ptr, best->u.preshared_secret.ptr, s->u.preshared_secret.len) == 0;
+ && memeq(s->u.preshared_secret.ptr, best->u.preshared_secret.ptr, s->u.preshared_secret.len);
break;
case PPK_RSA:
/* Dirty trick: since we have code to compare
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index 967a0b2a5..45c7230bc 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -26,6 +26,7 @@
#include <string.h>
#include <freeswan.h>
+#include <settings.h>
#include "constants.h"
#include "defs.h"
@@ -42,6 +43,8 @@
#include "xauth.h"
#define MAX_XAUTH_TRIES 3
+#define DNS_SERVER_MAX 2
+#define NBNS_SERVER_MAX 2
#define SUPPORTED_ATTR_SET ( LELEM(INTERNAL_IP4_ADDRESS) \
| LELEM(INTERNAL_IP4_NETMASK) \
@@ -54,6 +57,8 @@
#define UNITY_BANNER_STR "Welcome to strongSwan - the Linux VPN Solution!\n"
+extern settings_t *settings;
+
/*
* Addresses assigned (usually via ModeCfg) to the Initiator
*/
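Review bot: `extern settings_t *settings;` declares from inside a .c file a global that plutomain.c defines later in this diff; an extern placed in a translation unit is never checked against its definition, so a mismatch between the two shows up at link time or not at all. Move the declaration into a header both files include (defs.h is already included here) and keep the extern out of modecfg.c. The declaration should also say who owns the object, e.g. `/* strongswan.conf settings, created in main() and destroyed in exit_pluto() */`, since this file only reads through the pointer.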
@@ -67,8 +72,8 @@ struct internal_addr
/* ModeCfg variables */
ip_address ipaddr;
- ip_address dns[2];
- ip_address wins[2];
+ ip_address dns[DNS_SERVER_MAX];
+ ip_address nbns[NBNS_SERVER_MAX];
char *unity_banner;
@@ -84,6 +89,8 @@ struct internal_addr
static void
init_internal_addr(internal_addr_t *ia)
{
+ int i;
+
ia->attr_set = LEMPTY;
ia->xauth_attr_set = LEMPTY;
ia->xauth_secret.user_name = empty_chunk;
@@ -94,10 +101,18 @@ init_internal_addr(internal_addr_t *ia)
ia->unity_banner = NULL;
anyaddr(AF_INET, &ia->ipaddr);
- anyaddr(AF_INET, &ia->dns[0]);
- anyaddr(AF_INET, &ia->dns[1]);
- anyaddr(AF_INET, &ia->wins[0]);
- anyaddr(AF_INET, &ia->wins[1]);
+
+ /* initialize DNS server information */
+ for (i = 0; i < DNS_SERVER_MAX; i++)
+ {
+ anyaddr(AF_INET, &ia->dns[i]);
+ }
+
+ /* initialize WINS server information */
+ for (i = 0; i < NBNS_SERVER_MAX; i++)
+ {
+ anyaddr(AF_INET, &ia->nbns[i]);
+ }
}
/*
@@ -106,6 +121,8 @@ init_internal_addr(internal_addr_t *ia)
static void
get_internal_addr(struct connection *c, internal_addr_t *ia)
{
+ int i, dns_idx = 0, nbns_idx = 0;
+
if (isanyaddr(&c->spd.that.host_srcip))
{
/* not defined in connection - fetch it from LDAP */
@@ -130,13 +147,60 @@ get_internal_addr(struct connection *c, internal_addr_t *ia)
| LELEM(INTERNAL_IP4_NETMASK);
}
- if (!isanyaddr(&ia->dns[0])) /* We got DNS addresses, send them */
- ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
+ /* assign DNS servers */
+ for (i = 1; i <= DNS_SERVER_MAX; i++)
+ {
+ char dns_key[16], *dns_str;
+
+ snprintf(dns_key, sizeof(dns_key), "pluto.dns%d", i);
+ dns_str = settings->get_str(settings, dns_key, NULL);
+ if (dns_str)
+ {
+ err_t ugh;
+ sa_family_t family = strchr(dns_str, ':') ? AF_INET6 : AF_INET;
- if (!isanyaddr(&ia->wins[0])) /* We got WINS addresses, send them */
- ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
+ ugh = ttoaddr(dns_str, 0, family, &ia->dns[dns_idx]);
+ if (ugh != NULL)
+ {
+ plog("error in DNS server address: %s", ugh);
+ continue;
+ }
+ plog("assigning DNS server %s to peer", dns_str);
+
+ /* differentiate between IP4 and IP6 in modecfg_build_msg() */
+ ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
+ dns_idx++;
+ }
+ }
+
+ /* assign WINS servers */
+ for (i = 1; i <= NBNS_SERVER_MAX; i++)
+ {
+ char nbns_key[16], *nbns_str;
+
+ snprintf(nbns_key, sizeof(nbns_key), "pluto.nbns%d", i);
+ nbns_str = settings->get_str(settings, nbns_key, NULL);
+ if (nbns_str)
+ {
+ err_t ugh;
+ sa_family_t family = strchr(nbns_str, ':') ? AF_INET6 : AF_INET;
+
+ ugh = ttoaddr(nbns_str, 0, family, &ia->nbns[nbns_idx]);
+ if (ugh != NULL)
+ {
+ plog("error in WINS server address: %s", ugh);
+ continue;
+ }
+ plog("assigning NBNS server %s to peer", nbns_str);
+
+ /* differentiate between IP4 and IP6 in modecfg_build_msg() */
+ ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
+ nbns_idx++;
+ }
+ }
}
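Review bot: The DNS and WINS loops are the same 25 lines twice, differing only in the settings-key prefix, the destination array, its bound and the log wording; a small static helper that reads `pluto.<name>1..<max>` and returns how many addresses it stored brings each call site down to a three-line `if`, and makes the shared policy (parse failures are logged and skipped, the attribute bit is set only when at least one address was accepted) live in one place. With the helper, the `i`, `dns_idx` and `nbns_idx` locals declared in the previous hunk become unused. Note also that the removed `if (!isanyaddr(&ia->dns[0]))` test advertised whatever was already in `ia->dns`, whereas the new loops always start writing at index 0 — if any caller fills `ia->dns`/`ia->nbns` before this point (not visible from the hunk), that content is now overwritten. get_internal_addr begins outside this hunk.
```c
/* Read "pluto.<name>1".."pluto.<name><max>" from strongswan.conf into addrs[],
 * skipping entries that do not parse; returns the number of addresses stored. */
static int
get_internal_servers(const char *name, ip_address *addrs, int max)
{
	int i, idx = 0;

	for (i = 1; i <= max; i++)
	{
		char key[16], *str;
		err_t ugh;

		snprintf(key, sizeof(key), "pluto.%s%d", name, i);
		str = settings->get_str(settings, key, NULL);
		if (str == NULL)
		{
			continue;
		}
		ugh = ttoaddr(str, 0, strchr(str, ':') ? AF_INET6 : AF_INET, &addrs[idx]);
		if (ugh != NULL)
		{
			plog("error in %s server address: %s", name, ugh);
			continue;
		}
		plog("assigning %s server %s to peer", name, str);
		idx++;
	}
	return idx;
}

static void
get_internal_addr(struct connection *c, internal_addr_t *ia)
{
	/* … unchanged: srcip / LDAP lookup and INTERNAL_IP4_ADDRESS handling … */

	/* IP4 vs IP6 is decided per address in modecfg_build_msg() */
	if (get_internal_servers("dns", ia->dns, DNS_SERVER_MAX) > 0)
	{
		ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
	}
	if (get_internal_servers("nbns", ia->nbns, NBNS_SERVER_MAX) > 0)
	{
		ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
	}
}
```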
+
/*
* Set srcip and client subnet to internal IP address
*/
@@ -218,8 +282,8 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
struct isakmp_mode_attr attrh;
struct isakmp_attribute attr;
pb_stream strattr,attrval;
- int attr_type;
- int dns_idx, wins_idx;
+ int attr_type, dns_attr_type, nbns_attr_type;
+ int dns_idx, nbns_idx;
bool dont_advance;
bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY;
bool is_unity_attr_set = ia->unity_attr_set != LEMPTY;
@@ -230,11 +294,12 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
attrh.isama_identifier = ap_id;
if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr))
+ {
return STF_INTERNAL_ERROR;
-
+ }
attr_type = 0;
dns_idx = 0;
- wins_idx = 0;
+ nbns_idx = 0;
while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set)
{
@@ -272,6 +337,20 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
attr.isaat_lv = ia->xauth_status;
}
+ else if (attr_type == INTERNAL_IP4_DNS && !isanyaddr(&ia->dns[dns_idx]))
+ {
+ dns_attr_type = (addrtypeof(&ia->dns[dns_idx]) == AF_INET) ?
+ INTERNAL_IP4_DNS : INTERNAL_IP6_DNS;
+ attr.isaat_af_type = dns_attr_type | ISAKMP_ATTR_AF_TLV;
+
+ }
+ else if (attr_type == INTERNAL_IP4_NBNS && !isanyaddr(&ia->nbns[nbns_idx]))
+ {
+ nbns_attr_type = (addrtypeof(&ia->nbns[nbns_idx]) == AF_INET) ?
+ INTERNAL_IP4_NBNS : INTERNAL_IP6_NBNS;
+ attr.isaat_af_type = nbns_attr_type | ISAKMP_ATTR_AF_TLV;
+
+ }
else
{
attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
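Review bot: Both new `else if` branches end with a stray blank line before the closing brace, and `dns_attr_type`/`nbns_attr_type` are each used exactly once, right where they are assigned, so the function-wide declarations added in the earlier hunk are unnecessary; folding the ternary into the assignment, `attr.isaat_af_type = ((addrtypeof(&ia->dns[dns_idx]) == AF_INET) ? INTERNAL_IP4_DNS : INTERNAL_IP6_DNS) | ISAKMP_ATTR_AF_TLV;` (and the same for NBNS), removes both. The wire type is now chosen per address here, but the value is written in the `switch` further down, whose controlling expression is outside this hunk; if it dispatches on `attr_type` (still INTERNAL_IP4_DNS / INTERNAL_IP4_NBNS), the `case INTERNAL_IP6_DNS:` and `case INTERNAL_IP6_NBNS:` labels added in the later hunk are never matched directly and only document intent, which a one-line comment on those labels should say. modecfg_build_msg begins and ends outside this hunk.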
@@ -303,10 +382,14 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
}
#endif
if (st->st_connection->spd.this.client.maskbits == 0)
+ {
mask = 0;
+ }
else
+ {
mask = 0xffffffff * 1;
out_raw(&mask, 4, &attrval, "IP4_mask");
+ }
}
break;
case INTERNAL_IP4_SUBNET:
@@ -318,13 +401,12 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
for (t = 0; t < 4; t++)
{
- if (m < 8)
- mask[t] = bits[m];
- else
- mask[t] = 0xff;
+ mask[t] = (m < 8) ? bits[m] : 0xff;
m -= 8;
if (m < 0)
+ {
m = 0;
+ }
}
len = addrbytesptr(&st->st_connection->spd.this.client.addr, &byte_ptr);
out_raw(byte_ptr, len, &attrval, "IP4_subnet");
@@ -332,23 +414,25 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
}
break;
case INTERNAL_IP4_DNS:
+ case INTERNAL_IP6_DNS:
if (!isanyaddr(&ia->dns[dns_idx]))
{
len = addrbytesptr(&ia->dns[dns_idx++], &byte_ptr);
- out_raw(byte_ptr, len, &attrval, "IP4_dns");
+ out_raw(byte_ptr, len, &attrval, "IP_dns");
}
- if (dns_idx < 2 && !isanyaddr(&ia->dns[dns_idx]))
+ if (dns_idx < DNS_SERVER_MAX && !isanyaddr(&ia->dns[dns_idx]))
{
dont_advance = TRUE;
}
break;
case INTERNAL_IP4_NBNS:
- if (!isanyaddr(&ia->wins[wins_idx]))
+ case INTERNAL_IP6_NBNS:
+ if (!isanyaddr(&ia->nbns[nbns_idx]))
{
- len = addrbytesptr(&ia->wins[wins_idx++], &byte_ptr);
- out_raw(byte_ptr, len, &attrval, "IP4_wins");
+ len = addrbytesptr(&ia->nbns[nbns_idx++], &byte_ptr);
+ out_raw(byte_ptr, len, &attrval, "IP_nbns");
}
- if (wins_idx < 2 && !isanyaddr(&ia->wins[wins_idx]))
+ if (nbns_idx < NBNS_SERVER_MAX && !isanyaddr(&ia->nbns[nbns_idx]))
{
dont_advance = TRUE;
}
@@ -619,7 +703,9 @@ modecfg_parse_msg(struct msg_digest *md, int isama_type, u_int16_t *isama_id
stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
}
if (stat != STF_OK)
+ {
return stat;
+ }
}
return STF_IGNORE;
}
@@ -642,7 +728,9 @@ modecfg_send_request(struct state *st)
st->st_state = STATE_MODE_CFG_I1;
stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
if (stat == STF_OK)
+ {
st->st_modecfg.started = TRUE;
+ }
return stat;
}
@@ -662,10 +750,11 @@ modecfg_inR0(struct msg_digest *md)
stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
if (stat != STF_OK)
+ {
return stat;
+ }
want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
-
init_internal_addr(&ia);
get_internal_addr(st->st_connection, &ia);
@@ -682,8 +771,9 @@ modecfg_inR0(struct msg_digest *md)
, &ia
, isama_id);
if (stat_build != STF_OK)
+ {
return stat_build;
-
+ }
st->st_msgid = 0;
return STF_OK;
}
@@ -705,8 +795,9 @@ modecfg_inI1(struct msg_digest *md)
stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
if (stat != STF_OK)
+ {
return stat;
-
+ }
st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
st->st_msgid = 0;
return STF_OK;
@@ -734,7 +825,9 @@ modecfg_send_set(struct state *st)
st->st_state = STATE_MODE_CFG_R3;
stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
if (stat == STF_OK)
+ {
st->st_modecfg.started = TRUE;
+ }
return stat;
}
@@ -756,8 +849,9 @@ modecfg_inI0(struct msg_digest *md)
stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
if (stat != STF_OK)
+ {
return stat;
-
+ }
st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
/* prepare ModeCfg ack which sends zero length attributes */
@@ -774,8 +868,9 @@ modecfg_inI0(struct msg_digest *md)
, &ia
, isama_id);
if (stat_build != STF_OK)
+ {
return stat_build;
-
+ }
st->st_msgid = 0;
return STF_OK;
}
@@ -797,8 +892,9 @@ modecfg_inR3(struct msg_digest *md)
stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
if (stat != STF_OK)
+ {
return stat;
-
+ }
st->st_msgid = 0;
return STF_OK;
}
@@ -820,7 +916,9 @@ xauth_send_request(struct state *st)
st->st_state = STATE_XAUTH_R1;
stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
if (stat == STF_OK)
+ {
st->st_xauth.started = TRUE;
+ }
return stat;
}
@@ -842,8 +940,10 @@ xauth_inI0(struct msg_digest *md)
stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
if (stat != STF_OK)
+ {
return stat;
-
+ }
+
/* check XAUTH attributes */
xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY;
@@ -890,7 +990,9 @@ xauth_inI0(struct msg_digest *md)
ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
| LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
if (xauth_type_present)
+ {
ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE);
+ }
}
else
{
@@ -905,8 +1007,9 @@ xauth_inI0(struct msg_digest *md)
, &ia
, isama_id);
if (stat_build != STF_OK)
+ {
return stat_build;
-
+ }
if (stat == STF_OK)
{
st->st_xauth.started = TRUE;
@@ -942,8 +1045,10 @@ xauth_inR1(struct msg_digest *md)
stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
if (stat != STF_OK)
+ {
return stat;
-
+ }
+
/* did the client return an XAUTH FAIL status? */
if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY)
{
@@ -997,7 +1102,9 @@ xauth_inR1(struct msg_digest *md)
stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
if (stat_build != STF_OK)
+ {
return stat_build;
+ }
return STF_OK;
}
@@ -1033,8 +1140,9 @@ xauth_inI1(struct msg_digest *md)
, &ia
, isama_id);
if (stat_build != STF_OK)
+ {
return stat_build;
-
+ }
if (st->st_xauth.status)
{
st->st_msgid = 0;
@@ -1069,8 +1177,9 @@ xauth_inR2(struct msg_digest *md)
stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
if (stat != STF_OK)
+ {
return stat;
-
+ }
st->st_msgid = 0;
if (st->st_xauth.status)
{
diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c
index 5566d3d25..1a5085eeb 100644
--- a/src/pluto/nat_traversal.c
+++ b/src/pluto/nat_traversal.c
@@ -237,7 +237,7 @@ void nat_traversal_natd_lookup(struct msg_digest *md)
&(md->iface->addr), ntohs(st->st_connection->spd.this.host_port));
if (!(pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
- memcmp(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len) == 0))
+ memeq(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len)))
{
#ifdef NAT_D_DEBUG
DBG(DBG_NATT,
@@ -258,7 +258,7 @@ void nat_traversal_natd_lookup(struct msg_digest *md)
for (p = p->next, i=0 ; p != NULL; p = p->next)
{
if (pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
- memcmp(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len) == 0)
+ memeq(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len))
{
i++;
}
diff --git a/src/pluto/pem.c b/src/pluto/pem.c
index 14792d49f..396eb3d1c 100644
--- a/src/pluto/pem.c
+++ b/src/pluto/pem.c
@@ -45,7 +45,7 @@ present(const char* pattern, chunk_t* ch)
{
u_int pattern_len = strlen(pattern);
- if (ch->len >= pattern_len && strncmp(ch->ptr, pattern, pattern_len) == 0)
+ if (ch->len >= pattern_len && strneq(ch->ptr, pattern, pattern_len))
{
ch->ptr += pattern_len;
ch->len -= pattern_len;
@@ -60,8 +60,7 @@ present(const char* pattern, chunk_t* ch)
static bool
match(const char *pattern, const chunk_t *ch)
{
- return ch->len == strlen(pattern) &&
- strncmp(pattern, ch->ptr, ch->len) == 0;
+ return ch->len == strlen(pattern) && strneq(pattern, ch->ptr, ch->len);
}
/*
diff --git a/src/pluto/pgp.c b/src/pluto/pgp.c
index aab9bff67..f6744fd8a 100644
--- a/src/pluto/pgp.c
+++ b/src/pluto/pgp.c
@@ -521,7 +521,7 @@ static bool
same_pgpcert(pgpcert_t *a, pgpcert_t *b)
{
return a->certificate.len == b->certificate.len &&
- memcmp(a->certificate.ptr, b->certificate.ptr, b->certificate.len) == 0;
+ memeq(a->certificate.ptr, b->certificate.ptr, b->certificate.len);
}
/*
@@ -531,7 +531,9 @@ void
share_pgpcert(pgpcert_t *cert)
{
if (cert != NULL)
+ {
cert->count++;
+ }
}
/*
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index b7bb8df98..eedbf2532 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -38,6 +38,7 @@
#endif /* CAPABILITIES */
#include <freeswan.h>
+#include <settings.h>
#include <pfkeyv2.h>
#include <pfkey.h>
@@ -197,6 +198,9 @@ delete_lock(void)
}
}
+/* settings defined by strongswan.conf */
+settings_t *settings;
+
/* by default pluto sends certificate requests to its peers */
bool no_cr_send = FALSE;
@@ -239,6 +243,9 @@ main(int argc, char **argv)
int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
#endif /* CAPABILITIES */
+ /* getting settings from strongswan.conf */
+ settings = settings_create(STRONGSWAN_CONF);
+
/* handle arguments */
for (;;)
{
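Review bot: The result of `settings_create(STRONGSWAN_CONF)` is stored in the global without a check, and `exit_pluto()` in the next hunk calls `settings->destroy(settings)` unconditionally. Whether settings_create can return NULL for a missing or unreadable strongswan.conf is not visible from this diff; if it can, every later `settings->get_str()` in modecfg.c and the destroy call here dereference NULL, and the fix is a check right after the call. If it cannot, the guarantee being relied on deserves a comment in place of the current one, e.g. `/* settings_create() never returns NULL; a missing strongswan.conf yields empty settings (confirm against libstrongswan) */`. Loading the file before the option loop also means `--help`/`--version` runs parse strongswan.conf first, which is harmless but worth knowing. main() begins and ends outside this hunk.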
@@ -703,6 +710,7 @@ exit_pluto(int status)
free_ifaces();
scx_finalize(); /* finalize and unload PKCS #11 module */
xauth_finalize(); /* finalize and unload XAUTH module */
+ settings->destroy(settings);
stop_adns();
free_md_pool();
delete_lock();
diff --git a/src/pluto/server.c b/src/pluto/server.c
index c14f72698..cae16294e 100644
--- a/src/pluto/server.c
+++ b/src/pluto/server.c
@@ -544,8 +544,10 @@ process_raw_ifaces(struct raw_iface *rifaces)
struct raw_iface *vfp;
/* ignore if virtual (ipsec*) interface */
- if (strncmp(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
+ if (strneq(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
+ {
continue;
+ }
for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
{
@@ -558,7 +560,7 @@ process_raw_ifaces(struct raw_iface *rifaces)
/* Different entries with matching IP addresses.
* Many interesting cases.
*/
- if (strncmp(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
+ if (strneq(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
{
if (v != NULL && !streq(v->name, vfp->name))
{
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index a458d528a..64c36c7c9 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -787,7 +787,7 @@ scx_finalize(void)
bool
scx_on_smartcard(const char *filename)
{
- return strncmp(filename, SCX_TOKEN, strlen(SCX_TOKEN)) == 0;
+ return strneq(filename, SCX_TOKEN, strlen(SCX_TOKEN));
}
#ifdef SMARTCARD
@@ -1619,7 +1619,7 @@ scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op
if (keyid != NULL)
{
- number_slot_id = (strncmp(keyid, SCX_TOKEN, strlen(SCX_TOKEN)) == 0)
+ number_slot_id = (strneq(keyid, SCX_TOKEN, strlen(SCX_TOKEN)))
? keyid + strlen(SCX_TOKEN) : keyid;
}
diff --git a/src/pluto/state.c b/src/pluto/state.c
index d1587a1a5..0b223e615 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -578,14 +578,19 @@ find_state(const u_char *icookie
struct state *st = *state_hash(icookie, rcookie, peer);
while (st != (struct state *) NULL)
+ {
if (sameaddr(peer, &st->st_connection->spd.that.host_addr)
- && memcmp(icookie, st->st_icookie, COOKIE_SIZE) == 0
- && memcmp(rcookie, st->st_rcookie, COOKIE_SIZE) == 0
+ && memeq(icookie, st->st_icookie, COOKIE_SIZE)
+ && memeq(rcookie, st->st_rcookie, COOKIE_SIZE)
&& msgid == st->st_msgid)
+ {
break;
+ }
else
+ {
st = st->st_hashchain_next;
-
+ }
+ }
DBG(DBG_CONTROL,
if (st == NULL)
DBG_log("state object not found");
@@ -607,13 +612,20 @@ find_sender(size_t packet_len, u_char *packet)
struct state *st;
if (packet_len >= sizeof(struct isakmp_hdr))
+ {
for (i = 0; i < STATE_TABLE_SIZE; i++)
+ {
for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ {
if (st->st_tpacket.ptr != NULL
&& st->st_tpacket.len == packet_len
- && memcmp(st->st_tpacket.ptr, packet, packet_len) == 0)
+ && memeq(st->st_tpacket.ptr, packet, packet_len))
+ {
return st;
-
+ }
+ }
+ }
+ }
return NULL;
}
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index 4f0e6d43a..609366452 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -497,7 +497,7 @@ handle_vendorid (struct msg_digest *md, const char *vid, size_t len)
{
if (pvid->vid_len == len)
{
- if (memcmp(pvid->vid, vid, len) == 0)
+ if (memeq(pvid->vid, vid, len))
{
handle_known_vendorid(md, vid, len, pvid);
return;
@@ -505,7 +505,7 @@ handle_vendorid (struct msg_digest *md, const char *vid, size_t len)
}
else if ((pvid->vid_len < len) && (pvid->flags & VID_SUBSTRING))
{
- if (memcmp(pvid->vid, vid, pvid->vid_len) == 0)
+ if (memeq(pvid->vid, vid, pvid->vid_len))
{
handle_known_vendorid(md, vid, len, pvid);
return;
diff --git a/src/pluto/virtual.c b/src/pluto/virtual.c
index cf036cc7b..9deceb224 100644
--- a/src/pluto/virtual.c
+++ b/src/pluto/virtual.c
@@ -54,11 +54,11 @@ _read_subnet(const char *src, size_t len, ip_subnet *dst, ip_subnet *dstko,
bool ok;
int af;
- if ((len > 4) && (strncmp(src, "%v4:", 4)==0))
+ if ((len > 4) && (strneq(src, "%v4:", 4)))
{
af = AF_INET;
}
- else if ((len > 4) && (strncmp(src, "%v6:", 4)==0))
+ else if ((len > 4) && (strneq(src, "%v6:", 4)))
{
af = AF_INET6;
}
@@ -196,12 +196,12 @@ struct virtual_t
if (!string || string[0] == '\0')
return NULL;
- if (strlen(string) >= 6 && strncmp(string,"vhost:",6) == 0)
+ if (strlen(string) >= 6 && strneq(string,"vhost:",6))
{
flags |= F_VIRTUAL_HOST;
str += 6;
}
- else if (strlen(string) >= 5 && strncmp(string,"vnet:",5) == 0)
+ else if (strlen(string) >= 5 && strneq(string,"vnet:",5))
str += 5;
else
goto fail;
@@ -213,17 +213,17 @@ struct virtual_t
{
next = strchr(str,',');
if (!next) next = str + strlen(str);
- if (next-str == 3 && strncmp(str, "%no", 3) == 0)
+ if (next-str == 3 && strneq(str, "%no", 3))
flags |= F_VIRTUAL_NO;
#if 0
- else if (next-str == 4 && strncmp(str, "%ike", 4) == 0)
+ else if (next-str == 4 && strneq(str, "%ike", 4))
flags |= F_VIRTUAL_IKE_CONFIG;
- else if (next-str == 5 && strncmp(str, "%dhcp", 5) == 0)
+ else if (next-str == 5 && strneq(str, "%dhcp", 5))
flags |= F_VIRTUAL_DHCP;
#endif
- else if (next-str == 5 && strncmp(str, "%priv", 5) == 0)
+ else if (next-str == 5 && strneq(str, "%priv", 5))
flags |= F_VIRTUAL_PRIVATE;
- else if (next-str == 4 && strncmp(str, "%all", 4) == 0)
+ else if (next-str == 4 && strneq(str, "%all", 4))
flags |= F_VIRTUAL_ALL;
else if (_read_subnet(str, next-str, &sub, NULL, NULL))
{
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index 3c6d85f07..e6f7b24e0 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -423,8 +423,9 @@ init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
rdn->len = asn1_length(&dn);
if (rdn->len == ASN1_INVALID_LENGTH)
+ {
return "Invalid RDN length";
-
+ }
rdn->ptr = dn.ptr;
/* are there any RDNs ? */
@@ -451,13 +452,15 @@ get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value
{
/* an RDN is a SET OF attributeTypeAndValue */
if (*rdn->ptr != ASN1_SET)
+ {
return "RDN is not a SET";
-
+ }
attribute->len = asn1_length(rdn);
if (attribute->len == ASN1_INVALID_LENGTH)
+ {
return "Invalid attribute length";
-
+ }
attribute->ptr = rdn->ptr;
/* advance to start of next RDN */
@@ -467,14 +470,17 @@ get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value
/* an attributeTypeAndValue is a SEQUENCE */
if (*attribute->ptr != ASN1_SEQUENCE)
+ {
return "attributeTypeAndValue is not a SEQUENCE";
+ }
/* extract the attribute body */
body.len = asn1_length(attribute);
if (body.len == ASN1_INVALID_LENGTH)
+ {
return "Invalid attribute body length";
-
+ }
body.ptr = attribute->ptr;
/* advance to start of next attribute */
@@ -483,14 +489,17 @@ get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value
/* attribute type is an OID */
if (*body.ptr != ASN1_OID)
+ {
return "attributeType is not an OID";
+ }
/* extract OID */
oid->len = asn1_length(&body);
- if (oid->len == ASN1_INVALID_LENGTH)
+ if (oid->len == ASN1_INVALID_LENGTH)
+ {
return "Invalid attribute OID length";
-
+ }
oid->ptr = body.ptr;
/* advance to the attribute value */
@@ -504,8 +513,9 @@ get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value
value->len = asn1_length(&body);
if (value->len == ASN1_INVALID_LENGTH)
+ {
return "Invalid attribute string length";
-
+ }
value->ptr = body.ptr;
/* are there any RDNs left? */
@@ -529,27 +539,39 @@ dn_parse(chunk_t dn, chunk_t *str)
err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
if (ugh != NULL) /* a parsing error has occured */
+ {
return ugh;
+ }
while (next)
{
ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
if (ugh != NULL) /* a parsing error has occured */
+ {
return ugh;
+ }
if (first) /* first OID/value pair */
+ {
first = FALSE;
+ }
else /* separate OID/value pair by a comma */
+ {
update_chunk(str, snprintf(str->ptr,str->len,", "));
+ }
/* print OID */
oid_code = known_oid(oid);
if (oid_code == OID_UNKNOWN) /* OID not found in list */
+ {
hex_str(oid, str);
+ }
else
+ {
update_chunk(str, snprintf(str->ptr,str->len,"%s",
oid_names[oid_code].name));
+ }
/* print value */
update_chunk(str, snprintf(str->ptr,str->len,"=%.*s",
@@ -572,16 +594,22 @@ dn_count_wildcards(chunk_t dn)
err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
if (ugh != NULL) /* a parsing error has occured */
+ {
return -1;
+ }
while (next)
{
ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
if (ugh != NULL) /* a parsing error has occured */
+ {
return -1;
+ }
if (value.len == 1 && *value.ptr == '*')
+ {
wildcards++; /* we have found a wildcard RDN */
+ }
}
return wildcards;
}
@@ -631,9 +659,13 @@ int
dntoa_or_null(char *dst, size_t dstlen, chunk_t dn, const char* null_dn)
{
if (dn.ptr == NULL)
+ {
return snprintf(dst, dstlen, "%s", null_dn);
+ }
else
+ {
return dntoa(dst, dstlen, dn);
+ }
}
/* Converts an LDAP-style human-readable ASCII-encoded
@@ -692,14 +724,18 @@ atodn(char *src, chunk_t *dn)
break;
case READ_OID:
if (*src != ' ' && *src != '=')
+ {
oid.len++;
+ }
else
{
for (pos = 0; pos < X501_RDN_ROOF; pos++)
{
if (strlen(x501rdns[pos].name) == oid.len &&
strncasecmp(x501rdns[pos].name, oid.ptr, oid.len) == 0)
+ {
break; /* found a valid OID */
+ }
}
if (pos == X501_RDN_ROOF)
{
@@ -728,9 +764,13 @@ atodn(char *src, chunk_t *dn)
{
name.len++;
if (*src == ' ')
+ {
whitespace++;
+ }
else
+ {
whitespace = 0;
+ }
}
else
{
@@ -796,16 +836,22 @@ same_dn(chunk_t a, chunk_t b)
/* same lengths for the DNs */
if (a.len != b.len)
+ {
return FALSE;
+ }
/* try a binary comparison first */
- if (memcmp(a.ptr, b.ptr, b.len) == 0)
+ if (memeq(a.ptr, b.ptr, b.len))
+ {
return TRUE;
-
+ }
+
/* initialize DN parsing */
if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
|| init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
+ {
return FALSE;
+ }
/* fetch next RDN pair */
while (next_a && next_b)
@@ -819,28 +865,38 @@ same_dn(chunk_t a, chunk_t b)
/* OIDs must agree */
if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+ {
return FALSE;
+ }
/* same lengths for values */
if (value_a.len != value_b.len)
+ {
return FALSE;
+ }
/* printableStrings and email RDNs require uppercase comparison */
if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
(type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
{
if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ {
return FALSE;
+ }
}
else
{
if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ {
return FALSE;
+ }
}
}
/* both DNs must have same number of RDNs */
if (next_a || next_b)
+ {
return FALSE;
+ }
/* the two DNs are equal! */
return TRUE;
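Review bot: The OID comparison at the top of this hunk still spells out `memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0` while the binary DN comparison in the previous hunk of the same function was switched to `memeq(...)`; for consistency within same_dn the line could read `if (oid_a.len != oid_b.len || !memeq(oid_a.ptr, oid_b.ptr, oid_b.len))`. The same mixed usage remains on the OID check in the match_dn hunk further down. same_dn's body begins outside this hunk.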
@@ -864,7 +920,9 @@ match_dn(chunk_t a, chunk_t b, int *wildcards)
/* initialize DN parsing */
if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
|| init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
+ {
return FALSE;
+ }
/* fetch next RDN pair */
while (next_a && next_b)
@@ -878,7 +936,9 @@ match_dn(chunk_t a, chunk_t b, int *wildcards)
/* OIDs must agree */
if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+ {
return FALSE;
+ }
/* does rdn_b contain a wildcard? */
if (value_b.len == 1 && *value_b.ptr == '*')
@@ -889,24 +949,33 @@ match_dn(chunk_t a, chunk_t b, int *wildcards)
/* same lengths for values */
if (value_a.len != value_b.len)
+ {
return FALSE;
+ }
/* printableStrings and email RDNs require uppercase comparison */
if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
(type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
{
if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ {
return FALSE;
+ }
}
else
{
if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ {
return FALSE;
+ }
}
}
+
/* both DNs must have same number of RDNs */
if (next_a || next_b)
+ {
return FALSE;
+ }
/* the two DNs match! */
return TRUE;
@@ -928,7 +997,9 @@ void
share_x509cert(x509cert_t *cert)
{
if (cert != NULL)
+ {
cert->count++;
+ }
}
/*
@@ -1009,8 +1080,9 @@ bool
same_keyid(chunk_t a, chunk_t b)
{
if (a.ptr == NULL || b.ptr == NULL)
+ {
return FALSE;
-
+ }
return same_chunk(a, b);
}
@@ -1022,8 +1094,9 @@ same_serial(chunk_t a, chunk_t b)
{
/* do not compare serial numbers if one of them is not defined */
if (a.ptr == NULL || b.ptr == NULL)
+ {
return TRUE;
-
+ }
return same_chunk(a, b);
}
@@ -1175,7 +1248,9 @@ release_x509cert(x509cert_t *cert)
{
x509cert_t **pp = &x509certs;
while (*pp != cert)
+ {
pp = &(*pp)->next;
+ }
*pp = cert->next;
free_x509cert(cert);
}
@@ -1215,7 +1290,9 @@ store_x509certs(x509cert_t **firstcert, bool strict)
}
}
else
+ {
pp = &cert->next;
+ }
}
/* now verify the candidate CA certs */
@@ -1330,9 +1407,13 @@ check_signature(chunk_t tbs, chunk_t sig, int digest_alg, int enc_alg
DBG(DBG_PARSING,
if (digest_alg != OID_UNKNOWN)
+ {
DBG_log("signature digest algorithm: '%s'",oid_names[digest_alg].name);
+ }
else
+ {
DBG_log("unknown signature digest algorithm");
+ }
)
if (!compute_digest(tbs, digest_alg, &digest))
@@ -1349,9 +1430,13 @@ check_signature(chunk_t tbs, chunk_t sig, int digest_alg, int enc_alg
DBG(DBG_PARSING,
if (enc_alg != OID_UNKNOWN)
+ {
DBG_log("signature encryption algorithm: '%s'",oid_names[enc_alg].name);
+ }
else
+ {
DBG_log("unknown signature encryption algorithm");
+ }
)
if (!decrypt_sig(sig, enc_alg, issuer_cert, &decrypted))
@@ -1361,7 +1446,7 @@ check_signature(chunk_t tbs, chunk_t sig, int digest_alg, int enc_alg
}
/* check if digests are equal */
- return !memcmp(decrypted.ptr, digest.ptr, digest.len);
+ return memeq(decrypted.ptr, digest.ptr, digest.len);
}
/*
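Review bot: The rewritten comparison `memeq(decrypted.ptr, digest.ptr, digest.len)` still reads digest.len bytes from decrypted without checking that the two chunks have the same length, so a shorter decrypted value would be read past its end and a longer one would be accepted on a prefix match. Unless decrypt_sig guarantees decrypted.len == digest.len (its body is not in this diff), the return should be `return decrypted.len == digest.len && memeq(decrypted.ptr, digest.ptr, digest.len);`. check_signature's body begins outside this hunk.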
@@ -1382,8 +1467,9 @@ parse_basicConstraints(chunk_t blob, int level0)
if (!extract_object(basicConstraintsObjects, &objectID,
&object,&level, &ctx))
+ {
break;
-
+ }
if (objectID == BASIC_CONSTRAINTS_CA)
{
isCA = object.len && *object.ptr;
@@ -1460,7 +1546,9 @@ parse_otherName(chunk_t blob, int level0)
while (objectID < ON_OBJ_ROOF)
{
if (!extract_object(otherNameObjects, &objectID, &object, &level, &ctx))
+ {
return FALSE;
+ }
switch (objectID)
{
@@ -1505,7 +1593,9 @@ parse_generalName(chunk_t blob, int level0)
bool valid_gn = FALSE;
if (!extract_object(generalNameObjects, &objectID, &object, &level, &ctx))
+ {
return NULL;
+ }
switch (objectID) {
case GN_OBJ_RFC822_NAME:
@@ -1574,8 +1664,9 @@ parse_generalNames(chunk_t blob, int level0, bool implicit)
while (objectID < GENERAL_NAMES_ROOF)
{
if (!extract_object(generalNamesObjects, &objectID, &object, &level, &ctx))
+ {
return NULL;
-
+ }
if (objectID == GENERAL_NAMES_GN)
{
generalName_t *gn = parse_generalName(object, level+1);
@@ -1599,10 +1690,10 @@ chunk_t get_directoryName(chunk_t blob, int level, bool implicit)
generalName_t * gn = parse_generalNames(blob, level, implicit);
if (gn != NULL && gn->kind == GN_DIRECTORY_NAME)
+ {
name= gn->name;
-
+ }
free_generalNames(gn, FALSE);
-
return name;
}
@@ -1622,8 +1713,9 @@ parse_time(chunk_t blob, int level0)
while (objectID < TIME_ROOF)
{
if (!extract_object(timeObjects, &objectID, &object, &level, &ctx))
+ {
return UNDEFINED_TIME;
-
+ }
if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
{
return asn1totime(&object, (objectID == TIME_UTC)
@@ -1668,9 +1760,11 @@ parse_authorityKeyIdentifier(chunk_t blob, int level0
while (objectID < AUTH_KEY_ID_ROOF)
{
if (!extract_object(authorityKeyIdentifierObjects, &objectID, &object, &level, &ctx))
+ {
return;
-
- switch (objectID) {
+ }
+ switch (objectID)
+ {
case AUTH_KEY_ID_KEY_ID:
*authKeyID = parse_keyIdentifier(object, level+1, TRUE);
break;
@@ -1708,9 +1802,12 @@ parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t *accessLocation)
while (objectID < AUTH_INFO_ACCESS_ROOF)
{
if (!extract_object(authorityInfoAccessObjects, &objectID, &object, &level, &ctx))
+ {
return;
+ }
- switch (objectID) {
+ switch (objectID)
+ {
case AUTH_INFO_ACCESS_METHOD:
accessMethod = known_oid(object);
break;
@@ -1722,8 +1819,9 @@ parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t *accessLocation)
if (*object.ptr == ASN1_CONTEXT_S_6)
{
if (asn1_length(&object) == ASN1_INVALID_LENGTH)
+ {
return;
-
+ }
DBG(DBG_PARSING,
DBG_log(" '%.*s'",(int)object.len, object.ptr)
)
@@ -1768,11 +1866,14 @@ parse_extendedKeyUsage(chunk_t blob, int level0)
{
if (!extract_object(extendedKeyUsageObjects, &objectID
, &object, &level, &ctx))
+ {
return FALSE;
-
+ }
if (objectID == EXT_KEY_USAGE_PURPOSE_ID
&& known_oid(object) == OID_OCSP_SIGNING)
+ {
return TRUE;
+ }
objectID++;
}
return FALSE;
@@ -1798,8 +1899,9 @@ parse_crlDistributionPoints(chunk_t blob, int level0)
{
if (!extract_object(crlDistributionPointsObjects, &objectID,
&object, &level, &ctx))
+ {
return NULL;
-
+ }
if (objectID == CRL_DIST_POINTS_FULLNAME)
{
generalName_t *gn = parse_generalNames(object, level+1, TRUE);
@@ -1836,7 +1938,9 @@ parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert)
while (objectID < X509_OBJ_ROOF)
{
if (!extract_object(certObjects, &objectID, &object, &level, &ctx))
+ {
return FALSE;
+ }
/* those objects which will parsed further need the next higher level */
level++;
@@ -1882,7 +1986,9 @@ parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert)
break;
case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM:
if (parse_algorithmIdentifier(object, level, NULL) == OID_RSA_ENCRYPTION)
+ {
cert->subjectPublicKeyAlgorithm = PUBKEY_ALG_RSA;
+ }
else
{
plog(" unsupported public key algorithm");
@@ -2003,14 +2109,22 @@ check_validity(const x509cert_t *cert, time_t *until)
DBG_log(" not after : %s", timetoa(&cert->notAfter, TRUE));
)
- if (cert->notAfter < *until) *until = cert->notAfter;
-
+ if (cert->notAfter < *until)
+ {
+ *until = cert->notAfter;
+ }
if (current_time < cert->notBefore)
+ {
return "certificate is not valid yet";
+ }
if (current_time > cert->notAfter)
+ {
return "certificate has expired";
+ }
else
+ {
return NULL;
+ }
}
/*
@@ -2126,7 +2240,9 @@ verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
* lifetime as the validity of the ocsp status or crl lifetime
*/
if (strict && nextUpdate < *until)
+ {
*until = nextUpdate;
+ }
break;
case CERT_REVOKED:
plog("certificate was revoked on %s, reason: %s"