From be8858e9b650829d90b286a20959f6ecaf7ac9c6 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Thu, 9 Dec 2010 10:46:48 +0100
Subject: Moved X509 pathlen constraint checking to constraints plugin
---
 .../plugins/constraints/constraints_validator.c | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)
(limited to 'src/libstrongswan/plugins/constraints/constraints_validator.c')
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 834d4efbf..7598f2896 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -15,6 +15,9 @@
 #include "constraints_validator.h"
+#include
+#include
+
 typedef struct private_constraints_validator_t private_constraints_validator_t;
 /**
@@ -28,10 +31,36 @@ struct private_constraints_validator_t {
 constraints_validator_t public;
 };
+/**
+ * Check pathlen constraint of issuer certificate
+ */
+static bool check_pathlen(x509_t *issuer, int pathlen)
+{
+ int pathlen_constraint;
+
+ pathlen_constraint = issuer->get_pathLenConstraint(issuer);
+ if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+ pathlen > pathlen_constraint)
+ {
+ DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+ pathlen, pathlen_constraint);
+ return FALSE;
+ }
+ return TRUE;
+}
+
 METHOD(cert_validator_t, validate, bool,
 private_constraints_validator_t *this, certificate_t *subject,
 certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
 {
+ if (issuer->get_type(issuer) == CERT_X509 &&
+ subject->get_type(subject) == CERT_X509)
+ {
+ if (!check_pathlen((x509_t*)issuer, pathlen))
+ {
+ return FALSE;
+ }
+ }
 return TRUE;
 }
--
cgit v1.2.3
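Review bot: The comparison `pathlen > pathlen_constraint` in check_pathlen is only correct for one counting convention of `pathlen`, and neither the new function's comment nor the validate() body states which one the caller uses; RFC 5280 bounds the number of non-self-issued intermediate CA certificates that may follow the issuer, so the check is right only if the caller passes 0 when subject is the end-entity certificate and increments once per intermediate. I would record that assumption above the function, e.g. `/* pathlen: number of intermediate CAs already traversed below issuer (0 for an end-entity subject), bounded by pathLenConstraint per RFC 5280 4.2.1.9 */`, so a later change to how the caller counts the path cannot silently turn this constraint into an off-by-one. The DBG1 line reports only the two numbers; including the issuer's subject in the message would make a rejected chain attributable from the logs alone. The check is skipped entirely when either certificate is not CERT_X509, which is presumably intended since pathLenConstraint is an X.509 concept, but a one-line comment saying so would spare the next reader the question.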