From 5db798c8e0534864412f6aa55b5ae6d2f82dcc7f Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Fri, 2 Jul 2010 10:29:36 +0200
Subject: Charon uses a generic trunstchain length limit, not only for X509 certificates

---
 src/libcharon/credentials/credential_manager.c | 13 +++++++++----
 src/libstrongswan/credentials/certificates/x509.h | 1 -
 src/pluto/x509.h | 2 ++
 3 files changed, 11 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/libcharon/credentials/credential_manager.c b/src/libcharon/credentials/credential_manager.c
index 01c0c0e1e..079af2da8 100644
--- a/src/libcharon/credentials/credential_manager.c
+++ b/src/libcharon/credentials/credential_manager.c
@@ -28,6 +28,11 @@
 #include 
 #include 
 
+/**
+ * Maximum length of a certificate trust chain
+ */
+#define MAX_TRUST_PATH_LEN 7
+
 typedef struct private_credential_manager_t private_credential_manager_t;
 
 /**
@@ -1132,7 +1137,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 
 auth = auth_cfg_create();
 current = subject->get_ref(subject);
- for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++)
+ for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
 {
 issuer = get_issuer_cert(this, current, TRUE);
 if (issuer)
@@ -1205,9 +1210,9 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 }
 }
 current->destroy(current);
- if (pathlen > X509_MAX_PATH_LEN)
+ if (pathlen > MAX_TRUST_PATH_LEN)
 {
- DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN);
+ DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
 }
 if (trusted)
 {
@@ -1479,7 +1484,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 }
 issuer = get_issuer_cert(this, current, FALSE);
 if (!issuer || issuer->equals(issuer, current) ||
- pathlen > X509_MAX_PATH_LEN)
+ pathlen > MAX_TRUST_PATH_LEN)
 {
 DESTROY_IF(issuer);
 break;
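Review bot: The doc comment on the new MAX_TRUST_PATH_LEN in the first hunk says only "Maximum length of a certificate trust chain", which does not say what is being counted: the loop in verify_trust_chain (second hunk) runs `pathlen <= MAX_TRUST_PATH_LEN`, so up to MAX_TRUST_PATH_LEN + 1 issuer lookups happen before the "maximum path length of %d exceeded" message fires, and build_trustchain (fourth hunk) applies the same inclusive bound. Since the commit message presents this as a generic chain-walk limit that is no longer tied to X.509, the comment should also say it is distinct from the basicConstraints pathLenConstraint that x509.h still models via X509_NO_PATH_LEN_CONSTRAINT, so that nobody later "fixes" one by changing the other. A suitable replacement would be `/** Maximum number of issuer certificates followed when verifying or building a trust chain (inclusive loop bound, see verify_trust_chain/build_trustchain); unrelated to the X.509 pathLenConstraint. */`. As a file-local constant in a .c file, `enum { MAX_TRUST_PATH_LEN = 7 };` would also make the value visible in a debugger, though that is a style preference. Both verify_trust_chain and build_trustchain start and end outside the hunks shown.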
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 172bd9696..6e0a5002a 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -25,7 +25,6 @@
 #include 
 
 #define X509_NO_PATH_LEN_CONSTRAINT -1
-#define X509_MAX_PATH_LEN 7
 
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;
diff --git a/src/pluto/x509.h b/src/pluto/x509.h
index e904618b3..3101724a6 100644
--- a/src/pluto/x509.h
+++ b/src/pluto/x509.h
@@ -26,6 +26,8 @@
 #include "constants.h"
 #include "certs.h"
 
+#define X509_MAX_PATH_LEN 7
+
 extern bool same_keyid(chunk_t a, chunk_t b);
 extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
 certificate_t *issuer_cert);
-- 
cgit v1.2.3
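Review bot: The X509_MAX_PATH_LEN added to src/pluto/x509.h carries no comment, and after this commit the value 7 lives in two places (here and as MAX_TRUST_PATH_LEN in charon's credential_manager.c), so the two daemons' chain-length bounds can drift without anyone noticing. A one-line comment above the define would make the intent explicit, e.g. `/* Maximum number of issuer certificates pluto follows when building a trust chain; deliberately independent of charon's MAX_TRUST_PATH_LEN */`. Since the libstrongswan x509.h no longer exports X509_MAX_PATH_LEN, any remaining user outside these three files would now fail to compile; the diffstat shows no other files touched, which presumably means there are none, but that is worth confirming with a grep before merging.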