[BACK]Return to addrblock_validator.c CVS log [TXT] [DIR] Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / addrblock

Annotation of embedaddon/strongswan/src/libcharon/plugins/addrblock/addrblock_validator.c, revision 1.1.1.1

1.1       misho       1: /*
                      2:  * Copyright (C) 2010 Martin Willi
                      3:  * Copyright (C) 2010 revosec AG
                      4:  *
                      5:  * Copyright (C) 2009 Andreas Steffen
                      6:  * HSR Hochschule fuer Technik Rapperswil
                      7:  *
                      8:  * This program is free software; you can redistribute it and/or modify it
                      9:  * under the terms of the GNU General Public License as published by the
                     10:  * Free Software Foundation; either version 2 of the License, or (at your
                     11:  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
                     12:  *
                     13:  * This program is distributed in the hope that it will be useful, but
                     14:  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
                     15:  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
                     16:  * for more details.
                     17:  */
                     18: 
                     19: #include "addrblock_validator.h"
                     20: 
                     21: #include <utils/debug.h>
                     22: #include <credentials/certificates/x509.h>
                     23: #include <selectors/traffic_selector.h>
                     24: 
                     25: typedef struct private_addrblock_validator_t private_addrblock_validator_t;
                     26: 
                     27: /**
                     28:  * Private data of an addrblock_validator_t object.
                     29:  */
                     30: struct private_addrblock_validator_t {
                     31: 
                     32:        /**
                     33:         * Public addrblock_validator_t interface.
                     34:         */
                     35:        addrblock_validator_t public;
                     36: 
                     37:        /**
                     38:         * Whether to reject subject certificates not having a addrBlock extension
                     39:         */
                     40:        bool strict;
                     41: };
                     42: 
                     43: /**
                     44:  * Do the addrblock check for two x509 plugins
                     45:  */
                     46: static bool check_addrblock(private_addrblock_validator_t *this,
                     47:                                                        x509_t *subject, x509_t *issuer)
                     48: {
                     49:        bool subject_const, issuer_const, contained = TRUE;
                     50:        enumerator_t *subject_enumerator, *issuer_enumerator;
                     51:        traffic_selector_t *subject_ts, *issuer_ts;
                     52: 
                     53:        subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
                     54:        issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
                     55: 
                     56:        if (!subject_const && !issuer_const)
                     57:        {
                     58:                return TRUE;
                     59:        }
                     60:        if (!subject_const)
                     61:        {
                     62:                DBG1(DBG_CFG, "subject certificate lacks ipAddrBlocks extension");
                     63:                return !this->strict;
                     64:        }
                     65:        if (!issuer_const)
                     66:        {
                     67:                DBG1(DBG_CFG, "issuer certificate lacks ipAddrBlocks extension");
                     68:                return FALSE;
                     69:        }
                     70:        subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
                     71:        while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
                     72:        {
                     73:                contained = FALSE;
                     74: 
                     75:                issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
                     76:                while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
                     77:                {
                     78:                        if (subject_ts->is_contained_in(subject_ts, issuer_ts))
                     79:                        {
                     80:                                DBG2(DBG_CFG, "  subject address block %R is contained in "
                     81:                                                          "issuer address block %R", subject_ts, issuer_ts);
                     82:                                contained = TRUE;
                     83:                                break;
                     84:                        }
                     85:                }
                     86:                issuer_enumerator->destroy(issuer_enumerator);
                     87:                if (!contained)
                     88:                {
                     89:                        DBG1(DBG_CFG, "subject address block %R is not contained in any "
                     90:                                                  "issuer address block", subject_ts);
                     91:                        break;
                     92:                }
                     93:        }
                     94:        subject_enumerator->destroy(subject_enumerator);
                     95:        return contained;
                     96: }
                     97: 
                     98: METHOD(cert_validator_t, validate, bool,
                     99:        private_addrblock_validator_t *this, certificate_t *subject,
                    100:        certificate_t *issuer, bool online, u_int pathlen, bool anchor,
                    101:        auth_cfg_t *auth)
                    102: {
                    103:        if (subject->get_type(subject) == CERT_X509 &&
                    104:                issuer->get_type(issuer) == CERT_X509)
                    105:        {
                    106:                if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
                    107:                {
                    108:                        lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
                    109:                                                                        subject);
                    110:                        return FALSE;
                    111:                }
                    112:        }
                    113:        return TRUE;
                    114: }
                    115: 
                    116: METHOD(addrblock_validator_t, destroy, void,
                    117:        private_addrblock_validator_t *this)
                    118: {
                    119:        free(this);
                    120: }
                    121: 
                    122: /**
                    123:  * See header
                    124:  */
                    125: addrblock_validator_t *addrblock_validator_create()
                    126: {
                    127:        private_addrblock_validator_t *this;
                    128: 
                    129:        INIT(this,
                    130:                .public = {
                    131:                        .validator = {
                    132:                                .validate = _validate,
                    133:                        },
                    134:                        .destroy = _destroy,
                    135:                },
                    136:                .strict = lib->settings->get_bool(lib->settings,
                    137:                                                "%s.plugins.addrblock.strict", TRUE, lib->ns),
                    138:        );
                    139: 
                    140:        return &this->public;
                    141: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>