Moved X509 addrBlock validation to a separate addrblock plugin
This commit is contained in:
parent
2feb16f5dd
commit
5f9e62c54f
|
@ -142,6 +142,7 @@ ARG_ENABL_SET([padlock], [enables VIA Padlock crypto plugin.])
|
|||
ARG_ENABL_SET([openssl], [enables the OpenSSL crypto plugin.])
|
||||
ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.])
|
||||
ARG_ENABL_SET([agent], [enables the ssh-agent signing plugin.])
|
||||
ARG_ENABL_SET([addrblock], [enables RFC 3779 address block constraint support.])
|
||||
ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.])
|
||||
ARG_ENABL_SET([android], [enable Android specific plugin.])
|
||||
ARG_ENABL_SET([nm], [enable NetworkManager plugin.])
|
||||
|
@ -758,6 +759,9 @@ fi
|
|||
if test x$agent = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" agent"
|
||||
fi
|
||||
if test x$addrblock = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" addrblock"
|
||||
fi
|
||||
if test x$gmp = xtrue; then
|
||||
libstrongswan_plugins=${libstrongswan_plugins}" gmp"
|
||||
pluto_plugins=${pluto_plugins}" gmp"
|
||||
|
@ -812,6 +816,7 @@ AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
|
|||
AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
|
||||
AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
|
||||
AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
|
||||
AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
|
||||
|
||||
dnl charon plugins
|
||||
dnl ==============
|
||||
|
@ -936,6 +941,7 @@ AC_OUTPUT(
|
|||
src/libstrongswan/plugins/openssl/Makefile
|
||||
src/libstrongswan/plugins/gcrypt/Makefile
|
||||
src/libstrongswan/plugins/agent/Makefile
|
||||
src/libstrongswan/plugins/addrblock/Makefile
|
||||
src/libstrongswan/plugins/test_vectors/Makefile
|
||||
src/libhydra/Makefile
|
||||
src/libhydra/plugins/attr/Makefile
|
||||
|
|
|
@ -44,6 +44,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
|
|||
credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
|
||||
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
|
||||
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
|
||||
credentials/cert_validator.h \
|
||||
database/database.h database/database_factory.h database/database_factory.c \
|
||||
fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
|
||||
selectors/traffic_selector.c selectors/traffic_selector.h \
|
||||
|
|
|
@ -42,6 +42,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
|
|||
credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
|
||||
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
|
||||
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
|
||||
credentials/cert_validator.h \
|
||||
database/database.h database/database_factory.h database/database_factory.c \
|
||||
fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
|
||||
selectors/traffic_selector.c selectors/traffic_selector.h \
|
||||
|
@ -306,6 +307,13 @@ if MONOLITHIC
|
|||
endif
|
||||
endif
|
||||
|
||||
if USE_ADDRBLOCK
|
||||
SUBDIRS += plugins/addrblock
|
||||
if MONOLITHIC
|
||||
libstrongswan_la_LIBADD += plugins/addrblock/libstrongswan-addrblock.la
|
||||
endif
|
||||
endif
|
||||
|
||||
if USE_TEST_VECTORS
|
||||
SUBDIRS += plugins/test_vectors
|
||||
if MONOLITHIC
|
||||
|
|
|
@ -23,6 +23,8 @@
|
|||
|
||||
typedef struct cert_validator_t cert_validator_t;
|
||||
|
||||
#include <library.h>
|
||||
|
||||
/**
|
||||
* Certificate validator interface.
|
||||
*
|
||||
|
|
|
@ -943,60 +943,6 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
|
|||
return valid;
|
||||
}
|
||||
|
||||
/**
|
||||
* check a certificate for optional IP address block constraints
|
||||
*/
|
||||
static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
|
||||
{
|
||||
bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
|
||||
bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
|
||||
bool contained = TRUE;
|
||||
|
||||
enumerator_t *subject_enumerator, *issuer_enumerator;
|
||||
traffic_selector_t *subject_ts, *issuer_ts;
|
||||
|
||||
if (!subject_constraint && !issuer_constraint)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
if (!subject_constraint)
|
||||
{
|
||||
DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
|
||||
return FALSE;
|
||||
}
|
||||
if (!issuer_constraint)
|
||||
{
|
||||
DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
|
||||
return FALSE;
|
||||
}
|
||||
subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
|
||||
while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
|
||||
{
|
||||
contained = FALSE;
|
||||
|
||||
issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
|
||||
while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
|
||||
{
|
||||
if (subject_ts->is_contained_in(subject_ts, issuer_ts))
|
||||
{
|
||||
DBG2(DBG_CFG, " subject address block %R is contained in "
|
||||
"issuer address block %R", subject_ts, issuer_ts);
|
||||
contained = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
issuer_enumerator->destroy(issuer_enumerator);
|
||||
if (!contained)
|
||||
{
|
||||
DBG1(DBG_CFG, "subject address block %R is not contained in any "
|
||||
"issuer address block", subject_ts);
|
||||
break;
|
||||
}
|
||||
}
|
||||
subject_enumerator->destroy(subject_enumerator);
|
||||
return contained;
|
||||
}
|
||||
|
||||
/**
|
||||
* check a certificate for its lifetime
|
||||
*/
|
||||
|
@ -1026,11 +972,6 @@ static bool check_certificate(private_credential_manager_t *this,
|
|||
int pathlen_constraint;
|
||||
x509_t *x509;
|
||||
|
||||
if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* check path length constraint */
|
||||
x509 = (x509_t*)issuer;
|
||||
pathlen_constraint = x509->get_pathLenConstraint(x509);
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
|
||||
INCLUDES = -I$(top_srcdir)/src/libstrongswan
|
||||
|
||||
AM_CFLAGS = -rdynamic
|
||||
|
||||
if MONOLITHIC
|
||||
noinst_LTLIBRARIES = libstrongswan-addrblock.la
|
||||
else
|
||||
plugin_LTLIBRARIES = libstrongswan-addrblock.la
|
||||
endif
|
||||
|
||||
libstrongswan_addrblock_la_SOURCES = \
|
||||
addrblock_plugin.h addrblock_plugin.c \
|
||||
addrblock_validator.h addrblock_validator.c
|
||||
|
||||
libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version
|
|
@ -0,0 +1,61 @@
|
|||
/*
|
||||
* Copyright (C) 2010 Martin Willi
|
||||
* Copyright (C) 2010 revosec AG
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "addrblock_plugin.h"
|
||||
|
||||
#include <library.h>
|
||||
#include "addrblock_validator.h"
|
||||
|
||||
typedef struct private_addrblock_plugin_t private_addrblock_plugin_t;
|
||||
|
||||
/**
|
||||
* private data of addrblock_plugin
|
||||
*/
|
||||
struct private_addrblock_plugin_t {
|
||||
|
||||
/**
|
||||
* public functions
|
||||
*/
|
||||
addrblock_plugin_t public;
|
||||
|
||||
/**
|
||||
* Validator implementation instance.
|
||||
*/
|
||||
addrblock_validator_t *validator;
|
||||
};
|
||||
|
||||
METHOD(plugin_t, destroy, void,
|
||||
private_addrblock_plugin_t *this)
|
||||
{
|
||||
lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
|
||||
this->validator->destroy(this->validator);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* see header file
|
||||
*/
|
||||
plugin_t *addrblock_plugin_create()
|
||||
{
|
||||
private_addrblock_plugin_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public.plugin.destroy = _destroy,
|
||||
.validator = addrblock_validator_create(),
|
||||
);
|
||||
lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
/*
|
||||
* Copyright (C) 2010 Martin Willi
|
||||
* Copyright (C) 2010 revosec AG
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup addrblock addrblock
|
||||
* @ingroup plugins
|
||||
*
|
||||
* @defgroup addrblock_plugin addrblock_plugin
|
||||
* @{ @ingroup addrblock
|
||||
*/
|
||||
|
||||
#ifndef ADDRBLOCK_PLUGIN_H_
|
||||
#define ADDRBLOCK_PLUGIN_H_
|
||||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
typedef struct addrblock_plugin_t addrblock_plugin_t;
|
||||
|
||||
/**
|
||||
* RFC 3779 address block checking.
|
||||
*/
|
||||
struct addrblock_plugin_t {
|
||||
|
||||
/**
|
||||
* Implements plugin_t. interface.
|
||||
*/
|
||||
plugin_t plugin;
|
||||
};
|
||||
|
||||
#endif /** ADDRBLOCK_PLUGIN_H_ @}*/
|
|
@ -0,0 +1,124 @@
|
|||
/*
|
||||
* Copyright (C) 2010 Martin Willi
|
||||
* Copyright (C) 2010 revosec AG
|
||||
* Copyright (C) 2009 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "addrblock_validator.h"
|
||||
|
||||
#include <debug.h>
|
||||
#include <credentials/certificates/x509.h>
|
||||
#include <selectors/traffic_selector.h>
|
||||
|
||||
typedef struct private_addrblock_validator_t private_addrblock_validator_t;
|
||||
|
||||
/**
|
||||
* Private data of an addrblock_validator_t object.
|
||||
*/
|
||||
struct private_addrblock_validator_t {
|
||||
|
||||
/**
|
||||
* Public addrblock_validator_t interface.
|
||||
*/
|
||||
addrblock_validator_t public;
|
||||
};
|
||||
|
||||
/**
|
||||
* Do the addrblock check for two x509 plugins
|
||||
*/
|
||||
static bool check_addrblock(x509_t *subject, x509_t *issuer)
|
||||
{
|
||||
bool subject_const, issuer_const, contained = TRUE;
|
||||
enumerator_t *subject_enumerator, *issuer_enumerator;
|
||||
traffic_selector_t *subject_ts, *issuer_ts;
|
||||
|
||||
subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
|
||||
issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
|
||||
|
||||
if (!subject_const && !issuer_const)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
if (!subject_const)
|
||||
{
|
||||
DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
|
||||
return FALSE;
|
||||
}
|
||||
if (!issuer_const)
|
||||
{
|
||||
DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
|
||||
return FALSE;
|
||||
}
|
||||
subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
|
||||
while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
|
||||
{
|
||||
contained = FALSE;
|
||||
|
||||
issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
|
||||
while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
|
||||
{
|
||||
if (subject_ts->is_contained_in(subject_ts, issuer_ts))
|
||||
{
|
||||
DBG2(DBG_CFG, " subject address block %R is contained in "
|
||||
"issuer address block %R", subject_ts, issuer_ts);
|
||||
contained = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
issuer_enumerator->destroy(issuer_enumerator);
|
||||
if (!contained)
|
||||
{
|
||||
DBG1(DBG_CFG, "subject address block %R is not contained in any "
|
||||
"issuer address block", subject_ts);
|
||||
break;
|
||||
}
|
||||
}
|
||||
subject_enumerator->destroy(subject_enumerator);
|
||||
return contained;
|
||||
}
|
||||
|
||||
METHOD(cert_validator_t, validate, bool,
|
||||
private_addrblock_validator_t *this, certificate_t *subject,
|
||||
certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
|
||||
{
|
||||
if (subject->get_type(subject) == CERT_X509 &&
|
||||
issuer->get_type(issuer) == CERT_X509)
|
||||
{
|
||||
return check_addrblock((x509_t*)subject, (x509_t*)issuer);
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(addrblock_validator_t, destroy, void,
|
||||
private_addrblock_validator_t *this)
|
||||
{
|
||||
free(this);
|
||||
}
|
||||
|
||||
/**
|
||||
* See header
|
||||
*/
|
||||
addrblock_validator_t *addrblock_validator_create()
|
||||
{
|
||||
private_addrblock_validator_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.validator.validate = _validate,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
);
|
||||
|
||||
return &this->public;
|
||||
}
|
|
@ -0,0 +1,49 @@
|
|||
/*
|
||||
* Copyright (C) 2010 Martin Willi
|
||||
* Copyright (C) 2010 revosec AG
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup addrblock_validator addrblock_validator
|
||||
* @{ @ingroup addrblock
|
||||
*/
|
||||
|
||||
#ifndef ADDRBLOCK_VALIDATOR_H_
|
||||
#define ADDRBLOCK_VALIDATOR_H_
|
||||
|
||||
#include <credentials/cert_validator.h>
|
||||
|
||||
typedef struct addrblock_validator_t addrblock_validator_t;
|
||||
|
||||
/**
|
||||
* RFC 3779 address block X509 certificate validator.
|
||||
*/
|
||||
struct addrblock_validator_t {
|
||||
|
||||
/**
|
||||
* Implements cert_validator_t interface.
|
||||
*/
|
||||
cert_validator_t validator;
|
||||
|
||||
/**
|
||||
* Destroy a addrblock_validator_t.
|
||||
*/
|
||||
void (*destroy)(addrblock_validator_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a addrblock_validator instance.
|
||||
*/
|
||||
addrblock_validator_t *addrblock_validator_create();
|
||||
|
||||
#endif /** ADDRBLOCK_VALIDATOR_H_ @}*/
|
Loading…
Reference in New Issue