Moved X509 addrBlock validation to a separate addrblock plugin

configure.in

@@ -142,6 +142,7 @@ ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
 ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_ENABL_SET([android],        [enable Android specific plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager plugin.])
@@ -758,6 +759,9 @@ fi
 if test x$agent = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" agent"
 fi
+if test x$addrblock = xtrue; then
+	libstrongswan_plugins=${libstrongswan_plugins}" addrblock"
+fi
 if test x$gmp = xtrue; then
 	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
 	pluto_plugins=${pluto_plugins}" gmp"
@@ -812,6 +816,7 @@ AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
 AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
 AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
 AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
+AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
 
 dnl charon plugins
 dnl ==============
@@ -936,6 +941,7 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/openssl/Makefile
 	src/libstrongswan/plugins/gcrypt/Makefile
 	src/libstrongswan/plugins/agent/Makefile
+	src/libstrongswan/plugins/addrblock/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libhydra/Makefile
 	src/libhydra/plugins/attr/Makefile

src/libstrongswan/Android.mk

@@ -44,6 +44,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
 selectors/traffic_selector.c selectors/traffic_selector.h \

src/libstrongswan/Makefile.am

@@ -42,6 +42,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
 selectors/traffic_selector.c selectors/traffic_selector.h \
@@ -306,6 +307,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_ADDRBLOCK
+  SUBDIRS += plugins/addrblock
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/addrblock/libstrongswan-addrblock.la
+endif
+endif
+
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 if MONOLITHIC

src/libstrongswan/credentials/cert_validator.h

@@ -23,6 +23,8 @@
 
 typedef struct cert_validator_t cert_validator_t;
 
+#include <library.h>
+
 /**
  * Certificate validator interface.
  *

src/libstrongswan/credentials/credential_manager.c

@@ -943,60 +943,6 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 	return valid;
 }
 
-/**
- * check a certificate for optional IP address block constraints
- */
-static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
-{
-	bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
-	bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
-	bool contained = TRUE;
-
-	enumerator_t *subject_enumerator, *issuer_enumerator;
-	traffic_selector_t *subject_ts, *issuer_ts;
-
-	if (!subject_constraint && !issuer_constraint)
-	{
-		return TRUE;
-	}
-	if (!subject_constraint)
-	{
-		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-		return FALSE;
-	}
-	if (!issuer_constraint)
-	{
-		DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
-		return FALSE;
-	}
-	subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
-	while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
-	{
-		contained = FALSE;
-
-		issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
-		while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
-		{
-			if (subject_ts->is_contained_in(subject_ts, issuer_ts))
-			{
-				DBG2(DBG_CFG, "  subject address block %R is contained in "
-							  "issuer address block %R", subject_ts, issuer_ts);
-				contained = TRUE;
-				break;
-			}
-		}
-		issuer_enumerator->destroy(issuer_enumerator);
-		if (!contained)
-		{
-			DBG1(DBG_CFG, "subject address block %R is not contained in any "
-						  "issuer address block", subject_ts);
-			break;
-		}
-	}
-	subject_enumerator->destroy(subject_enumerator);
-	return contained;
-}
-
 /**
  * check a certificate for its lifetime
  */
@@ -1026,11 +972,6 @@ static bool check_certificate(private_credential_manager_t *this,
 		int pathlen_constraint;
 		x509_t *x509;
 
-		if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
-		{
-			return FALSE;
-		}
-
 		/* check path length constraint */
 		x509 = (x509_t*)issuer;
 		pathlen_constraint = x509->get_pathLenConstraint(x509);

src/libstrongswan/plugins/addrblock/Makefile.am

@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-addrblock.la
+else
+plugin_LTLIBRARIES = libstrongswan-addrblock.la
+endif
+
+libstrongswan_addrblock_la_SOURCES = \
+	addrblock_plugin.h addrblock_plugin.c \
+	addrblock_validator.h addrblock_validator.c
+
+libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version

src/libstrongswan/plugins/addrblock/addrblock_plugin.c

@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_plugin.h"
+
+#include <library.h>
+#include "addrblock_validator.h"
+
+typedef struct private_addrblock_plugin_t private_addrblock_plugin_t;
+
+/**
+ * private data of addrblock_plugin
+ */
+struct private_addrblock_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	addrblock_plugin_t public;
+
+	/**
+	 * Validator implementation instance.
+	 */
+	addrblock_validator_t *validator;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_addrblock_plugin_t *this)
+{
+	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+	this->validator->destroy(this->validator);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *addrblock_plugin_create()
+{
+	private_addrblock_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+		.validator = addrblock_validator_create(),
+	);
+	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+	return &this->public.plugin;
+}

src/libstrongswan/plugins/addrblock/addrblock_plugin.h

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock addrblock
+ * @ingroup plugins
+ *
+ * @defgroup addrblock_plugin addrblock_plugin
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_PLUGIN_H_
+#define ADDRBLOCK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct addrblock_plugin_t addrblock_plugin_t;
+
+/**
+ * RFC 3779 address block checking.
+ */
+struct addrblock_plugin_t {
+
+	/**
+	 * Implements plugin_t. interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ADDRBLOCK_PLUGIN_H_ @}*/

src/libstrongswan/plugins/addrblock/addrblock_validator.c

@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_validator.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+#include <selectors/traffic_selector.h>
+
+typedef struct private_addrblock_validator_t private_addrblock_validator_t;
+
+/**
+ * Private data of an addrblock_validator_t object.
+ */
+struct private_addrblock_validator_t {
+
+	/**
+	 * Public addrblock_validator_t interface.
+	 */
+	addrblock_validator_t public;
+};
+
+/**
+ * Do the addrblock check for two x509 plugins
+ */
+static bool check_addrblock(x509_t *subject, x509_t *issuer)
+{
+	bool subject_const, issuer_const, contained = TRUE;
+	enumerator_t *subject_enumerator, *issuer_enumerator;
+	traffic_selector_t *subject_ts, *issuer_ts;
+
+	subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
+	issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
+
+	if (!subject_const && !issuer_const)
+	{
+		return TRUE;
+	}
+	if (!subject_const)
+	{
+		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
+		return FALSE;
+	}
+	if (!issuer_const)
+	{
+		DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
+		return FALSE;
+	}
+	subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
+	while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
+	{
+		contained = FALSE;
+
+		issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
+		while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
+		{
+			if (subject_ts->is_contained_in(subject_ts, issuer_ts))
+			{
+				DBG2(DBG_CFG, "  subject address block %R is contained in "
+							  "issuer address block %R", subject_ts, issuer_ts);
+				contained = TRUE;
+				break;
+			}
+		}
+		issuer_enumerator->destroy(issuer_enumerator);
+		if (!contained)
+		{
+			DBG1(DBG_CFG, "subject address block %R is not contained in any "
+						  "issuer address block", subject_ts);
+			break;
+		}
+	}
+	subject_enumerator->destroy(subject_enumerator);
+	return contained;
+}
+
+METHOD(cert_validator_t, validate, bool,
+	private_addrblock_validator_t *this, certificate_t *subject,
+	certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+{
+	if (subject->get_type(subject) == CERT_X509 &&
+		issuer->get_type(issuer) == CERT_X509)
+	{
+		return check_addrblock((x509_t*)subject, (x509_t*)issuer);
+	}
+	return TRUE;
+}
+
+METHOD(addrblock_validator_t, destroy, void,
+	private_addrblock_validator_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+addrblock_validator_t *addrblock_validator_create()
+{
+	private_addrblock_validator_t *this;
+
+	INIT(this,
+		.public = {
+			.validator.validate = _validate,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}

src/libstrongswan/plugins/addrblock/addrblock_validator.h

@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock_validator addrblock_validator
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_VALIDATOR_H_
+#define ADDRBLOCK_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct addrblock_validator_t addrblock_validator_t;
+
+/**
+ * RFC 3779 address block X509 certificate validator.
+ */
+struct addrblock_validator_t {
+
+	/**
+	 * Implements cert_validator_t interface.
+	 */
+	cert_validator_t validator;
+
+	/**
+	 * Destroy a addrblock_validator_t.
+	 */
+	void (*destroy)(addrblock_validator_t *this);
+};
+
+/**
+ * Create a addrblock_validator instance.
+ */
+addrblock_validator_t *addrblock_validator_create();
+
+#endif /** ADDRBLOCK_VALIDATOR_H_ @}*/