Merge branch 'systime'

Add a systime-fix plugin allowing an embedded system to validate certificates
if the system time has not been synchronized after boot. Certificates of
established tunnels can be re-validated after the system time gets valid.

configure.in

@@ -227,6 +227,7 @@ ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
 ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
 ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
 ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
+ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
 ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
 ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
 ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
@@ -1013,6 +1014,7 @@ ADD_PLUGIN([whitelist],            [c charon])
 ADD_PLUGIN([lookip],               [c charon])
 ADD_PLUGIN([error-notify],         [c charon])
 ADD_PLUGIN([certexpire],           [c charon])
+ADD_PLUGIN([systime-fix],          [c charon])
 ADD_PLUGIN([led],                  [c charon])
 ADD_PLUGIN([duplicheck],           [c charon])
 ADD_PLUGIN([coupling],             [c charon])
@@ -1108,6 +1110,7 @@ AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
 AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
 AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
 AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
+AM_CONDITIONAL(USE_SYSTIME_FIX, test x$systime_fix = xtrue)
 AM_CONDITIONAL(USE_LED, test x$led = xtrue)
 AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
 AM_CONDITIONAL(USE_COUPLING, test x$coupling = xtrue)
@@ -1349,6 +1352,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/lookip/Makefile
 	src/libcharon/plugins/error_notify/Makefile
 	src/libcharon/plugins/certexpire/Makefile
+	src/libcharon/plugins/systime_fix/Makefile
 	src/libcharon/plugins/led/Makefile
 	src/libcharon/plugins/duplicheck/Makefile
 	src/libcharon/plugins/coupling/Makefile

src/libcharon/Makefile.am

@@ -513,6 +513,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_SYSTIME_FIX
+  SUBDIRS += plugins/systime_fix
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/systime_fix/libstrongswan-systime-fix.la
+endif
+endif
+
 if USE_LED
   SUBDIRS += plugins/led
 if MONOLITHIC

src/libcharon/plugins/systime_fix/Makefile.am

@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-systime-fix.la
+else
+plugin_LTLIBRARIES = libstrongswan-systime-fix.la
+endif
+
+libstrongswan_systime_fix_la_SOURCES = \
+	systime_fix_validator.h systime_fix_validator.c \
+	systime_fix_plugin.h systime_fix_plugin.c
+
+libstrongswan_systime_fix_la_LDFLAGS = -module -avoid-version

src/libcharon/plugins/systime_fix/systime_fix_plugin.c

@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "systime_fix_plugin.h"
+#include "systime_fix_validator.h"
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+
+#include <time.h>
+
+/**
+ * Defining _XOPEN_SOURCE is difficult with libstrongswan includes,
+ * declare function explicitly.
+ */
+char *strptime(const char *s, const char *format, struct tm *tm);
+
+typedef struct private_systime_fix_plugin_t private_systime_fix_plugin_t;
+
+/**
+ * Private data of systime_fix plugin
+ */
+struct private_systime_fix_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	systime_fix_plugin_t public;
+
+	/**
+	 * Certificate lifetime validator
+	 */
+	systime_fix_validator_t *validator;
+
+	/**
+	 * Interval we check for a now-valid system time, in seconds. 0 if disabled
+	 */
+	u_int interval;
+
+	/**
+	 * Timestamp where we start considering system time valid
+	 */
+	time_t threshold;
+
+	/**
+	 * Do we trigger reauth or delete when finding expired certificates?
+	 */
+	bool reauth;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_systime_fix_plugin_t *this)
+{
+	return "systime-fix";
+}
+
+METHOD(plugin_t, destroy, void,
+	private_systime_fix_plugin_t *this)
+{
+	if (this->validator)
+	{
+		lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+		this->validator->destroy(this->validator);
+	}
+	free(this);
+}
+
+/**
+ * Check if all certificates associated to an IKE_SA have valid lifetimes
+ */
+static bool has_invalid_certs(ike_sa_t *ike_sa)
+{
+	enumerator_t *cfgs, *items;
+	certificate_t *cert;
+	auth_rule_t type;
+	auth_cfg_t *auth;
+	time_t not_before, not_after;
+	bool valid = TRUE;
+
+	cfgs = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+	while (valid && cfgs->enumerate(cfgs, &auth))
+	{
+		items = auth->create_enumerator(auth);
+		while (valid && items->enumerate(items, &type, &cert))
+		{
+			switch (type)
+			{
+				case AUTH_RULE_SUBJECT_CERT:
+				case AUTH_RULE_IM_CERT:
+				case AUTH_RULE_CA_CERT:
+					if (!cert->get_validity(cert, NULL, &not_before, &not_after))
+					{
+						DBG1(DBG_CFG, "certificate '%Y' invalid "
+							"(valid from %T to %T)", cert->get_subject(cert),
+							 &not_before, FALSE, &not_after, FALSE);
+						valid = FALSE;
+					}
+					break;
+				default:
+					break;
+			}
+		}
+		items->destroy(items);
+	}
+	cfgs->destroy(cfgs);
+
+	if (valid)
+	{
+		DBG1(DBG_CFG, "all certificates have valid lifetimes");
+	}
+	return !valid;
+}
+
+/**
+ * Check system time, reevaluate certificates
+ */
+static job_requeue_t check_systime(private_systime_fix_plugin_t *this)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	char *action;
+	job_t *job;
+
+	if (time(NULL) < this->threshold)
+	{
+		DBG2(DBG_CFG, "systime not valid, rechecking in %ds", this->interval);
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+					callback_job_create((callback_job_cb_t)check_systime, this,
+										NULL, NULL), this->interval);
+		return JOB_REQUEUE_NONE;
+	}
+
+	DBG1(DBG_CFG, "system time got valid, rechecking certificates");
+
+	enumerator = charon->ike_sa_manager->create_enumerator(
+												charon->ike_sa_manager, TRUE);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (has_invalid_certs(ike_sa))
+		{
+			if (this->reauth)
+			{
+				action = "reauthenticating";
+				job = &rekey_ike_sa_job_create(ike_sa->get_id(ike_sa),
+											   TRUE)->job_interface;
+			}
+			else
+			{
+				action = "deleting";
+				job = &delete_ike_sa_job_create(ike_sa->get_id(ike_sa),
+												TRUE)->job_interface;
+			}
+			DBG1(DBG_CFG, "%s[%d] has certificates not valid, %s IKE_SA",
+				 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+				 action);
+			lib->processor->queue_job(lib->processor, job);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Load cert lifetime validator configuration
+ */
+static bool load_validator(private_systime_fix_plugin_t *this)
+{
+	struct tm tm = {
+		.tm_mday = 1,
+	};
+	char *str, *fmt;
+
+	fmt = lib->settings->get_str(lib->settings,
+			"%s.plugins.%s.threshold_format", "%Y", charon->name, get_name(this));
+	str = lib->settings->get_str(lib->settings,
+			"%s.plugins.%s.threshold", NULL, charon->name, get_name(this));
+	if (!str)
+	{
+		DBG1(DBG_CFG, "no threshold configured for %s, disabled",
+			 get_name(this));
+		return FALSE;
+	}
+	if (strptime(str, fmt, &tm) == NULL)
+	{
+		DBG1(DBG_CFG, "threshold for %s invalid, disabled", get_name(this));
+		return FALSE;
+	}
+	this->threshold = mktime(&tm);
+	if (this->threshold == -1)
+	{
+		DBG1(DBG_CFG, "converting threshold for %s failed, disabled",
+			 get_name(this));
+		return FALSE;
+	}
+	if (time(NULL) >= this->threshold)
+	{
+		DBG1(DBG_CFG, "system time looks good, disabling %s", get_name(this));
+		return FALSE;
+	}
+
+	DBG1(DBG_CFG, "enabling %s, threshold: %s", get_name(this), asctime(&tm));
+	this->validator = systime_fix_validator_create(this->threshold);
+	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+	return TRUE;
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *systime_fix_plugin_create()
+{
+	private_systime_fix_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.interval = lib->settings->get_int(lib->settings,
+				"%s.plugins.%s.interval", 0, charon->name, get_name(this)),
+		.reauth = lib->settings->get_bool(lib->settings,
+				"%s.plugins.%s.reauth", FALSE, charon->name, get_name(this)),
+	);
+
+	if (load_validator(this))
+	{
+		if (this->interval != 0)
+		{
+			DBG1(DBG_CFG, "starting systime check, interval: %ds",
+				 this->interval);
+			lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+					callback_job_create((callback_job_cb_t)check_systime, this,
+										NULL, NULL), this->interval);
+		}
+	}
+	return &this->public.plugin;
+}

src/libcharon/plugins/systime_fix/systime_fix_plugin.h

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup systime_fix systime_fix
+ * @ingroup cplugins
+ *
+ * @defgroup systime_fix_plugin systime_fix_plugin
+ * @{ @ingroup systime_fix
+ */
+
+#ifndef SYSTIME_FIX_PLUGIN_H_
+#define SYSTIME_FIX_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct systime_fix_plugin_t systime_fix_plugin_t;
+
+/**
+ * Plugin handling cert lifetimes gracefully if system time is out of sync.
+ */
+struct systime_fix_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SYSTIME_FIX_PLUGIN_H_ @}*/

src/libcharon/plugins/systime_fix/systime_fix_validator.c

@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "systime_fix_validator.h"
+
+#include <errno.h>
+#include <time.h>
+
+#include <daemon.h>
+
+typedef struct private_systime_fix_validator_t private_systime_fix_validator_t;
+
+/**
+ * Private data of an systime_fix_validator_t object.
+ */
+struct private_systime_fix_validator_t {
+
+	/**
+	 * Public systime_fix_validator_t interface.
+	 */
+	systime_fix_validator_t public;
+
+	/**
+	 * Timestamp where we start to consider system time valid
+	 */
+	time_t threshold;
+};
+
+METHOD(cert_validator_t, check_lifetime, status_t,
+	private_systime_fix_validator_t *this, certificate_t *cert,
+	int pathlen, bool anchor, auth_cfg_t *auth)
+{
+	if (time(NULL) < this->threshold)
+	{
+		/* our system time seems to be invalid, accept certificate */
+		if (pathlen)
+		{	/* report only once per validated chain */
+			DBG1(DBG_CFG, "system time out of sync, skipping certificate "
+				 "lifetime check");
+		}
+		return SUCCESS;
+	}
+	/* validate this certificate normally */
+	return NEED_MORE;
+}
+
+METHOD(systime_fix_validator_t, destroy, void,
+	private_systime_fix_validator_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+systime_fix_validator_t *systime_fix_validator_create(time_t threshold)
+{
+	private_systime_fix_validator_t *this;
+
+	INIT(this,
+		.public = {
+			.validator = {
+				.check_lifetime = _check_lifetime,
+			},
+			.destroy = _destroy,
+		},
+		.threshold = threshold,
+	);
+
+	return &this->public;
+}

src/libcharon/plugins/systime_fix/systime_fix_validator.h

@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup systime_fix_validator systime_fix_validator
+ * @{ @ingroup systime_fix
+ */
+
+#ifndef SYSTIME_FIX_VALIDATOR_H_
+#define SYSTIME_FIX_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct systime_fix_validator_t systime_fix_validator_t;
+
+/**
+ * Validator that accepts cert lifetimes if system time is out of sync.
+ */
+struct systime_fix_validator_t {
+
+	/**
+	 * Implements cert_validator_t interface.
+	 */
+	cert_validator_t validator;
+
+	/**
+	 * Destroy a systime_fix_validator_t.
+	 */
+	void (*destroy)(systime_fix_validator_t *this);
+};
+
+/**
+ * Create a systime_fix_validator instance.
+ */
+systime_fix_validator_t *systime_fix_validator_create();
+
+#endif /** SYSTIME_FIX_VALIDATOR_H_ @}*/

src/libstrongswan/credentials/cert_validator.h

@@ -34,6 +34,22 @@ typedef struct cert_validator_t cert_validator_t;
  */
 struct cert_validator_t {
 
+	/**
+	 * Check the lifetime of a certificate.
+	 *
+	 * If this function returns SUCCESS or FAILED, the certificate lifetime is
+	 * considered definitely (in-)valid, without asking other validators.
+	 * If all registered validaters return NEED_MORE, the default
+	 * lifetime check is performed.
+	 *
+	 * @param cert			certificate to check lifetime
+	 * @param pathlen		the current length of the path bottom-up
+	 * @param anchor		is certificate trusted root anchor?
+	 * @param auth			container for resulting authentication info
+	 * @return				SUCCESS, FAILED or NEED_MORE to ask next validator
+	 */
+	status_t (*check_lifetime)(cert_validator_t *this, certificate_t *cert,
+							   int pathlen, bool anchor, auth_cfg_t *auth);
 	/**
 	 * Validate a subject certificate in relation to its issuer.
 	 *
@@ -43,6 +59,7 @@ struct cert_validator_t {
 	 * @param pathlen		the current length of the path bottom-up
 	 * @param anchor		is issuer trusted root anchor
 	 * @param auth			container for resulting authentication info
+	 * @return				TRUE if subject certificate valid
 	 */
 	bool (*validate)(cert_validator_t *this, certificate_t *subject,
 					 certificate_t *issuer, bool online, u_int pathlen,

src/libstrongswan/credentials/credential_manager.c

@@ -514,6 +514,52 @@ static void cache_queue(private_credential_manager_t *this)
 	this->queue_mutex->unlock(this->queue_mutex);
 }
 
+/**
+ * Use validators to check the lifetime of certificates
+ */
+static bool check_lifetime(private_credential_manager_t *this,
+						   certificate_t *cert, char *label,
+						   int pathlen, bool trusted, auth_cfg_t *auth)
+{
+	time_t not_before, not_after;
+	cert_validator_t *validator;
+	enumerator_t *enumerator;
+	status_t status = NEED_MORE;
+
+	enumerator = this->validators->create_enumerator(this->validators);
+	while (enumerator->enumerate(enumerator, &validator))
+	{
+		if (!validator->check_lifetime)
+		{
+			continue;
+		}
+		status = validator->check_lifetime(validator, cert,
+										   pathlen, trusted, auth);
+		if (status != NEED_MORE)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	switch (status)
+	{
+		case NEED_MORE:
+			if (!cert->get_validity(cert, NULL, &not_before, &not_after))
+			{
+				DBG1(DBG_CFG, "%s certificate invalid (valid from %T to %T)",
+					 label, &not_before, FALSE, &not_after, FALSE);
+				return FALSE;
+			}
+			return TRUE;
+		case SUCCESS:
+			return TRUE;
+		case FAILED:
+		default:
+			return FALSE;
+	}
+}
+
 /**
  * check a certificate for its lifetime
  */
@@ -521,26 +567,22 @@ static bool check_certificate(private_credential_manager_t *this,
 				certificate_t *subject, certificate_t *issuer, bool online,
 				int pathlen, bool trusted, auth_cfg_t *auth)
 {
-	time_t not_before, not_after;
 	cert_validator_t *validator;
 	enumerator_t *enumerator;
 
-	if (!subject->get_validity(subject, NULL, &not_before, &not_after))
+	if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) ||
+		!check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth))
 	{
-		DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
-		return FALSE;
-	}
-	if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
-	{
-		DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
 		return FALSE;
 	}
 
 	enumerator = this->validators->create_enumerator(this->validators);
 	while (enumerator->enumerate(enumerator, &validator))
 	{
+		if (!validator->validate)
+		{
+			continue;
+		}
 		if (!validator->validate(validator, subject, issuer,
 								 online, pathlen, trusted, auth))
 		{