diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-08-10 20:45:41 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-08-10 20:45:41 +0000 |
commit | 13b6d1819be8ed31bbd0dc95cbfd5fd543e3cac4 (patch) | |
tree | 1650b15c75456cbf91d9b839643f5af2c52a727c /.pc | |
parent | 863c5063ce83104506d1a82e72390703e7b8f246 (diff) | |
download | vyos-strongswan-13b6d1819be8ed31bbd0dc95cbfd5fd543e3cac4.tar.gz vyos-strongswan-13b6d1819be8ed31bbd0dc95cbfd5fd543e3cac4.zip |
Security fix has been applied upstream.
Diffstat (limited to '.pc')
-rw-r--r-- | .pc/applied-patches | 1 | ||||
-rw-r--r-- | .pc/snprintf-fix-4.4.0.patch/.timestamp | 0 | ||||
-rw-r--r-- | .pc/snprintf-fix-4.4.0.patch/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c | 533 | ||||
-rw-r--r-- | .pc/snprintf-fix-4.4.0.patch/src/libstrongswan/utils/identification.c | 1032 | ||||
-rw-r--r-- | .pc/snprintf-fix-4.4.0.patch/src/pluto/x509.c | 459 |
5 files changed, 0 insertions, 2025 deletions
diff --git a/.pc/applied-patches b/.pc/applied-patches index 326403814..e69de29bb 100644 --- a/.pc/applied-patches +++ b/.pc/applied-patches @@ -1 +0,0 @@ -snprintf-fix-4.4.0.patch diff --git a/.pc/snprintf-fix-4.4.0.patch/.timestamp b/.pc/snprintf-fix-4.4.0.patch/.timestamp deleted file mode 100644 index e69de29bb..000000000 --- a/.pc/snprintf-fix-4.4.0.patch/.timestamp +++ /dev/null diff --git a/.pc/snprintf-fix-4.4.0.patch/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/.pc/snprintf-fix-4.4.0.patch/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c deleted file mode 100644 index ff3ddeb6f..000000000 --- a/.pc/snprintf-fix-4.4.0.patch/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c +++ /dev/null @@ -1,533 +0,0 @@ -/* - * Copyright (C) 2007-2009 Andreas Steffen - * - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <asn1/oid.h> -#include <asn1/asn1.h> -#include <asn1/asn1_parser.h> -#include <utils/linked_list.h> -#include <utils/lexparser.h> - -#include "ietf_attributes.h" - -/** - * Private definition of IETF attribute types - */ -typedef enum { - IETF_ATTRIBUTE_OCTETS = 0, - IETF_ATTRIBUTE_OID = 1, - IETF_ATTRIBUTE_STRING = 2 -} ietf_attribute_type_t; - -typedef struct ietf_attr_t ietf_attr_t; - -/** - * Private definition of an IETF attribute - */ -struct ietf_attr_t { - /** - * IETF attribute type - */ - ietf_attribute_type_t type; - - /** - * IETF attribute value - */ - chunk_t value; - - /** - * Compares two IETF attributes - * - * return -1 if this is earlier in the alphabet than other - * return 0 if this equals other - * return +1 if this is later in the alphabet than other - * - * @param other other object - */ - int (*compare) (ietf_attr_t *this, ietf_attr_t *other); - - /** - * Destroys an ietf_attr_t object. - */ - void (*destroy) (ietf_attr_t *this); -}; - -/** - * Implements ietf_attr_t.compare. - */ -static int ietf_attr_compare(ietf_attr_t *this, ietf_attr_t *other) -{ - int cmp_len, len, cmp_value; - - /* OID attributes are appended after STRING and OCTETS attributes */ - if (this->type != IETF_ATTRIBUTE_OID && other->type == IETF_ATTRIBUTE_OID) - { - return -1; - } - if (this->type == IETF_ATTRIBUTE_OID && other->type != IETF_ATTRIBUTE_OID) - { - return 1; - } - - cmp_len = this->value.len - other->value.len; - len = (cmp_len < 0) ? this->value.len : other->value.len; - cmp_value = memcmp(this->value.ptr, other->value.ptr, len); - - return (cmp_value == 0) ? cmp_len : cmp_value; -} - -/** - * Implements ietf_attr_t.destroy. - */ -static void ietf_attr_destroy(ietf_attr_t *this) -{ - free(this->value.ptr); - free(this); -} - -/** - * Creates an ietf_attr_t object. - */ -static ietf_attr_t* ietf_attr_create(ietf_attribute_type_t type, chunk_t value) -{ - ietf_attr_t *this = malloc_thing(ietf_attr_t); - - /* initialize */ - this->type = type; - this->value = chunk_clone(value); - - /* function */ - this->compare = ietf_attr_compare; - this->destroy = ietf_attr_destroy; - - return this; -} - -typedef struct private_ietf_attributes_t private_ietf_attributes_t; - -/** - * Private data of an ietf_attributes_t object. - */ -struct private_ietf_attributes_t { - /** - * Public interface. - */ - ietf_attributes_t public; - - /** - * Printable representation of the IETF attributes - */ - char *string; - - /** - * Linked list of IETF attributes. - */ - linked_list_t *list; - - /** - * reference count - */ - refcount_t ref; -}; - -/** - * Implementation of ietf_attributes_t.get_string. - */ -static char* get_string(private_ietf_attributes_t *this) -{ - if (this->string == NULL) - { - char buf[BUF_LEN]; - char *pos = buf; - int len = BUF_LEN; - bool first = TRUE; - ietf_attr_t *attr; - enumerator_t *enumerator; - - enumerator = this->list->create_enumerator(this->list); - while (enumerator->enumerate(enumerator, &attr)) - { - int written = 0; - - if (first) - { - first = FALSE; - } - else - { - written = snprintf(pos, len, ", "); - pos += written; - len -= written; - } - - switch (attr->type) - { - case IETF_ATTRIBUTE_OCTETS: - case IETF_ATTRIBUTE_STRING: - written = snprintf(pos, len, "%.*s", (int)attr->value.len, - attr->value.ptr); - break; - case IETF_ATTRIBUTE_OID: - { - int oid = asn1_known_oid(attr->value); - - if (oid == OID_UNKNOWN) - { - written = snprintf(pos, len, "0x#B", &attr->value); - } - else - { - written = snprintf(pos, len, "%s", oid_names[oid]); - } - break; - } - default: - break; - } - pos += written; - len -= written; - } - enumerator->destroy(enumerator); - if (len < BUF_LEN) - { - this->string = strdup(buf); - } - } - return this->string; -} - -/** - * Implementation of ietf_attributes_t.get_encoding. - */ -static chunk_t get_encoding(private_ietf_attributes_t *this) -{ - chunk_t values; - size_t size = 0; - u_char *pos; - ietf_attr_t *attr; - enumerator_t *enumerator; - - /* precalculate the total size of all values */ - enumerator = this->list->create_enumerator(this->list); - while (enumerator->enumerate(enumerator, &attr)) - { - size_t len = attr->value.len; - - size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len; - } - enumerator->destroy(enumerator); - - pos = asn1_build_object(&values, ASN1_SEQUENCE, size); - - enumerator = this->list->create_enumerator(this->list); - while (enumerator->enumerate(enumerator, &attr)) - { - chunk_t ietfAttribute; - asn1_t type = ASN1_NULL; - - switch (attr->type) - { - case IETF_ATTRIBUTE_OCTETS: - type = ASN1_OCTET_STRING; - break; - case IETF_ATTRIBUTE_STRING: - type = ASN1_UTF8STRING; - break; - case IETF_ATTRIBUTE_OID: - type = ASN1_OID; - break; - } - ietfAttribute = asn1_simple_object(type, attr->value); - - /* copy ietfAttribute into values chunk */ - memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); - pos += ietfAttribute.len; - free(ietfAttribute.ptr); - } - enumerator->destroy(enumerator); - - return asn1_wrap(ASN1_SEQUENCE, "m", values); -} - -static bool equals(private_ietf_attributes_t *this, private_ietf_attributes_t *other) -{ - bool result = TRUE; - - /* lists must have the same number of attributes */ - if (other == NULL || - this->list->get_count(this->list) != other->list->get_count(other->list)) - { - return FALSE; - } - - /* compare two alphabetically-sorted lists */ - { - ietf_attr_t *attr_a, *attr_b; - enumerator_t *enum_a, *enum_b; - - enum_a = this->list->create_enumerator(this->list); - enum_b = other->list->create_enumerator(other->list); - while (enum_a->enumerate(enum_a, &attr_a) && - enum_b->enumerate(enum_b, &attr_b)) - { - if (attr_a->compare(attr_a, attr_b) != 0) - { - /* we have a mismatch */ - result = FALSE; - break; - } - } - enum_a->destroy(enum_a); - enum_b->destroy(enum_b); - } - return result; -} - -static bool matches(private_ietf_attributes_t *this, private_ietf_attributes_t *other) -{ - bool result = FALSE; - ietf_attr_t *attr_a, *attr_b; - enumerator_t *enum_a, *enum_b; - - /* always match if this->list does not contain any attributes */ - if (this->list->get_count(this->list) == 0) - { - return TRUE; - } - - /* never match if other->list does not contain any attributes */ - if (other == NULL || other->list->get_count(other->list) == 0) - { - return FALSE; - } - - /* get first attribute from both lists */ - enum_a = this->list->create_enumerator(this->list); - enum_a->enumerate(enum_a, &attr_a); - enum_b = other->list->create_enumerator(other->list); - enum_b->enumerate(enum_b, &attr_b); - - /* look for at least one common attribute */ - while (TRUE) - { - bool cmp = attr_a->compare(attr_a, attr_b); - - if (cmp == 0) - { - /* we have a match */ - result = TRUE; - break; - } - if (cmp == -1) - { - /* attr_a is earlier in the alphabet, get next attr_a */ - if (!enum_a->enumerate(enum_a, &attr_a)) - { - /* we have reached the end of enum_a */ - break; - } - } - else - { - /* attr_a is later in the alphabet, get next attr_b */ - if (!enum_b->enumerate(enum_b, &attr_b)) - { - /* we have reached the end of enum_b */ - break; - } - } - } - enum_a->destroy(enum_a); - enum_b->destroy(enum_b); - - return result; -} - -/** - * Implementation of ietf_attributes_t.get_ref - */ -static private_ietf_attributes_t* get_ref(private_ietf_attributes_t *this) -{ - ref_get(&this->ref); - return this; -} - -/** - * Implementation of ietf_attributes_t.destroy. - */ -static void destroy(private_ietf_attributes_t *this) -{ - if (ref_put(&this->ref)) - { - this->list->destroy_offset(this->list, offsetof(ietf_attr_t, destroy)); - free(this->string); - free(this); - } -} - -static private_ietf_attributes_t* create_empty(void) -{ - private_ietf_attributes_t *this = malloc_thing(private_ietf_attributes_t); - - this->public.get_string = (char* (*)(ietf_attributes_t*))get_string; - this->public.get_encoding = (chunk_t (*)(ietf_attributes_t*))get_encoding; - this->public.equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals; - this->public.matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches; - this->public.get_ref = (ietf_attributes_t* (*)(ietf_attributes_t*))get_ref; - this->public.destroy = (void (*)(ietf_attributes_t*))destroy; - - this->list = linked_list_create(); - this->string = NULL; - this->ref = 1; - return this; -} - -/** - * Adds an ietf_attr_t object to a sorted linked list - */ -static void ietf_attributes_add(private_ietf_attributes_t *this, - ietf_attr_t *attr) -{ - ietf_attr_t *current_attr; - bool found = FALSE; - iterator_t *iterator; - - iterator = this->list->create_iterator(this->list, TRUE); - while (iterator->iterate(iterator, (void **)¤t_attr)) - { - int cmp = attr->compare(attr, current_attr); - - if (cmp > 0) - { - continue; - } - if (cmp == 0) - { - attr->destroy(attr); - } - else - { - iterator->insert_before(iterator, attr); - } - found = TRUE; - break; - } - iterator->destroy(iterator); - if (!found) - { - this->list->insert_last(this->list, attr); - } -} - -/* - * Described in header. - */ -ietf_attributes_t *ietf_attributes_create_from_string(char *string) -{ - private_ietf_attributes_t *this = create_empty(); - - chunk_t line = { string, strlen(string) }; - - while (eat_whitespace(&line)) - { - chunk_t group; - - /* extract the next comma-separated group attribute */ - if (!extract_token(&group, ',', &line)) - { - group = line; - line.len = 0; - } - - /* remove any trailing spaces */ - while (group.len > 0 && *(group.ptr + group.len - 1) == ' ') - { - group.len--; - } - - /* add the group attribute to the list */ - if (group.len > 0) - { - ietf_attr_t *attr = ietf_attr_create(IETF_ATTRIBUTE_STRING, group); - - ietf_attributes_add(this, attr); - } - } - - return &(this->public); -} - -/** - * ASN.1 definition of ietfAttrSyntax - */ -static const asn1Object_t ietfAttrSyntaxObjects[] = -{ - { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ - { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | - ASN1_BODY }, /* 1 */ - { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ - { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */ - { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT | - ASN1_BODY }, /* 4 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */ - { 2, "oid", ASN1_OID, ASN1_OPT | - ASN1_BODY }, /* 6 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ - { 2, "string", ASN1_UTF8STRING, ASN1_OPT | - ASN1_BODY }, /* 8 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */ - { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } -}; -#define IETF_ATTR_OCTETS 4 -#define IETF_ATTR_OID 6 -#define IETF_ATTR_STRING 8 - -/* - * Described in header. - */ -ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded) -{ - private_ietf_attributes_t *this = create_empty(); - asn1_parser_t *parser; - chunk_t object; - int objectID; - - parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded); - while (parser->iterate(parser, &objectID, &object)) - { - switch (objectID) - { - case IETF_ATTR_OCTETS: - case IETF_ATTR_OID: - case IETF_ATTR_STRING: - { - ietf_attribute_type_t type; - ietf_attr_t *attr; - - type = (objectID - IETF_ATTR_OCTETS) / 2; - attr = ietf_attr_create(type, object); - ietf_attributes_add(this, attr); - } - break; - default: - break; - } - } - parser->destroy(parser); - - return &(this->public); -} - diff --git a/.pc/snprintf-fix-4.4.0.patch/src/libstrongswan/utils/identification.c b/.pc/snprintf-fix-4.4.0.patch/src/libstrongswan/utils/identification.c deleted file mode 100644 index 6a3c3936c..000000000 --- a/.pc/snprintf-fix-4.4.0.patch/src/libstrongswan/utils/identification.c +++ /dev/null @@ -1,1032 +0,0 @@ -/* - * Copyright (C) 2009 Tobias Brunner - * Copyright (C) 2005-2009 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#define _GNU_SOURCE -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <string.h> -#include <stdio.h> - -#include "identification.h" - -#include <asn1/oid.h> -#include <asn1/asn1.h> -#include <crypto/hashers/hasher.h> - -ENUM_BEGIN(id_match_names, ID_MATCH_NONE, ID_MATCH_MAX_WILDCARDS, - "MATCH_NONE", - "MATCH_ANY", - "MATCH_MAX_WILDCARDS"); -ENUM_NEXT(id_match_names, ID_MATCH_PERFECT, ID_MATCH_PERFECT, ID_MATCH_MAX_WILDCARDS, - "MATCH_PERFECT"); -ENUM_END(id_match_names, ID_MATCH_PERFECT); - -ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID, - "ID_ANY", - "ID_IPV4_ADDR", - "ID_FQDN", - "ID_RFC822_ADDR", - "ID_IPV4_ADDR_SUBNET", - "ID_IPV6_ADDR", - "ID_IPV6_ADDR_SUBNET", - "ID_IPV4_ADDR_RANGE", - "ID_IPV6_ADDR_RANGE", - "ID_DER_ASN1_DN", - "ID_DER_ASN1_GN", - "ID_KEY_ID"); -ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID, - "ID_DER_ASN1_GN_URI" - "ID_IETF_ATTR_STRING" - "ID_MYID"); -ENUM_END(id_type_names, ID_MYID); - -/** - * coding of X.501 distinguished name - */ -typedef struct { - const u_char *name; - int oid; - u_char type; -} x501rdn_t; - -static const x501rdn_t x501rdns[] = { - {"ND", OID_NAME_DISTINGUISHER, ASN1_PRINTABLESTRING}, - {"UID", OID_PILOT_USERID, ASN1_PRINTABLESTRING}, - {"DC", OID_PILOT_DOMAIN_COMPONENT, ASN1_PRINTABLESTRING}, - {"CN", OID_COMMON_NAME, ASN1_PRINTABLESTRING}, - {"S", OID_SURNAME, ASN1_PRINTABLESTRING}, - {"SN", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING}, - {"serialNumber", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING}, - {"C", OID_COUNTRY, ASN1_PRINTABLESTRING}, - {"L", OID_LOCALITY, ASN1_PRINTABLESTRING}, - {"ST", OID_STATE_OR_PROVINCE, ASN1_PRINTABLESTRING}, - {"O", OID_ORGANIZATION, ASN1_PRINTABLESTRING}, - {"OU", OID_ORGANIZATION_UNIT, ASN1_PRINTABLESTRING}, - {"T", OID_TITLE, ASN1_PRINTABLESTRING}, - {"D", OID_DESCRIPTION, ASN1_PRINTABLESTRING}, - {"N", OID_NAME, ASN1_PRINTABLESTRING}, - {"G", OID_GIVEN_NAME, ASN1_PRINTABLESTRING}, - {"I", OID_INITIALS, ASN1_PRINTABLESTRING}, - {"ID", OID_UNIQUE_IDENTIFIER, ASN1_PRINTABLESTRING}, - {"EN", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING}, - {"employeeNumber", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING}, - {"E", OID_EMAIL_ADDRESS, ASN1_IA5STRING}, - {"Email", OID_EMAIL_ADDRESS, ASN1_IA5STRING}, - {"emailAddress", OID_EMAIL_ADDRESS, ASN1_IA5STRING}, - {"UN", OID_UNSTRUCTURED_NAME, ASN1_IA5STRING}, - {"unstructuredName",OID_UNSTRUCTURED_NAME, ASN1_IA5STRING}, - {"TCGID", OID_TCGID, ASN1_PRINTABLESTRING} -}; - -/** - * maximum number of RDNs in atodn() - */ -#define RDN_MAX 20 - - -typedef struct private_identification_t private_identification_t; - -/** - * Private data of an identification_t object. - */ -struct private_identification_t { - /** - * Public interface. - */ - identification_t public; - - /** - * Encoded representation of this ID. - */ - chunk_t encoded; - - /** - * Type of this ID. - */ - id_type_t type; -}; - -/** - * Enumerator over RDNs - */ -typedef struct { - /* implements enumerator interface */ - enumerator_t public; - /* next set to parse, if any */ - chunk_t sets; - /* next sequence in set, if any */ - chunk_t seqs; -} rdn_enumerator_t; - -METHOD(enumerator_t, rdn_enumerate, bool, - rdn_enumerator_t *this, chunk_t *oid, u_char *type, chunk_t *data) -{ - chunk_t rdn; - - /* a DN contains one or more SET, each containing one or more SEQUENCES, - * each containing a OID/value RDN */ - if (!this->seqs.len) - { - /* no SEQUENCEs in current SET, parse next SET */ - if (asn1_unwrap(&this->sets, &this->seqs) != ASN1_SET) - { - return FALSE; - } - } - if (asn1_unwrap(&this->seqs, &rdn) == ASN1_SEQUENCE && - asn1_unwrap(&rdn, oid) == ASN1_OID) - { - int t = asn1_unwrap(&rdn, data); - - if (t != ASN1_INVALID) - { - *type = t; - return TRUE; - } - } - return FALSE; -} - -/** - * Create an enumerator over all RDNs (oid, string type, data) of a DN - */ -static enumerator_t* create_rdn_enumerator(chunk_t dn) -{ - rdn_enumerator_t *e; - - INIT(e, - .public = { - .enumerate = (void*)_rdn_enumerate, - .destroy = (void*)free, - }, - ); - - /* a DN is a SEQUENCE, get the first SET of it */ - if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE) - { - e->seqs = chunk_empty; - return &e->public; - } - free(e); - return enumerator_create_empty(); -} - -/** - * Part enumerator over RDNs - */ -typedef struct { - /* implements enumerator interface */ - enumerator_t public; - /* inner RDN enumerator */ - enumerator_t *inner; -} rdn_part_enumerator_t; - -METHOD(enumerator_t, rdn_part_enumerate, bool, - rdn_part_enumerator_t *this, id_part_t *type, chunk_t *data) -{ - int i, known_oid, strtype; - chunk_t oid, inner_data; - static const struct { - int oid; - id_part_t type; - } oid2part[] = { - {OID_COMMON_NAME, ID_PART_RDN_CN}, - {OID_SURNAME, ID_PART_RDN_S}, - {OID_SERIAL_NUMBER, ID_PART_RDN_SN}, - {OID_COUNTRY, ID_PART_RDN_C}, - {OID_LOCALITY, ID_PART_RDN_L}, - {OID_STATE_OR_PROVINCE, ID_PART_RDN_ST}, - {OID_ORGANIZATION, ID_PART_RDN_O}, - {OID_ORGANIZATION_UNIT, ID_PART_RDN_OU}, - {OID_TITLE, ID_PART_RDN_T}, - {OID_DESCRIPTION, ID_PART_RDN_D}, - {OID_NAME, ID_PART_RDN_N}, - {OID_GIVEN_NAME, ID_PART_RDN_G}, - {OID_INITIALS, ID_PART_RDN_I}, - {OID_UNIQUE_IDENTIFIER, ID_PART_RDN_ID}, - {OID_EMAIL_ADDRESS, ID_PART_RDN_E}, - {OID_EMPLOYEE_NUMBER, ID_PART_RDN_EN}, - }; - - while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data)) - { - known_oid = asn1_known_oid(oid); - for (i = 0; i < countof(oid2part); i++) - { - if (oid2part[i].oid == known_oid) - { - *type = oid2part[i].type; - *data = inner_data; - return TRUE; - } - } - } - return FALSE; -} - -METHOD(enumerator_t, rdn_part_enumerator_destroy, void, - rdn_part_enumerator_t *this) -{ - this->inner->destroy(this->inner); - free(this); -} - -METHOD(identification_t, create_part_enumerator, enumerator_t*, - private_identification_t *this) -{ - switch (this->type) - { - case ID_DER_ASN1_DN: - { - rdn_part_enumerator_t *e; - - INIT(e, - .inner = create_rdn_enumerator(this->encoded), - .public = { - .enumerate = (void*)_rdn_part_enumerate, - .destroy = _rdn_part_enumerator_destroy, - }, - ); - return &e->public; - } - case ID_RFC822_ADDR: - /* TODO */ - case ID_FQDN: - /* TODO */ - default: - return enumerator_create_empty(); - } -} - -/** - * Print a DN with all its RDN in a buffer to present it to the user - */ -static void dntoa(chunk_t dn, char *buf, size_t len) -{ - enumerator_t *e; - chunk_t oid_data, data, printable; - u_char type; - int oid, written; - bool finished = FALSE; - - e = create_rdn_enumerator(dn); - while (e->enumerate(e, &oid_data, &type, &data)) - { - oid = asn1_known_oid(oid_data); - - if (oid == OID_UNKNOWN) - { - written = snprintf(buf, len, "%#B=", &oid_data); - } - else - { - written = snprintf(buf, len,"%s=", oid_names[oid].name); - } - buf += written; - len -= written; - - chunk_printable(data, &printable, '?'); - written = snprintf(buf, len, "%.*s", printable.len, printable.ptr); - chunk_free(&printable); - buf += written; - len -= written; - - if (data.ptr + data.len != dn.ptr + dn.len) - { - written = snprintf(buf, len, ", "); - buf += written; - len -= written; - } - else - { - finished = TRUE; - break; - } - } - if (!finished) - { - snprintf(buf, len, "(invalid ID_DER_ASN1_DN)"); - } - e->destroy(e); -} - -/** - * Converts an LDAP-style human-readable ASCII-encoded - * ASN.1 distinguished name into binary DER-encoded format - */ -static status_t atodn(char *src, chunk_t *dn) -{ - /* finite state machine for atodn */ - typedef enum { - SEARCH_OID = 0, - READ_OID = 1, - SEARCH_NAME = 2, - READ_NAME = 3, - UNKNOWN_OID = 4 - } state_t; - - chunk_t oid = chunk_empty; - chunk_t name = chunk_empty; - chunk_t rdns[RDN_MAX]; - int rdn_count = 0; - int dn_len = 0; - int whitespace = 0; - int i = 0; - asn1_t rdn_type; - state_t state = SEARCH_OID; - status_t status = SUCCESS; - - do - { - switch (state) - { - case SEARCH_OID: - if (*src != ' ' && *src != '/' && *src != ',') - { - oid.ptr = src; - oid.len = 1; - state = READ_OID; - } - break; - case READ_OID: - if (*src != ' ' && *src != '=') - { - oid.len++; - } - else - { - bool found = FALSE; - - for (i = 0; i < countof(x501rdns); i++) - { - if (strlen(x501rdns[i].name) == oid.len && - strncasecmp(x501rdns[i].name, oid.ptr, oid.len) == 0) - { - found = TRUE; - break; - } - } - if (!found) - { - status = NOT_SUPPORTED; - state = UNKNOWN_OID; - break; - } - /* reset oid and change state */ - oid = chunk_empty; - state = SEARCH_NAME; - } - break; - case SEARCH_NAME: - if (*src != ' ' && *src != '=') - { - name.ptr = src; - name.len = 1; - whitespace = 0; - state = READ_NAME; - } - break; - case READ_NAME: - if (*src != ',' && *src != '/' && *src != '\0') - { - name.len++; - if (*src == ' ') - whitespace++; - else - whitespace = 0; - } - else - { - name.len -= whitespace; - rdn_type = (x501rdns[i].type == ASN1_PRINTABLESTRING - && !asn1_is_printablestring(name)) - ? ASN1_T61STRING : x501rdns[i].type; - - if (rdn_count < RDN_MAX) - { - chunk_t rdn_oid; - - rdn_oid = asn1_build_known_oid(x501rdns[i].oid); - if (rdn_oid.len) - { - rdns[rdn_count] = - asn1_wrap(ASN1_SET, "m", - asn1_wrap(ASN1_SEQUENCE, "mm", - rdn_oid, - asn1_wrap(rdn_type, "c", name) - ) - ); - dn_len += rdns[rdn_count++].len; - } - else - { - status = INVALID_ARG; - } - } - else - { - status = OUT_OF_RES; - } - /* reset name and change state */ - name = chunk_empty; - state = SEARCH_OID; - } - break; - case UNKNOWN_OID: - break; - } - } while (*src++ != '\0'); - - /* build the distinguished name sequence */ - { - int i; - u_char *pos = asn1_build_object(dn, ASN1_SEQUENCE, dn_len); - - for (i = 0; i < rdn_count; i++) - { - memcpy(pos, rdns[i].ptr, rdns[i].len); - pos += rdns[i].len; - free(rdns[i].ptr); - } - } - - if (status != SUCCESS) - { - free(dn->ptr); - *dn = chunk_empty; - } - return status; -} - -METHOD(identification_t, get_encoding, chunk_t, - private_identification_t *this) -{ - return this->encoded; -} - -METHOD(identification_t, get_type, id_type_t, - private_identification_t *this) -{ - return this->type; -} - -METHOD(identification_t, contains_wildcards_dn, bool, - private_identification_t *this) -{ - enumerator_t *enumerator; - bool contains = FALSE; - id_part_t type; - chunk_t data; - - enumerator = create_part_enumerator(this); - while (enumerator->enumerate(enumerator, &type, &data)) - { - if (data.len == 1 && data.ptr[0] == '*') - { - contains = TRUE; - break; - } - } - enumerator->destroy(enumerator); - return contains; -} - -METHOD(identification_t, contains_wildcards_memchr, bool, - private_identification_t *this) -{ - return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL; -} - -METHOD(identification_t, equals_binary, bool, - private_identification_t *this, identification_t *other) -{ - if (this->type == other->get_type(other)) - { - if (this->type == ID_ANY) - { - return TRUE; - } - return chunk_equals(this->encoded, other->get_encoding(other)); - } - return FALSE; -} - -/** - * Compare to DNs, for equality if wc == NULL, for match otherwise - */ -static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc) -{ - enumerator_t *t, *o; - chunk_t t_oid, o_oid, t_data, o_data; - u_char t_type, o_type; - bool t_next, o_next, finished = FALSE; - - if (wc) - { - *wc = 0; - } - else - { - if (t_dn.len != o_dn.len) - { - return FALSE; - } - } - /* try a binary compare */ - if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len)) - { - return TRUE; - } - - t = create_rdn_enumerator(t_dn); - o = create_rdn_enumerator(o_dn); - while (TRUE) - { - t_next = t->enumerate(t, &t_oid, &t_type, &t_data); - o_next = o->enumerate(o, &o_oid, &o_type, &o_data); - - if (!o_next && !t_next) - { - break; - } - finished = FALSE; - if (o_next != t_next) - { - break; - } - if (!chunk_equals(t_oid, o_oid)) - { - break; - } - if (wc && o_data.len == 1 && o_data.ptr[0] == '*') - { - (*wc)++; - } - else - { - if (t_data.len != o_data.len) - { - break; - } - if (t_type == o_type && - (t_type == ASN1_PRINTABLESTRING || - (t_type == ASN1_IA5STRING && - asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS))) - { /* ignore case for printableStrings and email RDNs */ - if (strncasecmp(t_data.ptr, o_data.ptr, t_data.len) != 0) - { - break; - } - } - else - { /* respect case and length for everything else */ - if (!memeq(t_data.ptr, o_data.ptr, t_data.len)) - { - break; - } - } - } - /* the enumerator returns FALSE on parse error, we are finished - * if we have reached the end of the DN only */ - if ((t_data.ptr + t_data.len == t_dn.ptr + t_dn.len) && - (o_data.ptr + o_data.len == o_dn.ptr + o_dn.len)) - { - finished = TRUE; - } - } - t->destroy(t); - o->destroy(o); - return finished; -} - -METHOD(identification_t, equals_dn, bool, - private_identification_t *this, identification_t *other) -{ - return compare_dn(this->encoded, other->get_encoding(other), NULL); -} - -METHOD(identification_t, equals_strcasecmp, bool, - private_identification_t *this, identification_t *other) -{ - chunk_t encoded = other->get_encoding(other); - - /* we do some extra sanity checks to check for invalid IDs with a - * terminating null in it. */ - if (this->encoded.len == encoded.len && - memchr(this->encoded.ptr, 0, this->encoded.len) == NULL && - memchr(encoded.ptr, 0, encoded.len) == NULL && - strncasecmp(this->encoded.ptr, encoded.ptr, this->encoded.len) == 0) - { - return TRUE; - } - return FALSE; -} - -METHOD(identification_t, matches_binary, id_match_t, - private_identification_t *this, identification_t *other) -{ - if (other->get_type(other) == ID_ANY) - { - return ID_MATCH_ANY; - } - if (this->type == other->get_type(other) && - chunk_equals(this->encoded, other->get_encoding(other))) - { - return ID_MATCH_PERFECT; - } - return ID_MATCH_NONE; -} - -METHOD(identification_t, matches_string, id_match_t, - private_identification_t *this, identification_t *other) -{ - chunk_t encoded = other->get_encoding(other); - u_int len = encoded.len; - - if (other->get_type(other) == ID_ANY) - { - return ID_MATCH_ANY; - } - if (this->type != other->get_type(other)) - { - return ID_MATCH_NONE; - } - /* try a equals check first */ - if (equals_strcasecmp(this, other)) - { - return ID_MATCH_PERFECT; - } - if (len == 0 || this->encoded.len < len) - { - return ID_MATCH_NONE; - } - - /* check for single wildcard at the head of the string */ - if (*encoded.ptr == '*') - { - /* single asterisk matches any string */ - if (len-- == 1) - { /* not better than ID_ANY */ - return ID_MATCH_ANY; - } - if (strncasecmp(this->encoded.ptr + this->encoded.len - len, - encoded.ptr + 1, len) == 0) - { - return ID_MATCH_ONE_WILDCARD; - } - } - return ID_MATCH_NONE; -} - -METHOD(identification_t, matches_any, id_match_t, - private_identification_t *this, identification_t *other) -{ - if (other->get_type(other) == ID_ANY) - { - return ID_MATCH_ANY; - } - return ID_MATCH_NONE; -} - -METHOD(identification_t, matches_dn, id_match_t, - private_identification_t *this, identification_t *other) -{ - int wc; - - if (other->get_type(other) == ID_ANY) - { - return ID_MATCH_ANY; - } - - if (this->type == other->get_type(other)) - { - if (compare_dn(this->encoded, other->get_encoding(other), &wc)) - { - wc = min(wc, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS); - return ID_MATCH_PERFECT - wc; - } - } - return ID_MATCH_NONE; -} - -/** - * Described in header. - */ -int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, - const void *const *args) -{ - private_identification_t *this = *((private_identification_t**)(args[0])); - chunk_t proper; - char buf[512]; - - if (this == NULL) - { - return print_in_hook(dst, len, "%*s", spec->width, "(null)"); - } - - switch (this->type) - { - case ID_ANY: - snprintf(buf, sizeof(buf), "%%any"); - break; - case ID_IPV4_ADDR: - if (this->encoded.len < sizeof(struct in_addr) || - inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL) - { - snprintf(buf, sizeof(buf), "(invalid ID_IPV4_ADDR)"); - } - break; - case ID_IPV6_ADDR: - if (this->encoded.len < sizeof(struct in6_addr) || - inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL) - { - snprintf(buf, sizeof(buf), "(invalid ID_IPV6_ADDR)"); - } - break; - case ID_FQDN: - case ID_RFC822_ADDR: - case ID_DER_ASN1_GN_URI: - case ID_IETF_ATTR_STRING: - chunk_printable(this->encoded, &proper, '?'); - snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); - chunk_free(&proper); - break; - case ID_DER_ASN1_DN: - dntoa(this->encoded, buf, sizeof(buf)); - break; - case ID_DER_ASN1_GN: - snprintf(buf, sizeof(buf), "(ASN.1 general Name"); - break; - case ID_KEY_ID: - if (chunk_printable(this->encoded, NULL, '?') && - this->encoded.len != HASH_SIZE_SHA1) - { /* fully printable, use ascii version */ - snprintf(buf, sizeof(buf), "%.*s", - this->encoded.len, this->encoded.ptr); - } - else - { /* not printable, hex dump */ - snprintf(buf, sizeof(buf), "%#B", &this->encoded); - } - break; - case ID_MYID: - snprintf(buf, sizeof(buf), "%%myid"); - break; - default: - snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type); - break; - } - if (spec->minus) - { - return print_in_hook(dst, len, "%-*s", spec->width, buf); - } - return print_in_hook(dst, len, "%*s", spec->width, buf); -} - -METHOD(identification_t, clone_, identification_t*, - private_identification_t *this) -{ - private_identification_t *clone = malloc_thing(private_identification_t); - - memcpy(clone, this, sizeof(private_identification_t)); - if (this->encoded.len) - { - clone->encoded = chunk_clone(this->encoded); - } - return &clone->public; -} - -METHOD(identification_t, destroy, void, - private_identification_t *this) -{ - chunk_free(&this->encoded); - free(this); -} - -/** - * Generic constructor used for the other constructors. - */ -static private_identification_t *identification_create(id_type_t type) -{ - private_identification_t *this; - - INIT(this, - .public = { - .get_encoding = _get_encoding, - .get_type = _get_type, - .create_part_enumerator = _create_part_enumerator, - .clone = _clone_, - .destroy = _destroy, - }, - .type = type, - ); - - switch (type) - { - case ID_ANY: - this->public.matches = _matches_any; - this->public.equals = _equals_binary; - this->public.contains_wildcards = return_true; - break; - case ID_FQDN: - case ID_RFC822_ADDR: - this->public.matches = _matches_string; - this->public.equals = _equals_strcasecmp; - this->public.contains_wildcards = _contains_wildcards_memchr; - break; - case ID_DER_ASN1_DN: - this->public.equals = _equals_dn; - this->public.matches = _matches_dn; - this->public.contains_wildcards = _contains_wildcards_dn; - break; - default: - this->public.equals = _equals_binary; - this->public.matches = _matches_binary; - this->public.contains_wildcards = return_false; - break; - } - return this; -} - -/* - * Described in header. - */ -identification_t *identification_create_from_string(char *string) -{ - private_identification_t *this; - chunk_t encoded; - - if (string == NULL) - { - string = "%any"; - } - if (strchr(string, '=') != NULL) - { - /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN. - * convert from LDAP style or openssl x509 -subject style to ASN.1 DN - */ - if (atodn(string, &encoded) == SUCCESS) - { - this = identification_create(ID_DER_ASN1_DN); - this->encoded = encoded; - } - else - { - this = identification_create(ID_KEY_ID); - this->encoded = chunk_clone(chunk_create(string, strlen(string))); - } - return &this->public; - } - else if (strchr(string, '@') == NULL) - { - if (streq(string, "%any") - || streq(string, "%any6") - || streq(string, "0.0.0.0") - || streq(string, "*") - || streq(string, "::") - || streq(string, "0::0")) - { - /* any ID will be accepted */ - this = identification_create(ID_ANY); - return &this->public; - } - else - { - if (strchr(string, ':') == NULL) - { - struct in_addr address; - chunk_t chunk = {(void*)&address, sizeof(address)}; - - if (inet_pton(AF_INET, string, &address) > 0) - { /* is IPv4 */ - this = identification_create(ID_IPV4_ADDR); - this->encoded = chunk_clone(chunk); - } - else - { /* not IPv4, mostly FQDN */ - this = identification_create(ID_FQDN); - this->encoded = chunk_create(strdup(string), strlen(string)); - } - return &this->public; - } - else - { - struct in6_addr address; - chunk_t chunk = {(void*)&address, sizeof(address)}; - - if (inet_pton(AF_INET6, string, &address) > 0) - { /* is IPv6 */ - this = identification_create(ID_IPV6_ADDR); - this->encoded = chunk_clone(chunk); - } - else - { /* not IPv4/6 fallback to KEY_ID */ - this = identification_create(ID_KEY_ID); - this->encoded = chunk_create(strdup(string), strlen(string)); - } - return &this->public; - } - } - } - else - { - if (*string == '@') - { - if (*(string + 1) == '#') - { - this = identification_create(ID_KEY_ID); - string += 2; - this->encoded = chunk_from_hex( - chunk_create(string, strlen(string)), NULL); - return &this->public; - } - else - { - this = identification_create(ID_FQDN); - string += 1; - this->encoded = chunk_create(strdup(string), strlen(string)); - return &this->public; - } - } - else - { - this = identification_create(ID_RFC822_ADDR); - this->encoded = chunk_create(strdup(string), strlen(string)); - return &this->public; - } - } -} - -/* - * Described in header. - */ -identification_t * identification_create_from_data(chunk_t data) -{ - char buf[data.len + 1]; - - /* use string constructor */ - snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr); - return identification_create_from_string(buf); -} - -/* - * Described in header. - */ -identification_t *identification_create_from_encoding(id_type_t type, - chunk_t encoded) -{ - private_identification_t *this = identification_create(type); - - /* apply encoded chunk */ - if (type != ID_ANY) - { - this->encoded = chunk_clone(encoded); - } - return &(this->public); -} - -/* - * Described in header. - */ -identification_t *identification_create_from_sockaddr(sockaddr_t *sockaddr) -{ - switch (sockaddr->sa_family) - { - case AF_INET: - { - struct in_addr *addr = &(((struct sockaddr_in*)sockaddr)->sin_addr); - - return identification_create_from_encoding(ID_IPV4_ADDR, - chunk_create((u_char*)addr, sizeof(struct in_addr))); - } - case AF_INET6: - { - struct in6_addr *addr = &(((struct sockaddr_in6*)sockaddr)->sin6_addr); - - return identification_create_from_encoding(ID_IPV6_ADDR, - chunk_create((u_char*)addr, sizeof(struct in6_addr))); - } - default: - { - private_identification_t *this = identification_create(ID_ANY); - - return &(this->public); - } - } -} - diff --git a/.pc/snprintf-fix-4.4.0.patch/src/pluto/x509.c b/.pc/snprintf-fix-4.4.0.patch/src/pluto/x509.c deleted file mode 100644 index 0a29830ea..000000000 --- a/.pc/snprintf-fix-4.4.0.patch/src/pluto/x509.c +++ /dev/null @@ -1,459 +0,0 @@ -/* Support of X.509 certificates - * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann - * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss - * Copyright (C) 2002 Mario Strasser - * Copyright (C) 2000-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <dirent.h> -#include <time.h> -#include <sys/types.h> - -#include <freeswan.h> - -#include <asn1/asn1.h> -#include <crypto/hashers/hasher.h> -#include <utils/enumerator.h> -#include <utils/identification.h> - -#include "constants.h" -#include "defs.h" -#include "log.h" -#include "x509.h" -#include "crl.h" -#include "ca.h" -#include "certs.h" -#include "keys.h" -#include "whack.h" -#include "fetch.h" -#include "ocsp.h" - -/** - * Check for equality between two key identifiers - */ -bool same_keyid(chunk_t a, chunk_t b) -{ - if (a.ptr == NULL || b.ptr == NULL) - { - return FALSE; - } - return chunk_equals(a, b); -} - -/** - * Stores a chained list of end certs and CA certs - */ -void store_x509certs(linked_list_t *certs, bool strict) -{ - cert_t *x509cert, *cacerts = NULL; - certificate_t *cert; - enumerator_t *enumerator; - - /* first extract CA certs, ignoring self-signed root CA certs */ - - enumerator = certs->create_enumerator(certs); - while (enumerator->enumerate(enumerator, &cert)) - { - x509_t *x509 = (x509_t*)cert; - x509_flag_t flags; - - flags = x509->get_flags(x509); - if (flags & X509_CA) - { - /* we don't accept self-signed CA certs */ - if (flags & X509_SELF_SIGNED) - { - plog("self-signed cacert rejected"); - } - else - { - /* insertion into temporary chain of candidate CA certs */ - x509cert = malloc_thing(cert_t); - *x509cert = cert_empty; - x509cert->cert = cert->get_ref(cert); - x509cert->next = cacerts; - cacerts = x509cert; - } - } - } - enumerator->destroy(enumerator); - - /* now verify the candidate CA certs */ - - while (cacerts) - { - cert_t *cert = cacerts; - - cacerts = cacerts->next; - - if (trust_authcert_candidate(cert, cacerts)) - { - add_authcert(cert, X509_CA); - } - else - { - plog("intermediate cacert rejected"); - cert_free(cert); - } - } - - /* now verify the end certificates */ - - enumerator = certs->create_enumerator(certs); - while (enumerator->enumerate(enumerator, &cert)) - { - time_t valid_until; - x509_t *x509 = (x509_t*)cert; - - if (!(x509->get_flags(x509) & X509_CA)) - { - x509cert = malloc_thing(cert_t); - *x509cert = cert_empty; - x509cert->cert = cert->get_ref(cert); - - if (verify_x509cert(x509cert, strict, &valid_until)) - { - DBG(DBG_CONTROL | DBG_PARSING, - DBG_log("public key validated") - ) - add_public_key_from_cert(x509cert, valid_until, DAL_SIGNED); - } - else - { - plog("X.509 certificate rejected"); - cert_free(x509cert); - } - } - } - enumerator->destroy(enumerator); -} - -/** - * Check if a signature over binary blob is genuine - */ -bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm, - certificate_t *issuer_cert) -{ - bool success; - public_key_t *key; - signature_scheme_t scheme; - - scheme = signature_scheme_from_oid(algorithm); - if (scheme == SIGN_UNKNOWN) - { - return FALSE; - } - - key = issuer_cert->get_public_key(issuer_cert); - if (key == NULL) - { - return FALSE; - } - success = key->verify(key, scheme, tbs, sig); - key->destroy(key); - - return success; -} - -/** - * Build an ASN.1 encoded PKCS#1 signature over a binary blob - */ -chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key, - bool bit_string) -{ - chunk_t signature; - signature_scheme_t scheme = signature_scheme_from_oid(algorithm); - - if (scheme == SIGN_UNKNOWN || !key->sign(key, scheme, tbs, &signature)) - { - return chunk_empty; - } - return (bit_string) ? asn1_bitstring("m", signature) - : asn1_wrap(ASN1_OCTET_STRING, "m", signature); -} - -/** - * Verifies a X.509 certificate - */ -bool verify_x509cert(cert_t *cert, bool strict, time_t *until) -{ - int pathlen, pathlen_constraint; - - *until = 0; - - for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++) - { - certificate_t *certificate = cert->cert; - identification_t *subject = certificate->get_subject(certificate); - identification_t *issuer = certificate->get_issuer(certificate); - x509_t *x509 = (x509_t*)certificate; - chunk_t authKeyID = x509->get_authKeyIdentifier(x509); - cert_t *issuer_cert; - time_t notBefore, notAfter; - bool valid; - - DBG(DBG_CONTROL, - DBG_log("subject: '%Y'", subject); - DBG_log("issuer: '%Y'", issuer); - if (authKeyID.ptr) - { - DBG_log("authkey: %#B", &authKeyID); - } - ) - - valid = certificate->get_validity(certificate, NULL, - ¬Before, ¬After); - if (*until == UNDEFINED_TIME || notAfter < *until) - { - *until = notAfter; - } - if (!valid) - { - plog("certificate is invalid (valid from %T to %T)", - ¬Before, FALSE, ¬After, FALSE); - return FALSE; - } - DBG(DBG_CONTROL, - DBG_log("certificate is valid") - ) - - lock_authcert_list("verify_x509cert"); - issuer_cert = get_authcert(issuer, authKeyID, X509_CA); - if (issuer_cert == NULL) - { - plog("issuer cacert not found"); - unlock_authcert_list("verify_x509cert"); - return FALSE; - } - DBG(DBG_CONTROL, - DBG_log("issuer cacert found") - ) - - if (!certificate->issued_by(certificate, issuer_cert->cert)) - { - plog("certificate signature is invalid"); - unlock_authcert_list("verify_x509cert"); - return FALSE; - } - DBG(DBG_CONTROL, - DBG_log("certificate signature is valid") - ) - unlock_authcert_list("verify_x509cert"); - - /* check path length constraint */ - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && - pathlen > pathlen_constraint) - { - plog("path length of %d violates constraint of %d", - pathlen, pathlen_constraint); - return FALSE; - } - - /* check if cert is a self-signed root ca */ - if (pathlen >= 0 && (x509->get_flags(x509) & X509_SELF_SIGNED)) - { - DBG(DBG_CONTROL, - DBG_log("reached self-signed root ca with a path length of %d", - pathlen) - ) - return TRUE; - } - else - { - time_t nextUpdate = *until; - time_t revocationDate = UNDEFINED_TIME; - crl_reason_t revocationReason = CRL_REASON_UNSPECIFIED; - - /* first check certificate revocation using ocsp */ - cert_status_t status = verify_by_ocsp(cert, &nextUpdate - , &revocationDate, &revocationReason); - - /* if ocsp service is not available then fall back to crl */ - if ((status == CERT_UNDEFINED) - || (status == CERT_UNKNOWN && strict)) - { - status = verify_by_crl(cert, &nextUpdate, &revocationDate - , &revocationReason); - } - - switch (status) - { - case CERT_GOOD: - /* if status information is stale */ - if (strict && nextUpdate < time(NULL)) - { - DBG(DBG_CONTROL, - DBG_log("certificate is good but status is stale") - ) - remove_x509_public_key(cert); - return FALSE; - } - DBG(DBG_CONTROL, - DBG_log("certificate is good") - ) - - /* with strict crl policy the public key must have the same - * lifetime as the validity of the ocsp status or crl lifetime - */ - if (strict && nextUpdate < *until) - { - *until = nextUpdate; - } - break; - case CERT_REVOKED: - plog("certificate was revoked on %T, reason: %N" - , &revocationDate, TRUE - , crl_reason_names, revocationReason); - remove_x509_public_key(cert); - return FALSE; - case CERT_UNKNOWN: - case CERT_UNDEFINED: - default: - plog("certificate status unknown"); - if (strict) - { - remove_x509_public_key(cert); - return FALSE; - } - break; - } - } - - /* go up one step in the trust chain */ - cert = issuer_cert; - } - plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN); - return FALSE; -} - -/** - * List all X.509 certs in a chained list - */ -void list_x509cert_chain(const char *caption, cert_t* cert, - x509_flag_t flags, bool utc) -{ - bool first = TRUE; - time_t now; - - /* determine the current time */ - time(&now); - - while (cert) - { - certificate_t *certificate = cert->cert; - x509_t *x509 = (x509_t*)certificate; - - if (certificate->get_type(certificate) == CERT_X509 && - (flags == X509_NONE || (flags & x509->get_flags(x509)))) - { - enumerator_t *enumerator; - char buf[BUF_LEN]; - char *pos = buf; - int len = BUF_LEN, pathlen; - bool first_altName = TRUE; - identification_t *id; - time_t notBefore, notAfter; - public_key_t *key; - chunk_t serial, keyid, subjkey, authkey; - - if (first) - { - whack_log(RC_COMMENT, " "); - whack_log(RC_COMMENT, "List of X.509 %s Certificates:", caption); - first = FALSE; - } - whack_log(RC_COMMENT, " "); - - enumerator = x509->create_subjectAltName_enumerator(x509); - while (enumerator->enumerate(enumerator, &id)) - { - int written; - - if (first_altName) - { - written = snprintf(pos, len, "%Y", id); - first_altName = FALSE; - } - else - { - written = snprintf(pos, len, ", %Y", id); - } - pos += written; - len -= written; - } - enumerator->destroy(enumerator); - if (!first_altName) - { - whack_log(RC_COMMENT, " altNames: %s", buf); - } - - whack_log(RC_COMMENT, " subject: \"%Y\"", - certificate->get_subject(certificate)); - whack_log(RC_COMMENT, " issuer: \"%Y\"", - certificate->get_issuer(certificate)); - serial = x509->get_serial(x509); - whack_log(RC_COMMENT, " serial: %#B", &serial); - - /* list validity */ - certificate->get_validity(certificate, &now, ¬Before, ¬After); - whack_log(RC_COMMENT, " validity: not before %T %s", - ¬Before, utc, - (notBefore < now)?"ok":"fatal (not valid yet)"); - whack_log(RC_COMMENT, " not after %T %s", - ¬After, utc, - check_expiry(notAfter, CA_CERT_WARNING_INTERVAL, TRUE)); - - key = certificate->get_public_key(certificate); - if (key) - { - whack_log(RC_COMMENT, " pubkey: %N %4d bits%s", - key_type_names, key->get_type(key), - key->get_keysize(key) * BITS_PER_BYTE, - cert->smartcard ? ", on smartcard" : - (has_private_key(cert)? ", has private key" : "")); - - if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) - { - whack_log(RC_COMMENT, " keyid: %#B", &keyid); - } - if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &subjkey)) - { - whack_log(RC_COMMENT, " subjkey: %#B", &subjkey); - } - key->destroy(key); - } - - /* list optional authorityKeyIdentifier */ - authkey = x509->get_authKeyIdentifier(x509); - if (authkey.ptr) - { - whack_log(RC_COMMENT, " authkey: %#B", &authkey); - } - - /* list optional pathLenConstraint */ - pathlen = x509->get_pathLenConstraint(x509); - if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) - { - whack_log(RC_COMMENT, " pathlen: %d", pathlen); - } - - } - cert = cert->next; - } -} - |