summaryrefslogtreecommitdiff
path: root/src/libstrongswan/plugins/x509
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2013-01-02 14:18:20 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-01-02 14:18:20 +0100
commitc1343b3278cdf99533b7902744d15969f9d6fdc1 (patch)
treed5ed3dc5677a59260ec41cd39bb284d3e94c91b3 /src/libstrongswan/plugins/x509
parentb34738ed08c2227300d554b139e2495ca5da97d6 (diff)
downloadvyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.tar.gz
vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.zip
Imported Upstream version 5.0.1
Diffstat (limited to 'src/libstrongswan/plugins/x509')
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.in14
-rw-r--r--src/libstrongswan/plugins/x509/x509_ac.c6
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c64
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.c8
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_request.c47
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_response.c16
-rw-r--r--src/libstrongswan/plugins/x509/x509_pkcs10.c17
-rw-r--r--src/libstrongswan/plugins/x509/x509_plugin.c3
8 files changed, 113 insertions, 62 deletions
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 8c05cb22d..6d9f88647 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -49,6 +49,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -84,7 +85,7 @@ libstrongswan_x509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
$(libstrongswan_x509_la_LDFLAGS) $(LDFLAGS) -o $@
@MONOLITHIC_FALSE@am_libstrongswan_x509_la_rpath = -rpath $(plugindir)
@MONOLITHIC_TRUE@am_libstrongswan_x509_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
@@ -110,6 +111,7 @@ AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BFDLIB = @BFDLIB@
BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
@@ -204,11 +206,14 @@ build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
clearsilver_LIBS = @clearsilver_LIBS@
datadir = @datadir@
datarootdir = @datarootdir@
dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
@@ -225,11 +230,12 @@ imcvdir = @imcvdir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
ipsecdir = @ipsecdir@
ipsecgroup = @ipsecgroup@
ipseclibdir = @ipseclibdir@
ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
libexecdir = @libexecdir@
linux_headers = @linux_headers@
@@ -245,6 +251,7 @@ mkdir_p = @mkdir_p@
nm_CFLAGS = @nm_CFLAGS@
nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
@@ -254,7 +261,6 @@ pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index a2cb589e0..d6ca8c4fa 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -701,7 +701,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
}
METHOD(certificate_t, issued_by, bool,
- private_x509_ac_t *this, certificate_t *issuer)
+ private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
{
public_key_t *key;
signature_scheme_t scheme;
@@ -750,6 +750,10 @@ METHOD(certificate_t, issued_by, bool,
}
valid = key->verify(key, scheme, this->certificateInfo, this->signature);
key->destroy(key);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
return valid;
}
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 4859f4310..2269eb453 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -752,6 +752,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
case OID_CLIENT_AUTH:
this->flags |= X509_CLIENT_AUTH;
break;
+ case OID_IKE_INTERMEDIATE:
+ this->flags |= X509_IKE_INTERMEDIATE;
+ break;
case OID_OCSP_SIGNING:
this->flags |= X509_OCSP_SIGNER;
break;
@@ -1105,19 +1108,19 @@ static void parse_policyConstraints(chunk_t blob, int level0,
* ASN.1 definition of ipAddrBlocks according to RFC 3779
*/
static const asn1Object_t ipAddrBlocksObjects[] = {
- { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
{ 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
- { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
- { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
- { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
- { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
- { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
- { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
- { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
+ { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
+ { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
+ { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
+ { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
+ { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
+ { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
+ { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
+ { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
+ { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
+ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
@@ -1480,18 +1483,20 @@ end:
/* check if the certificate is self-signed */
if (this->public.interface.interface.issued_by(
&this->public.interface.interface,
- &this->public.interface.interface))
+ &this->public.interface.interface,
+ NULL))
{
this->flags |= X509_SELF_SIGNED;
}
/* create certificate hash */
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
- if (hasher == NULL)
+ if (!hasher ||
+ !hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash))
{
+ DESTROY_IF(hasher);
DBG1(DBG_ASN, " unable to create hash of certificate, SHA1 not supported");
return FALSE;
}
- hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
hasher->destroy(hasher);
}
return success;
@@ -1565,7 +1570,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
}
METHOD(certificate_t, issued_by, bool,
- private_x509_cert_t *this, certificate_t *issuer)
+ private_x509_cert_t *this, certificate_t *issuer,
+ signature_scheme_t *schemep)
{
public_key_t *key;
signature_scheme_t scheme;
@@ -1609,6 +1615,10 @@ METHOD(certificate_t, issued_by, bool,
}
valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
key->destroy(key);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
return valid;
}
@@ -1994,6 +2004,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
+ chunk_t ikeIntermediate = chunk_empty;
identification_t *issuer, *subject;
chunk_t key_info;
signature_scheme_t scheme;
@@ -2107,7 +2118,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
}
- /* add serverAuth extendedKeyUsage flag */
+ /* add extendedKeyUsage flags */
if (cert->flags & X509_SERVER_AUTH)
{
serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
@@ -2116,20 +2127,24 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
{
clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
}
-
- /* add ocspSigning extendedKeyUsage flag */
+ if (cert->flags & X509_IKE_INTERMEDIATE)
+ {
+ ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE);
+ }
if (cert->flags & X509_OCSP_SIGNER)
{
ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
}
- if (serverAuth.ptr || clientAuth.ptr || ocspSigning.ptr)
+ if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
+ ocspSigning.ptr)
{
extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmm",
- serverAuth, clientAuth, ocspSigning)));
+ asn1_wrap(ASN1_SEQUENCE, "mmmm",
+ serverAuth, clientAuth, ikeIntermediate,
+ ocspSigning)));
}
/* add subjectKeyIdentifier to CA and OCSP signer certificates */
@@ -2330,11 +2345,12 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_bitstring("c", cert->signature));
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
- if (!hasher)
+ if (!hasher ||
+ !hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash))
{
+ DESTROY_IF(hasher);
return FALSE;
}
- hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash);
hasher->destroy(hasher);
return TRUE;
}
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 7bcca16a3..47621103e 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -221,7 +221,7 @@ static bool parse(private_x509_crl_t *this)
{
asn1_parser_t *parser;
chunk_t object;
- chunk_t extnID;
+ chunk_t extnID = chunk_empty;
chunk_t userCertificate = chunk_empty;
int objectID;
int sig_alg = OID_UNKNOWN;
@@ -442,7 +442,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
}
METHOD(certificate_t, issued_by, bool,
- private_x509_crl_t *this, certificate_t *issuer)
+ private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
{
public_key_t *key;
signature_scheme_t scheme;
@@ -490,6 +490,10 @@ METHOD(certificate_t, issued_by, bool,
}
valid = key->verify(key, scheme, this->tbsCertList, this->signature);
key->destroy(key);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
return valid;
}
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 33d0aa792..bbd1c5905 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -159,22 +159,24 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
enumerator_t *enumerator;
issuer = cert->get_subject(cert);
- hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
- &issuerNameHash);
- hasher->destroy(hasher);
-
- enumerator = this->candidates->create_enumerator(this->candidates);
- while (enumerator->enumerate(enumerator, &x509))
+ if (hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
+ &issuerNameHash))
{
- chunk_t request, serialNumber;
-
- serialNumber = x509->get_serial(x509);
- request = build_Request(this, issuerNameHash, issuerKeyHash,
- serialNumber);
- list = chunk_cat("mm", list, request);
+ enumerator = this->candidates->create_enumerator(
+ this->candidates);
+ while (enumerator->enumerate(enumerator, &x509))
+ {
+ chunk_t request, serialNumber;
+
+ serialNumber = x509->get_serial(x509);
+ request = build_Request(this, issuerNameHash,
+ issuerKeyHash, serialNumber);
+ list = chunk_cat("mm", list, request);
+ }
+ enumerator->destroy(enumerator);
+ chunk_free(&issuerNameHash);
}
- enumerator->destroy(enumerator);
- chunk_free(&issuerNameHash);
+ hasher->destroy(hasher);
}
}
else
@@ -199,15 +201,15 @@ static chunk_t build_nonce(private_x509_ocsp_request_t *this)
rng_t *rng;
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- if (rng)
+ if (!rng || !rng->allocate_bytes(rng, NONCE_LEN, &this->nonce))
{
- rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
- rng->destroy(rng);
- return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
- asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
+ DBG1(DBG_LIB, "creating OCSP request nonce failed, no RNG found");
+ DESTROY_IF(rng);
+ return chunk_empty;
}
- DBG1(DBG_LIB, "creating OCSP request nonce failed, no RNG found");
- return chunk_empty;
+ rng->destroy(rng);
+ return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
+ asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
}
/**
@@ -364,7 +366,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
}
METHOD(certificate_t, issued_by, bool,
- private_x509_ocsp_request_t *this, certificate_t *issuer)
+ private_x509_ocsp_request_t *this, certificate_t *issuer,
+ signature_scheme_t *scheme)
{
DBG1(DBG_LIB, "OCSP request validation not implemented!");
return FALSE;
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 7dfef3993..27497e0e3 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -201,19 +201,22 @@ METHOD(ocsp_response_t, get_status, cert_validation_t,
/* check issuerNameHash, if available */
else if (response->issuerNameHash.ptr)
{
+ id = issuercert->get_subject(issuercert);
hasher = lib->crypto->create_hasher(lib->crypto,
hasher_algorithm_from_oid(response->hashAlgorithm));
- if (!hasher)
+ if (!hasher ||
+ !hasher->allocate_hash(hasher, id->get_encoding(id), &hash))
{
+ DESTROY_IF(hasher);
continue;
}
- id = issuercert->get_subject(issuercert);
- hasher->allocate_hash(hasher, id->get_encoding(id), &hash);
hasher->destroy(hasher);
if (!chunk_equals(hash, response->issuerNameHash))
{
+ free(hash.ptr);
continue;
}
+ free(hash.ptr);
}
else
{
@@ -670,7 +673,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
}
METHOD(certificate_t, issued_by, bool,
- private_x509_ocsp_response_t *this, certificate_t *issuer)
+ private_x509_ocsp_response_t *this, certificate_t *issuer,
+ signature_scheme_t *schemep)
{
public_key_t *key;
signature_scheme_t scheme;
@@ -722,6 +726,10 @@ METHOD(certificate_t, issued_by, bool,
}
valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
key->destroy(key);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
return valid;
}
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index ca08db2c6..9fa91fed2 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -123,10 +123,12 @@ METHOD(certificate_t, has_subject, id_match_t,
}
METHOD(certificate_t, issued_by, bool,
- private_x509_pkcs10_t *this, certificate_t *issuer)
+ private_x509_pkcs10_t *this, certificate_t *issuer,
+ signature_scheme_t *schemep)
{
public_key_t *key;
signature_scheme_t scheme;
+ bool valid;
if (&this->public.interface.interface != issuer)
{
@@ -150,8 +152,13 @@ METHOD(certificate_t, issued_by, bool,
{
return FALSE;
}
- return key->verify(key, scheme, this->certificationRequestInfo,
- this->signature);
+ valid = key->verify(key, scheme, this->certificationRequestInfo,
+ this->signature);
+ if (valid && schemep)
+ {
+ *schemep = scheme;
+ }
+ return valid;
}
METHOD(certificate_t, get_public_key, public_key_t*,
@@ -327,7 +334,7 @@ static bool parse_challengePassword(private_x509_pkcs10_t *this, chunk_t blob, i
return FALSE;
}
DBG2(DBG_ASN, "L%d - challengePassword:", level);
- DBG4(DBG_ASN, " '%.*s'", blob.len, blob.ptr);
+ DBG4(DBG_ASN, " '%.*s'", (int)blob.len, blob.ptr);
return TRUE;
}
@@ -441,7 +448,7 @@ end:
if (success)
{
/* check if the certificate request is self-signed */
- if (issued_by(this, &this->public.interface.interface))
+ if (issued_by(this, &this->public.interface.interface, NULL))
{
this->self_signed = TRUE;
}
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index ed6fbfd91..15fea7ee0 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -52,6 +52,9 @@ METHOD(plugin_t, get_features, int,
PLUGIN_REGISTER(CERT_DECODE, x509_cert_load, TRUE),
PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
PLUGIN_DEPENDS(HASHER, HASH_SHA1),
+ PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
+ PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
+ PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
PLUGIN_REGISTER(CERT_ENCODE, x509_ac_gen, FALSE),
PLUGIN_PROVIDE(CERT_ENCODE, CERT_X509_AC),