diff options
Diffstat (limited to 'src/charon/plugins/stroke/stroke_cred.c')
| -rw-r--r-- | src/charon/plugins/stroke/stroke_cred.c | 81 |
1 files changed, 44 insertions, 37 deletions
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c index 434aec22b..dc73299b8 100644 --- a/src/charon/plugins/stroke/stroke_cred.c +++ b/src/charon/plugins/stroke/stroke_cred.c @@ -12,8 +12,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id$ */ #include <sys/stat.h> @@ -382,10 +380,18 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename) cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, path, - BUILD_X509_FLAG, X509_CA, BUILD_END); if (cert) { + x509_t *x509 = (x509_t*)cert; + + if (!(x509->get_flags(x509) & X509_CA)) + { + cert->destroy(cert); + DBG1(DBG_CFG, " ca certificate must have ca basic constraint set, " + "discarded"); + return NULL; + } return (certificate_t*)add_cert(this, cert); } return NULL; @@ -524,11 +530,32 @@ static void load_certdir(private_stroke_cred_t *this, char *path, switch (type) { case CERT_X509: - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, file, - BUILD_X509_FLAG, flag, - BUILD_END); + if (flag & X509_CA) + { /* for CA certificates, we strictly require CA + * basicconstraints to be set */ + cert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, BUILD_END); + if (cert) + { + x509_t *x509 = (x509_t*)cert; + + if (!(x509->get_flags(x509) & X509_CA)) + { + DBG1(DBG_CFG, " ca certificate must have ca " + "basic constraint set, discarded"); + cert->destroy(cert); + cert = NULL; + } + } + } + else + { /* for all other flags, we add them to the certificate. */ + cert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, + BUILD_X509_FLAG, flag, BUILD_END); + } if (cert) { add_cert(this, cert); @@ -568,13 +595,13 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert) { if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl) { - /* CRLs get written to /etc/ipsec.d/crls/authkeyId.crl */ + /* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */ crl_t *crl = (crl_t*)cert; cert->get_ref(cert); if (add_crl(this, crl)) { - char buf[256]; + char buf[BUF_LEN]; chunk_t chunk, hex; identification_t *id; @@ -585,14 +612,7 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert) free(hex.ptr); chunk = cert->get_encoding(cert); - if (chunk_write(chunk, buf, 022, TRUE)) - { - DBG1(DBG_CFG, " written crl to '%s'", buf); - } - else - { - DBG1(DBG_CFG, " writing crl to '%s' failed", buf); - } + chunk_write(chunk, buf, "crl", 022, TRUE); free(chunk.ptr); } } @@ -905,26 +925,13 @@ static void load_secrets(private_stroke_cred_t *this) continue; } - if (type == SHARED_EAP) + /* NULL terminate the ID string */ + *(id.ptr + id.len) = '\0'; + peer_id = identification_create_from_string(id.ptr); + if (peer_id->get_type(peer_id) == ID_ANY) { - /* we use a special EAP identity type for EAP secrets */ - peer_id = identification_create_from_encoding(ID_EAP, id); - } - else - { - /* NULL terminate the ID string */ - *(id.ptr + id.len) = '\0'; - peer_id = identification_create_from_string(id.ptr); - if (peer_id == NULL) - { - DBG1(DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr); - goto error; - } - if (peer_id->get_type(peer_id) == ID_ANY) - { - peer_id->destroy(peer_id); - continue; - } + peer_id->destroy(peer_id); + continue; } shared_key->add_owner(shared_key, peer_id); |