summaryrefslogtreecommitdiff
path: root/src/libcharon/plugins/addrblock
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcharon/plugins/addrblock')
-rw-r--r--src/libcharon/plugins/addrblock/Makefile.in2
-rw-r--r--src/libcharon/plugins/addrblock/addrblock_narrow.c72
-rw-r--r--src/libcharon/plugins/addrblock/addrblock_validator.c14
3 files changed, 41 insertions, 47 deletions
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 7917d457e..f5dfc14d7 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
gtk_CFLAGS = @gtk_CFLAGS@
gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.c b/src/libcharon/plugins/addrblock/addrblock_narrow.c
index f85fa78d6..3b3b72ff8 100644
--- a/src/libcharon/plugins/addrblock/addrblock_narrow.c
+++ b/src/libcharon/plugins/addrblock/addrblock_narrow.c
@@ -33,17 +33,15 @@ struct private_addrblock_narrow_t {
addrblock_narrow_t public;
};
-/**
- * Check if the negotiated TS list is acceptable by X509 ipAddrBlock constraints
- */
-static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
+static void narrow_addrblock(private_addrblock_narrow_t *this, ike_sa_t *ike_sa,
+ linked_list_t *list)
{
- auth_cfg_t *auth;
- enumerator_t *auth_enum;
certificate_t *cert = NULL;
+ enumerator_t *enumerator;
+ auth_cfg_t *auth;
- auth_enum = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
- while (auth_enum->enumerate(auth_enum, &auth))
+ enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+ while (enumerator->enumerate(enumerator, &auth))
{
cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
if (cert)
@@ -51,7 +49,7 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
break;
}
}
- auth_enum->destroy(auth_enum);
+ enumerator->destroy(enumerator);
if (cert && cert->get_type(cert) == CERT_X509)
{
@@ -59,54 +57,45 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
{
- enumerator_t *enumerator, *block_enum;
- traffic_selector_t *ts, *block_ts;
+ traffic_selector_t *ts, *block, *subset;
+ linked_list_t *original;
+
+ original = linked_list_create();
+ while (list->remove_last(list, (void**)&ts) == SUCCESS)
+ {
+ original->insert_first(original, ts);
+ }
DBG1(DBG_IKE, "checking certificate-based traffic selector "
- "constraints [RFC 3779]");
- enumerator = list->create_enumerator(list);
- while (enumerator->enumerate(enumerator, &ts))
+ "constraints [RFC 3779]");
+ while (original->remove_first(original, (void**)&ts) == SUCCESS)
{
bool contained = FALSE;
- block_enum = x509->create_ipAddrBlock_enumerator(x509);
- while (block_enum->enumerate(block_enum, &block_ts))
+ enumerator = x509->create_ipAddrBlock_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &block))
{
- if (ts->is_contained_in(ts, block_ts))
+ subset = ts->get_subset(ts, block);
+ if (subset)
{
DBG1(DBG_IKE, " TS %R is contained in address block"
- " constraint %R", ts, block_ts);
+ " constraint %R (subset %R)", ts, block, subset);
+ list->insert_last(list, subset);
contained = TRUE;
- break;
}
}
- block_enum->destroy(block_enum);
+ enumerator->destroy(enumerator);
if (!contained)
{
DBG1(DBG_IKE, " TS %R is not contained in any"
- " address block constraint", ts);
- enumerator->destroy(enumerator);
- return FALSE;
+ " address block constraint", ts);
}
+ ts->destroy(ts);
}
- enumerator->destroy(enumerator);
+ original->destroy(original);
}
}
- return TRUE;
-}
-
-/**
- * Delete all traffic selectors in a list
- */
-static void flush_ts_list(linked_list_t *list)
-{
- traffic_selector_t *ts;
-
- while (list->remove_last(list, (void**)&ts) == SUCCESS)
- {
- ts->destroy(ts);
- }
}
METHOD(listener_t, narrow, bool,
@@ -116,13 +105,10 @@ METHOD(listener_t, narrow, bool,
switch (type)
{
case NARROW_RESPONDER:
+ case NARROW_INITIATOR_PRE_AUTH:
case NARROW_INITIATOR_POST_AUTH:
case NARROW_INITIATOR_POST_NOAUTH:
- if (!check_constraints(ike_sa, remote))
- {
- flush_ts_list(local);
- flush_ts_list(remote);
- }
+ narrow_addrblock(this, ike_sa, remote);
break;
default:
break;
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 372c978a2..d16a1170c 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -30,12 +30,18 @@ struct private_addrblock_validator_t {
* Public addrblock_validator_t interface.
*/
addrblock_validator_t public;
+
+ /**
+ * Whether to reject subject certificates not having a addrBlock extension
+ */
+ bool strict;
};
/**
* Do the addrblock check for two x509 plugins
*/
-static bool check_addrblock(x509_t *subject, x509_t *issuer)
+static bool check_addrblock(private_addrblock_validator_t *this,
+ x509_t *subject, x509_t *issuer)
{
bool subject_const, issuer_const, contained = TRUE;
enumerator_t *subject_enumerator, *issuer_enumerator;
@@ -51,7 +57,7 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer)
if (!subject_const)
{
DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
- return FALSE;
+ return !this->strict;
}
if (!issuer_const)
{
@@ -94,7 +100,7 @@ METHOD(cert_validator_t, validate, bool,
if (subject->get_type(subject) == CERT_X509 &&
issuer->get_type(issuer) == CERT_X509)
{
- if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+ if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
{
lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
subject);
@@ -124,6 +130,8 @@ addrblock_validator_t *addrblock_validator_create()
},
.destroy = _destroy,
},
+ .strict = lib->settings->get_bool(lib->settings,
+ "%s.plugins.addrblock.strict", TRUE, lib->ns),
);
return &this->public;