diff options
Diffstat (limited to 'src/libcharon/plugins/addrblock')
-rw-r--r-- | src/libcharon/plugins/addrblock/Makefile.in | 2 | ||||
-rw-r--r-- | src/libcharon/plugins/addrblock/addrblock_narrow.c | 72 | ||||
-rw-r--r-- | src/libcharon/plugins/addrblock/addrblock_validator.c | 14 |
3 files changed, 41 insertions, 47 deletions
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 7917d457e..f5dfc14d7 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.c b/src/libcharon/plugins/addrblock/addrblock_narrow.c index f85fa78d6..3b3b72ff8 100644 --- a/src/libcharon/plugins/addrblock/addrblock_narrow.c +++ b/src/libcharon/plugins/addrblock/addrblock_narrow.c @@ -33,17 +33,15 @@ struct private_addrblock_narrow_t { addrblock_narrow_t public; }; -/** - * Check if the negotiated TS list is acceptable by X509 ipAddrBlock constraints - */ -static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list) +static void narrow_addrblock(private_addrblock_narrow_t *this, ike_sa_t *ike_sa, + linked_list_t *list) { - auth_cfg_t *auth; - enumerator_t *auth_enum; certificate_t *cert = NULL; + enumerator_t *enumerator; + auth_cfg_t *auth; - auth_enum = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE); - while (auth_enum->enumerate(auth_enum, &auth)) + enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE); + while (enumerator->enumerate(enumerator, &auth)) { cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT); if (cert) @@ -51,7 +49,7 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list) break; } } - auth_enum->destroy(auth_enum); + enumerator->destroy(enumerator); if (cert && cert->get_type(cert) == CERT_X509) { @@ -59,54 +57,45 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list) if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) { - enumerator_t *enumerator, *block_enum; - traffic_selector_t *ts, *block_ts; + traffic_selector_t *ts, *block, *subset; + linked_list_t *original; + + original = linked_list_create(); + while (list->remove_last(list, (void**)&ts) == SUCCESS) + { + original->insert_first(original, ts); + } DBG1(DBG_IKE, "checking certificate-based traffic selector " - "constraints [RFC 3779]"); - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, &ts)) + "constraints [RFC 3779]"); + while (original->remove_first(original, (void**)&ts) == SUCCESS) { bool contained = FALSE; - block_enum = x509->create_ipAddrBlock_enumerator(x509); - while (block_enum->enumerate(block_enum, &block_ts)) + enumerator = x509->create_ipAddrBlock_enumerator(x509); + while (enumerator->enumerate(enumerator, &block)) { - if (ts->is_contained_in(ts, block_ts)) + subset = ts->get_subset(ts, block); + if (subset) { DBG1(DBG_IKE, " TS %R is contained in address block" - " constraint %R", ts, block_ts); + " constraint %R (subset %R)", ts, block, subset); + list->insert_last(list, subset); contained = TRUE; - break; } } - block_enum->destroy(block_enum); + enumerator->destroy(enumerator); if (!contained) { DBG1(DBG_IKE, " TS %R is not contained in any" - " address block constraint", ts); - enumerator->destroy(enumerator); - return FALSE; + " address block constraint", ts); } + ts->destroy(ts); } - enumerator->destroy(enumerator); + original->destroy(original); } } - return TRUE; -} - -/** - * Delete all traffic selectors in a list - */ -static void flush_ts_list(linked_list_t *list) -{ - traffic_selector_t *ts; - - while (list->remove_last(list, (void**)&ts) == SUCCESS) - { - ts->destroy(ts); - } } METHOD(listener_t, narrow, bool, @@ -116,13 +105,10 @@ METHOD(listener_t, narrow, bool, switch (type) { case NARROW_RESPONDER: + case NARROW_INITIATOR_PRE_AUTH: case NARROW_INITIATOR_POST_AUTH: case NARROW_INITIATOR_POST_NOAUTH: - if (!check_constraints(ike_sa, remote)) - { - flush_ts_list(local); - flush_ts_list(remote); - } + narrow_addrblock(this, ike_sa, remote); break; default: break; diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c index 372c978a2..d16a1170c 100644 --- a/src/libcharon/plugins/addrblock/addrblock_validator.c +++ b/src/libcharon/plugins/addrblock/addrblock_validator.c @@ -30,12 +30,18 @@ struct private_addrblock_validator_t { * Public addrblock_validator_t interface. */ addrblock_validator_t public; + + /** + * Whether to reject subject certificates not having a addrBlock extension + */ + bool strict; }; /** * Do the addrblock check for two x509 plugins */ -static bool check_addrblock(x509_t *subject, x509_t *issuer) +static bool check_addrblock(private_addrblock_validator_t *this, + x509_t *subject, x509_t *issuer) { bool subject_const, issuer_const, contained = TRUE; enumerator_t *subject_enumerator, *issuer_enumerator; @@ -51,7 +57,7 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer) if (!subject_const) { DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension"); - return FALSE; + return !this->strict; } if (!issuer_const) { @@ -94,7 +100,7 @@ METHOD(cert_validator_t, validate, bool, if (subject->get_type(subject) == CERT_X509 && issuer->get_type(issuer) == CERT_X509) { - if (!check_addrblock((x509_t*)subject, (x509_t*)issuer)) + if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer)) { lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION, subject); @@ -124,6 +130,8 @@ addrblock_validator_t *addrblock_validator_create() }, .destroy = _destroy, }, + .strict = lib->settings->get_bool(lib->settings, + "%s.plugins.addrblock.strict", TRUE, lib->ns), ); return &this->public; |