diff options
Diffstat (limited to 'src/libstrongswan/credentials/credential_manager.c')
| -rw-r--r-- | src/libstrongswan/credentials/credential_manager.c | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 27b97eab3..3e54368ff 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -452,8 +452,13 @@ static void cache_queue(private_credential_manager_t *this) * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, +<<<<<<< HEAD + certificate_t *subject, certificate_t *issuer, + bool online, int pathlen, auth_cfg_t *auth) +======= certificate_t *subject, certificate_t *issuer, bool online, int pathlen, bool trusted, auth_cfg_t *auth) +>>>>>>> upstream/4.5.1 { time_t not_before, not_after; cert_validator_t *validator; @@ -471,12 +476,36 @@ static bool check_certificate(private_credential_manager_t *this, ¬_before, FALSE, ¬_after, FALSE); return FALSE; } +<<<<<<< HEAD + if (issuer->get_type(issuer) == CERT_X509 && + subject->get_type(subject) == CERT_X509) + { + int pathlen_constraint; + x509_t *x509; + + /* check path length constraint */ + x509 = (x509_t*)issuer; + pathlen_constraint = x509->get_pathLenConstraint(x509); + if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen > pathlen_constraint) + { + DBG1(DBG_CFG, "path length of %d violates constraint of %d", + pathlen, pathlen_constraint); + return FALSE; + } + } +======= +>>>>>>> upstream/4.5.1 enumerator = this->validators->create_enumerator(this->validators); while (enumerator->enumerate(enumerator, &validator)) { if (!validator->validate(validator, subject, issuer, +<<<<<<< HEAD + online, pathlen, auth)) +======= online, pathlen, trusted, auth)) +>>>>>>> upstream/4.5.1 { enumerator->destroy(enumerator); return FALSE; @@ -534,6 +563,8 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this, } /** +<<<<<<< HEAD +======= * Get the strength of certificate, add it to auth */ static void get_key_strength(certificate_t *cert, auth_cfg_t *auth) @@ -565,6 +596,7 @@ static void get_key_strength(certificate_t *cert, auth_cfg_t *auth) } /** +>>>>>>> upstream/4.5.1 * try to verify the trust chain of subject, return TRUE if trusted */ static bool verify_trust_chain(private_credential_manager_t *this, @@ -576,9 +608,13 @@ static bool verify_trust_chain(private_credential_manager_t *this, int pathlen; auth = auth_cfg_create(); +<<<<<<< HEAD + current = subject->get_ref(subject); +======= get_key_strength(subject, auth); current = subject->get_ref(subject); auth->add(auth, AUTH_RULE_SUBJECT_CERT, current->get_ref(current)); +>>>>>>> upstream/4.5.1 for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++) { @@ -623,17 +659,25 @@ static bool verify_trust_chain(private_credential_manager_t *this, break; } } +<<<<<<< HEAD + if (!check_certificate(this, current, issuer, online, pathlen, + current == subject ? auth : NULL)) +======= if (!check_certificate(this, current, issuer, online, pathlen, trusted, auth)) +>>>>>>> upstream/4.5.1 { trusted = FALSE; issuer->destroy(issuer); break; } +<<<<<<< HEAD +======= if (issuer) { get_key_strength(issuer, auth); } +>>>>>>> upstream/4.5.1 current->destroy(current); current = issuer; if (trusted) @@ -657,6 +701,8 @@ static bool verify_trust_chain(private_credential_manager_t *this, } /** +<<<<<<< HEAD +======= * List find match function for certificates */ static bool cert_equals(certificate_t *a, certificate_t *b) @@ -665,6 +711,7 @@ static bool cert_equals(certificate_t *a, certificate_t *b) } /** +>>>>>>> upstream/4.5.1 * enumerator for trusted certificates */ typedef struct { @@ -684,8 +731,11 @@ typedef struct { certificate_t *pretrusted; /** currently enumerating auth config */ auth_cfg_t *auth; +<<<<<<< HEAD +======= /** list of failed candidates */ linked_list_t *failed; +>>>>>>> upstream/4.5.1 } trusted_enumerator_t; METHOD(enumerator_t, trusted_enumerate, bool, @@ -713,6 +763,13 @@ METHOD(enumerator_t, trusted_enumerate, bool, verify_trust_chain(this->this, this->pretrusted, this->auth, TRUE, this->online)) { +<<<<<<< HEAD + this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, + this->pretrusted->get_ref(this->pretrusted)); + DBG1(DBG_CFG, " using trusted certificate \"%Y\"", + this->pretrusted->get_subject(this->pretrusted)); + *cert = this->pretrusted; +======= DBG1(DBG_CFG, " using trusted certificate \"%Y\"", this->pretrusted->get_subject(this->pretrusted)); *cert = this->pretrusted; @@ -721,6 +778,7 @@ METHOD(enumerator_t, trusted_enumerate, bool, this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, this->pretrusted->get_ref(this->pretrusted)); } +>>>>>>> upstream/4.5.1 if (auth) { *auth = this->auth; @@ -738,12 +796,15 @@ METHOD(enumerator_t, trusted_enumerate, bool, continue; } +<<<<<<< HEAD +======= if (this->failed->find_first(this->failed, (void*)cert_equals, NULL, current) == SUCCESS) { /* check each candidate only once */ continue; } +>>>>>>> upstream/4.5.1 DBG1(DBG_CFG, " using certificate \"%Y\"", current->get_subject(current)); if (verify_trust_chain(this->this, current, this->auth, FALSE, @@ -756,7 +817,10 @@ METHOD(enumerator_t, trusted_enumerate, bool, } return TRUE; } +<<<<<<< HEAD +======= this->failed->insert_last(this->failed, current->get_ref(current)); +>>>>>>> upstream/4.5.1 } return FALSE; } @@ -767,7 +831,10 @@ METHOD(enumerator_t, trusted_destroy, void, DESTROY_IF(this->pretrusted); DESTROY_IF(this->auth); DESTROY_IF(this->candidates); +<<<<<<< HEAD +======= this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy)); +>>>>>>> upstream/4.5.1 free(this); } @@ -786,7 +853,10 @@ METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*, .type = type, .id = id, .online = online, +<<<<<<< HEAD +======= .failed = linked_list_create(), +>>>>>>> upstream/4.5.1 ); return &enumerator->public; } |