diff options
Diffstat (limited to 'src/libstrongswan/credentials')
| -rw-r--r-- | src/libstrongswan/credentials/auth_cfg.c | 205 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/auth_cfg.h | 14 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/builder.c | 13 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/builder.h | 26 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/cert_validator.h | 10 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/certificates/crl.h | 18 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/certificates/x509.h | 106 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/credential_manager.c | 112 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/sets/auth_cfg_wrapper.c | 5 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/sets/mem_cred.c | 280 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/sets/mem_cred.h | 67 |
11 files changed, 856 insertions, 0 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index ce718b9cb..9c7df81a6 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -131,11 +131,19 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: +<<<<<<< HEAD +======= + case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 { certificate_t *cert = (certificate_t*)entry->value; cert->destroy(cert); break; } +<<<<<<< HEAD +======= + case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -147,6 +155,11 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 break; } } @@ -172,6 +185,11 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 /* integer type */ enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -182,10 +200,18 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: +<<<<<<< HEAD +======= + case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: +<<<<<<< HEAD +======= + case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 /* pointer type */ enumerator->current->value = va_arg(args, void*); break; @@ -237,6 +263,11 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) case AUTH_RULE_EAP_TYPE: return (void*)EAP_NAK; case AUTH_RULE_EAP_VENDOR: +<<<<<<< HEAD +======= + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 return (void*)0; case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: @@ -248,10 +279,18 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: +<<<<<<< HEAD +======= + case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: +<<<<<<< HEAD +======= + case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 default: return NULL; } @@ -274,6 +313,11 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 /* integer type */ entry->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -284,10 +328,18 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: +<<<<<<< HEAD +======= + case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: +<<<<<<< HEAD +======= + case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 /* pointer type */ entry->value = va_arg(args, void*); break; @@ -358,6 +410,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: { +<<<<<<< HEAD cert_validation_t validated, required; required = (uintptr_t)value; @@ -390,6 +443,47 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, } break; } +======= + uintptr_t validated; + + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &validated)) + { + if (t2 == t1) + { + switch ((uintptr_t)value) + { + case VALIDATION_FAILED: + /* no constraint */ + break; + case VALIDATION_SKIPPED: + if (validated == VALIDATION_SKIPPED) + { + break; + } + /* FALL */ + case VALIDATION_GOOD: + if (validated == VALIDATION_GOOD) + { + break; + } + /* FALL */ + default: + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: " + "%N is %N, but requires at least %N", + auth_rule_names, t1, + cert_validation_names, validated, + cert_validation_names, (uintptr_t)value); + } + break; + } + } + } + e2->destroy(e2); +>>>>>>> upstream/4.5.1 break; } case AUTH_RULE_IDENTITY: @@ -473,10 +567,82 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, e2->destroy(e2); break; } +<<<<<<< HEAD +======= + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: + { + uintptr_t strength; + + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &strength)) + { + if (t2 == t1) + { + if ((uintptr_t)value > strength) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %d bit " + "public keys, but %d bit key used", + (uintptr_t)value, strength); + } + } + } + else if (t2 == AUTH_RULE_RSA_STRENGTH) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %d bit ECDSA, " + "but RSA used", (uintptr_t)value); + } + } + else if (t2 == AUTH_RULE_ECDSA_STRENGTH) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %d bit RSA, " + "but ECDSA used", (uintptr_t)value); + } + } + } + e2->destroy(e2); + break; + } + case AUTH_RULE_CERT_POLICY: + { + char *oid1, *oid2; + + oid1 = (char*)value; + success = FALSE; + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &oid2)) + { + if (t2 == t1 && streq(oid1, oid2)) + { + success = TRUE; + break; + } + } + e2->destroy(e2); + if (!success && log_error) + { + DBG1(DBG_CFG, "constraint requires cert policy %s", oid1); + } + break; + } +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: +<<<<<<< HEAD +======= + case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 /* skip helpers */ continue; } @@ -523,6 +689,10 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: +<<<<<<< HEAD +======= + case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 { certificate_t *cert = (certificate_t*)value; @@ -534,6 +704,11 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_AUTH_CLASS: case AUTH_RULE_EAP_TYPE: case AUTH_RULE_EAP_VENDOR: +<<<<<<< HEAD +======= + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 { add(this, type, (uintptr_t)value); break; @@ -548,6 +723,10 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy add(this, type, id->clone(id)); break; } +<<<<<<< HEAD +======= + case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -600,6 +779,11 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 { if (i1->value == i2->value) { @@ -613,6 +797,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: +<<<<<<< HEAD +======= + case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 { certificate_t *c1, *c2; @@ -643,6 +831,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) } continue; } +<<<<<<< HEAD +======= + case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -725,11 +917,19 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: +<<<<<<< HEAD +======= + case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 { certificate_t *cert = (certificate_t*)entry->value; clone->add(clone, entry->type, cert->get_ref(cert)); break; } +<<<<<<< HEAD +======= + case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -741,6 +941,11 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 clone->add(clone, entry->type, (uintptr_t)entry->value); break; } diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 19624a2fe..659a7c9ef 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -90,6 +90,15 @@ enum auth_rule_t { * The group membership constraint is fulfilled if the subject is member of * one group defined in the constraints. */ AUTH_RULE_GROUP, +<<<<<<< HEAD +======= + /** required RSA public key strength, u_int in bits */ + AUTH_RULE_RSA_STRENGTH, + /** required ECDSA public key strength, u_int in bits */ + AUTH_RULE_ECDSA_STRENGTH, + /** certificatePolicy constraint, numerical OID as char* */ + AUTH_RULE_CERT_POLICY, +>>>>>>> upstream/4.5.1 /** intermediate certificate, certificate_t* */ AUTH_HELPER_IM_CERT, @@ -99,6 +108,11 @@ enum auth_rule_t { AUTH_HELPER_IM_HASH_URL, /** Hash and URL of a end-entity certificate, char* */ AUTH_HELPER_SUBJECT_HASH_URL, +<<<<<<< HEAD +======= + /** revocation certificate (CRL, OCSP), certificate_t* */ + AUTH_HELPER_REVOCATION_CERT, +>>>>>>> upstream/4.5.1 }; /** diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index c43e5fd5d..4d3a78eab 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -43,8 +43,21 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_CRL_DISTRIBUTION_POINTS", "BUILD_OCSP_ACCESS_LOCATIONS", "BUILD_PATHLEN", +<<<<<<< HEAD "BUILD_X509_FLAG", "BUILD_REVOKED_ENUMERATOR", +======= + "BUILD_PERMITTED_NAME_CONSTRAINTS", + "BUILD_EXCLUDED_NAME_CONSTRAINTS", + "BUILD_CERTIFICATE_POLICIES", + "BUILD_POLICY_MAPPINGS", + "BUILD_POLICY_REQUIRE_EXPLICIT", + "BUILD_POLICY_INHIBIT_MAPPING", + "BUILD_POLICY_INHIBIT_ANY", + "BUILD_X509_FLAG", + "BUILD_REVOKED_ENUMERATOR", + "BUILD_BASE_CRL", +>>>>>>> upstream/4.5.1 "BUILD_CHALLENGE_PWD", "BUILD_PKCS11_MODULE", "BUILD_PKCS11_SLOT", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index dc87da2a4..fc93a6007 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -87,16 +87,42 @@ enum builder_part_t { BUILD_CA_CERT, /** a certificate, certificate_t* */ BUILD_CERT, +<<<<<<< HEAD /** CRL distribution point URIs, linked_list_t* containing char* */ +======= + /** CRL distribution point URIs, x509_cdp_t* */ +>>>>>>> upstream/4.5.1 BUILD_CRL_DISTRIBUTION_POINTS, /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */ BUILD_OCSP_ACCESS_LOCATIONS, /** certificate path length constraint */ BUILD_PATHLEN, +<<<<<<< HEAD +======= + /** permitted X509 name constraints, linked_list_t* of identification_t* */ + BUILD_PERMITTED_NAME_CONSTRAINTS, + /** excluded X509 name constraints, linked_list_t* of identification_t* */ + BUILD_EXCLUDED_NAME_CONSTRAINTS, + /** certificatePolicy OIDs, linked_list_t* of x509_cert_policy_t* */ + BUILD_CERTIFICATE_POLICIES, + /** policyMapping OIDs, linked_list_t* of x509_policy_mapping_t* */ + BUILD_POLICY_MAPPINGS, + /** requireExplicitPolicy constraint, int */ + BUILD_POLICY_REQUIRE_EXPLICIT, + /** inhibitPolicyMapping constraint, int */ + BUILD_POLICY_INHIBIT_MAPPING, + /** inhibitAnyPolicy constraint, int */ + BUILD_POLICY_INHIBIT_ANY, +>>>>>>> upstream/4.5.1 /** enforce an additional X509 flag, x509_flag_t */ BUILD_X509_FLAG, /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */ BUILD_REVOKED_ENUMERATOR, +<<<<<<< HEAD +======= + /** Base CRL serial for a delta CRL, chunk_t, */ + BUILD_BASE_CRL, +>>>>>>> upstream/4.5.1 /** PKCS#10 challenge password */ BUILD_CHALLENGE_PWD, /** friendly name of a PKCS#11 module, null terminated char* */ diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h index 1e67c23ab..f329281d3 100644 --- a/src/libstrongswan/credentials/cert_validator.h +++ b/src/libstrongswan/credentials/cert_validator.h @@ -40,12 +40,22 @@ struct cert_validator_t { * @param subject subject certificate to check * @param issuer issuer of subject * @param online wheter to do online revocation checking +<<<<<<< HEAD * @param pathlen the current length of the path up to the root CA * @param auth container for resulting authentication info */ bool (*validate)(cert_validator_t *this, certificate_t *subject, certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth); +======= + * @param pathlen the current length of the path bottom-up + * @param anchor is issuer trusted root anchor + * @param auth container for resulting authentication info + */ + bool (*validate)(cert_validator_t *this, certificate_t *subject, + certificate_t *issuer, bool online, u_int pathlen, + bool anchor, auth_cfg_t *auth); +>>>>>>> upstream/4.5.1 }; #endif /** CERT_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 9425311fb..11ad7f2f3 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -72,6 +72,24 @@ struct crl_t { chunk_t (*get_authKeyIdentifier)(crl_t *this); /** +<<<<<<< HEAD +======= + * Is this CRL a delta CRL? + * + * @param base_crl gets to baseCrlNumber, if this is a delta CRL + * @return TRUE if delta CRL + */ + bool (*is_delta_crl)(crl_t *this, chunk_t *base_crl); + + /** + * Create an enumerator over Freshest CRL distribution points and issuers. + * + * @return enumerator over x509_cdp_t + */ + enumerator_t* (*create_delta_crl_uri_enumerator)(crl_t *this); + + /** +>>>>>>> upstream/4.5.1 * Create an enumerator over all revoked certificates. * * The enumerator takes 3 pointer arguments: diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 6e0a5002a..3ab26c8c5 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -24,10 +24,22 @@ #include <utils/enumerator.h> #include <credentials/certificates/certificate.h> +<<<<<<< HEAD #define X509_NO_PATH_LEN_CONSTRAINT -1 typedef struct x509_t x509_t; typedef enum x509_flag_t x509_flag_t; +======= +/* constraints are currently restricted to the range 0..127 */ +#define X509_NO_CONSTRAINT 255 + +typedef struct x509_t x509_t; +typedef struct x509_cert_policy_t x509_cert_policy_t; +typedef struct x509_policy_mapping_t x509_policy_mapping_t; +typedef struct x509_cdp_t x509_cdp_t; +typedef enum x509_flag_t x509_flag_t; +typedef enum x509_constraint_t x509_constraint_t; +>>>>>>> upstream/4.5.1 /** * X.509 certificate flags. @@ -49,12 +61,64 @@ enum x509_flag_t { X509_SELF_SIGNED = (1<<5), /** cert has an ipAddrBlocks extension */ X509_IP_ADDR_BLOCKS = (1<<6), +<<<<<<< HEAD }; /** * enum names for x509 flags */ extern enum_name_t *x509_flag_names; +======= + /** cert has CRL sign key usage */ + X509_CRL_SIGN = (1<<7), +}; + +/** + * Different numerical X.509 constraints. + */ +enum x509_constraint_t { + /** pathLenConstraint basicConstraints */ + X509_PATH_LEN, + /** inhibitPolicyMapping policyConstraint */ + X509_INHIBIT_POLICY_MAPPING, + /** requireExplicitPolicy policyConstraint */ + X509_REQUIRE_EXPLICIT_POLICY, + /** inhibitAnyPolicy constraint */ + X509_INHIBIT_ANY_POLICY, +}; + +/** + * X.509 certPolicy extension. + */ +struct x509_cert_policy_t { + /** OID of certPolicy */ + chunk_t oid; + /** Certification Practice Statement URI qualifier */ + char *cps_uri; + /** UserNotice Text qualifier */ + char *unotice_text; +}; + +/** + * X.509 policyMapping extension + */ +struct x509_policy_mapping_t { + /** OID of issuerDomainPolicy */ + chunk_t issuer; + /** OID of subjectDomainPolicy */ + chunk_t subject; +}; + +/** + * X.509 CRL distributionPoint + */ +struct x509_cdp_t { + /** CDP URI, as string */ + char *uri; + /** CRL issuer */ + identification_t *issuer; +}; +>>>>>>> upstream/4.5.1 /** * X.509 certificate interface. @@ -98,11 +162,20 @@ struct x509_t { chunk_t (*get_authKeyIdentifier)(x509_t *this); /** +<<<<<<< HEAD * Get an optional path length constraint. * * @return pathLenConstraint, -1 if no constraint exists */ int (*get_pathLenConstraint)(x509_t *this); +======= + * Get a numerical X.509 constraint. + * + * @param type type of constraint to get + * @return constraint, X509_NO_CONSTRAINT if none found + */ + u_int (*get_constraint)(x509_t *this, x509_constraint_t type); +>>>>>>> upstream/4.5.1 /** * Create an enumerator over all subjectAltNames. @@ -112,9 +185,15 @@ struct x509_t { enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this); /** +<<<<<<< HEAD * Create an enumerator over all CRL URIs. * * @return enumerator over URIs as char* +======= + * Create an enumerator over all CRL URIs and CRL Issuers. + * + * @return enumerator over x509_cdp_t +>>>>>>> upstream/4.5.1 */ enumerator_t* (*create_crl_uri_enumerator)(x509_t *this); @@ -131,6 +210,33 @@ struct x509_t { * @return enumerator over ipAddrBlocks as traffic_selector_t* */ enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this); +<<<<<<< HEAD +======= + + /** + * Create an enumerator over name constraints. + * + * @param perm TRUE for permitted, FALSE for excluded subtrees + * @return enumerator over subtrees as identification_t + */ + enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm); + + /** + * Create an enumerator over certificate policies. + * + * @return enumerator over x509_cert_policy_t + */ + enumerator_t* (*create_cert_policy_enumerator)(x509_t *this); + + /** + * Create an enumerator over policy mappings. + * + * @return enumerator over x509_policy_mapping + */ + enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this); + + +>>>>>>> upstream/4.5.1 }; #endif /** X509_H_ @}*/ diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 97e8d8887..3e54368ff 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -452,8 +452,13 @@ static void cache_queue(private_credential_manager_t *this) * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, +<<<<<<< HEAD certificate_t *subject, certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) +======= + certificate_t *subject, certificate_t *issuer, bool online, + int pathlen, bool trusted, auth_cfg_t *auth) +>>>>>>> upstream/4.5.1 { time_t not_before, not_after; cert_validator_t *validator; @@ -471,6 +476,7 @@ static bool check_certificate(private_credential_manager_t *this, ¬_before, FALSE, ¬_after, FALSE); return FALSE; } +<<<<<<< HEAD if (issuer->get_type(issuer) == CERT_X509 && subject->get_type(subject) == CERT_X509) { @@ -488,12 +494,18 @@ static bool check_certificate(private_credential_manager_t *this, return FALSE; } } +======= +>>>>>>> upstream/4.5.1 enumerator = this->validators->create_enumerator(this->validators); while (enumerator->enumerate(enumerator, &validator)) { if (!validator->validate(validator, subject, issuer, +<<<<<<< HEAD online, pathlen, auth)) +======= + online, pathlen, trusted, auth)) +>>>>>>> upstream/4.5.1 { enumerator->destroy(enumerator); return FALSE; @@ -551,6 +563,40 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this, } /** +<<<<<<< HEAD +======= + * Get the strength of certificate, add it to auth + */ +static void get_key_strength(certificate_t *cert, auth_cfg_t *auth) +{ + uintptr_t strength; + public_key_t *key; + key_type_t type; + + key = cert->get_public_key(cert); + if (key) + { + type = key->get_type(key); + strength = key->get_keysize(key); + DBG2(DBG_CFG, " certificate \"%Y\" key: %d bit %N", + cert->get_subject(cert), strength, key_type_names, type); + switch (type) + { + case KEY_RSA: + auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength); + break; + case KEY_ECDSA: + auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength); + break; + default: + break; + } + key->destroy(key); + } +} + +/** +>>>>>>> upstream/4.5.1 * try to verify the trust chain of subject, return TRUE if trusted */ static bool verify_trust_chain(private_credential_manager_t *this, @@ -562,7 +608,13 @@ static bool verify_trust_chain(private_credential_manager_t *this, int pathlen; auth = auth_cfg_create(); +<<<<<<< HEAD + current = subject->get_ref(subject); +======= + get_key_strength(subject, auth); current = subject->get_ref(subject); + auth->add(auth, AUTH_RULE_SUBJECT_CERT, current->get_ref(current)); +>>>>>>> upstream/4.5.1 for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++) { @@ -607,13 +659,25 @@ static bool verify_trust_chain(private_credential_manager_t *this, break; } } +<<<<<<< HEAD if (!check_certificate(this, current, issuer, online, pathlen, current == subject ? auth : NULL)) +======= + if (!check_certificate(this, current, issuer, online, + pathlen, trusted, auth)) +>>>>>>> upstream/4.5.1 { trusted = FALSE; issuer->destroy(issuer); break; } +<<<<<<< HEAD +======= + if (issuer) + { + get_key_strength(issuer, auth); + } +>>>>>>> upstream/4.5.1 current->destroy(current); current = issuer; if (trusted) @@ -637,6 +701,17 @@ static bool verify_trust_chain(private_credential_manager_t *this, } /** +<<<<<<< HEAD +======= + * List find match function for certificates + */ +static bool cert_equals(certificate_t *a, certificate_t *b) +{ + return a->equals(a, b); +} + +/** +>>>>>>> upstream/4.5.1 * enumerator for trusted certificates */ typedef struct { @@ -656,6 +731,11 @@ typedef struct { certificate_t *pretrusted; /** currently enumerating auth config */ auth_cfg_t *auth; +<<<<<<< HEAD +======= + /** list of failed candidates */ + linked_list_t *failed; +>>>>>>> upstream/4.5.1 } trusted_enumerator_t; METHOD(enumerator_t, trusted_enumerate, bool, @@ -683,11 +763,22 @@ METHOD(enumerator_t, trusted_enumerate, bool, verify_trust_chain(this->this, this->pretrusted, this->auth, TRUE, this->online)) { +<<<<<<< HEAD this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, this->pretrusted->get_ref(this->pretrusted)); DBG1(DBG_CFG, " using trusted certificate \"%Y\"", this->pretrusted->get_subject(this->pretrusted)); *cert = this->pretrusted; +======= + DBG1(DBG_CFG, " using trusted certificate \"%Y\"", + this->pretrusted->get_subject(this->pretrusted)); + *cert = this->pretrusted; + if (!this->auth->get(this->auth, AUTH_RULE_SUBJECT_CERT)) + { /* add cert to auth info, if not returned by trustchain */ + this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, + this->pretrusted->get_ref(this->pretrusted)); + } +>>>>>>> upstream/4.5.1 if (auth) { *auth = this->auth; @@ -705,6 +796,15 @@ METHOD(enumerator_t, trusted_enumerate, bool, continue; } +<<<<<<< HEAD +======= + if (this->failed->find_first(this->failed, (void*)cert_equals, + NULL, current) == SUCCESS) + { /* check each candidate only once */ + continue; + } + +>>>>>>> upstream/4.5.1 DBG1(DBG_CFG, " using certificate \"%Y\"", current->get_subject(current)); if (verify_trust_chain(this->this, current, this->auth, FALSE, @@ -717,6 +817,10 @@ METHOD(enumerator_t, trusted_enumerate, bool, } return TRUE; } +<<<<<<< HEAD +======= + this->failed->insert_last(this->failed, current->get_ref(current)); +>>>>>>> upstream/4.5.1 } return FALSE; } @@ -727,6 +831,10 @@ METHOD(enumerator_t, trusted_destroy, void, DESTROY_IF(this->pretrusted); DESTROY_IF(this->auth); DESTROY_IF(this->candidates); +<<<<<<< HEAD +======= + this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy)); +>>>>>>> upstream/4.5.1 free(this); } @@ -745,6 +853,10 @@ METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*, .type = type, .id = id, .online = online, +<<<<<<< HEAD +======= + .failed = linked_list_create(), +>>>>>>> upstream/4.5.1 ); return &enumerator->public; } diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c index 5e8458616..046ccfd12 100644 --- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c @@ -132,7 +132,12 @@ static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert) } } else if (rule != AUTH_HELPER_SUBJECT_CERT && +<<<<<<< HEAD rule != AUTH_HELPER_IM_CERT) +======= + rule != AUTH_HELPER_IM_CERT && + rule != AUTH_HELPER_REVOCATION_CERT) +>>>>>>> upstream/4.5.1 { /* handle only HELPER certificates */ continue; } diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c index c29a99f1f..5a2385b72 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.c +++ b/src/libstrongswan/credentials/sets/mem_cred.c @@ -1,4 +1,9 @@ /* +<<<<<<< HEAD +======= + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperwsil +>>>>>>> upstream/4.5.1 * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -54,6 +59,14 @@ struct private_mem_cred_t { * List of shared keys, as shared_entry_t */ linked_list_t *shared; +<<<<<<< HEAD +======= + + /** + * List of CDPs, as cdp_t + */ + linked_list_t *cdps; +>>>>>>> upstream/4.5.1 }; /** @@ -144,6 +157,7 @@ static bool certificate_equals(certificate_t *item, certificate_t *cert) return item->equals(item, cert); } +<<<<<<< HEAD METHOD(mem_cred_t, add_cert, void, private_mem_cred_t *this, bool trusted, certificate_t *cert) { @@ -159,6 +173,106 @@ METHOD(mem_cred_t, add_cert, void, } cert->destroy(cert); this->lock->unlock(this->lock); +======= +/** + * Add a certificate the the cache. Returns a reference to "cert" or a + * previously cached certificate that equals "cert". + */ +static certificate_t *add_cert_internal(private_mem_cred_t *this, bool trusted, + certificate_t *cert) +{ + certificate_t *cached; + this->lock->write_lock(this->lock); + if (this->untrusted->find_first(this->untrusted, + (linked_list_match_t)certificate_equals, + (void**)&cached, cert) == SUCCESS) + { + cert->destroy(cert); + cert = cached->get_ref(cached); + } + else + { + if (trusted) + { + this->trusted->insert_first(this->trusted, cert->get_ref(cert)); + } + this->untrusted->insert_first(this->untrusted, cert->get_ref(cert)); + } + this->lock->unlock(this->lock); + return cert; +} + +METHOD(mem_cred_t, add_cert, void, + private_mem_cred_t *this, bool trusted, certificate_t *cert) +{ + certificate_t *cached = add_cert_internal(this, trusted, cert); + cached->destroy(cached); +} + +METHOD(mem_cred_t, add_cert_ref, certificate_t*, + private_mem_cred_t *this, bool trusted, certificate_t *cert) +{ + return add_cert_internal(this, trusted, cert); +} + +METHOD(mem_cred_t, add_crl, bool, + private_mem_cred_t *this, crl_t *crl) +{ + certificate_t *current, *cert = &crl->certificate; + enumerator_t *enumerator; + bool new = TRUE; + + this->lock->write_lock(this->lock); + enumerator = this->untrusted->create_enumerator(this->untrusted); + while (enumerator->enumerate(enumerator, (void**)¤t)) + { + if (current->get_type(current) == CERT_X509_CRL) + { + bool found = FALSE; + crl_t *crl_c = (crl_t*)current; + chunk_t authkey = crl->get_authKeyIdentifier(crl); + chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c); + + /* compare authorityKeyIdentifiers if available */ + if (chunk_equals(authkey, authkey_c)) + { + found = TRUE; + } + else + { + identification_t *issuer = cert->get_issuer(cert); + identification_t *issuer_c = current->get_issuer(current); + + /* otherwise compare issuer distinguished names */ + if (issuer->equals(issuer, issuer_c)) + { + found = TRUE; + } + } + if (found) + { + new = crl_is_newer(crl, crl_c); + if (new) + { + this->untrusted->remove_at(this->untrusted, enumerator); + } + else + { + cert->destroy(cert); + } + break; + } + } + } + enumerator->destroy(enumerator); + + if (new) + { + this->untrusted->insert_first(this->untrusted, cert); + } + this->lock->unlock(this->lock); + return new; +>>>>>>> upstream/4.5.1 } /** @@ -218,7 +332,11 @@ METHOD(mem_cred_t, add_key, void, private_mem_cred_t *this, private_key_t *key) { this->lock->write_lock(this->lock); +<<<<<<< HEAD this->keys->insert_last(this->keys, key); +======= + this->keys->insert_first(this->keys, key); +>>>>>>> upstream/4.5.1 this->lock->unlock(this->lock); } @@ -342,6 +460,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, (void*)shared_filter, data, (void*)shared_data_destroy); } +<<<<<<< HEAD METHOD(mem_cred_t, add_shared, void, private_mem_cred_t *this, shared_key_t *shared, ...) { @@ -354,20 +473,148 @@ METHOD(mem_cred_t, add_shared, void, .owners = linked_list_create(), ); +======= +METHOD(mem_cred_t, add_shared_list, void, + private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners) +{ + shared_entry_t *entry; + + INIT(entry, + .shared = shared, + .owners = owners, + ); + + this->lock->write_lock(this->lock); + this->shared->insert_first(this->shared, entry); + this->lock->unlock(this->lock); +} + +METHOD(mem_cred_t, add_shared, void, + private_mem_cred_t *this, shared_key_t *shared, ...) +{ + identification_t *id; + linked_list_t *owners = linked_list_create(); + va_list args; + +>>>>>>> upstream/4.5.1 va_start(args, shared); do { id = va_arg(args, identification_t*); if (id) { +<<<<<<< HEAD entry->owners->insert_last(entry->owners, id); +======= + owners->insert_first(owners, id); +>>>>>>> upstream/4.5.1 } } while (id); va_end(args); +<<<<<<< HEAD this->lock->write_lock(this->lock); this->shared->insert_last(this->shared, entry); +======= + add_shared_list(this, shared, owners); +} + +/** + * Certificate distribution point + */ +typedef struct { + certificate_type_t type; + identification_t *id; + char *uri; +} cdp_t; + +/** + * Destroy a CDP entry + */ +static void cdp_destroy(cdp_t *this) +{ + this->id->destroy(this->id); + free(this->uri); + free(this); +} + +METHOD(mem_cred_t, add_cdp, void, + private_mem_cred_t *this, certificate_type_t type, + identification_t *id, char *uri) +{ + cdp_t *cdp; + + INIT(cdp, + .type = type, + .id = id->clone(id), + .uri = strdup(uri), + ); + this->lock->write_lock(this->lock); + this->cdps->insert_last(this->cdps, cdp); + this->lock->unlock(this->lock); +} + +/** + * CDP enumerator data + */ +typedef struct { + certificate_type_t type; + identification_t *id; + rwlock_t *lock; +} cdp_data_t; + +/** + * Clean up CDP enumerator data + */ +static void cdp_data_destroy(cdp_data_t *data) +{ + data->lock->unlock(data->lock); + free(data); +} + +/** + * CDP enumerator filter + */ +static bool cdp_filter(cdp_data_t *data, cdp_t **cdp, char **uri) +{ + if (data->type != CERT_ANY && data->type != (*cdp)->type) + { + return FALSE; + } + if (data->id && !(*cdp)->id->matches((*cdp)->id, data->id)) + { + return FALSE; + } + *uri = (*cdp)->uri; + return TRUE; +} + +METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, + private_mem_cred_t *this, certificate_type_t type, identification_t *id) +{ + cdp_data_t *data; + + INIT(data, + .type = type, + .id = id, + .lock = this->lock, + ); + this->lock->read_lock(this->lock); + return enumerator_create_filter(this->cdps->create_enumerator(this->cdps), + (void*)cdp_filter, data, (void*)cdp_data_destroy); + +} + +METHOD(mem_cred_t, clear_secrets, void, + private_mem_cred_t *this) +{ + this->lock->write_lock(this->lock); + this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); + this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); + this->keys = linked_list_create(); + this->shared = linked_list_create(); +>>>>>>> upstream/4.5.1 this->lock->unlock(this->lock); } @@ -379,6 +626,7 @@ METHOD(mem_cred_t, clear_, void, offsetof(certificate_t, destroy)); this->untrusted->destroy_offset(this->untrusted, offsetof(certificate_t, destroy)); +<<<<<<< HEAD this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); this->trusted = linked_list_create(); @@ -386,6 +634,15 @@ METHOD(mem_cred_t, clear_, void, this->keys = linked_list_create(); this->shared = linked_list_create(); this->lock->unlock(this->lock); +======= + this->cdps->destroy_function(this->cdps, (void*)cdp_destroy); + this->trusted = linked_list_create(); + this->untrusted = linked_list_create(); + this->cdps = linked_list_create(); + this->lock->unlock(this->lock); + + clear_secrets(this); +>>>>>>> upstream/4.5.1 } METHOD(mem_cred_t, destroy, void, @@ -396,6 +653,10 @@ METHOD(mem_cred_t, destroy, void, this->untrusted->destroy(this->untrusted); this->keys->destroy(this->keys); this->shared->destroy(this->shared); +<<<<<<< HEAD +======= + this->cdps->destroy(this->cdps); +>>>>>>> upstream/4.5.1 this->lock->destroy(this->lock); free(this); } @@ -413,6 +674,7 @@ mem_cred_t *mem_cred_create() .create_shared_enumerator = _create_shared_enumerator, .create_private_enumerator = _create_private_enumerator, .create_cert_enumerator = _create_cert_enumerator, +<<<<<<< HEAD .create_cdp_enumerator = (void*)return_null, .cache_cert = (void*)nop, }, @@ -420,12 +682,30 @@ mem_cred_t *mem_cred_create() .add_key = _add_key, .add_shared = _add_shared, .clear = _clear_, +======= + .create_cdp_enumerator = _create_cdp_enumerator, + .cache_cert = (void*)nop, + }, + .add_cert = _add_cert, + .add_cert_ref = _add_cert_ref, + .add_crl = _add_crl, + .add_key = _add_key, + .add_shared = _add_shared, + .add_shared_list = _add_shared_list, + .add_cdp = _add_cdp, + .clear = _clear_, + .clear_secrets = _clear_secrets, +>>>>>>> upstream/4.5.1 .destroy = _destroy, }, .trusted = linked_list_create(), .untrusted = linked_list_create(), .keys = linked_list_create(), .shared = linked_list_create(), +<<<<<<< HEAD +======= + .cdps = linked_list_create(), +>>>>>>> upstream/4.5.1 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ); diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h index b26e43d6c..274e07566 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.h +++ b/src/libstrongswan/credentials/sets/mem_cred.h @@ -1,4 +1,9 @@ /* +<<<<<<< HEAD +======= + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil +>>>>>>> upstream/4.5.1 * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -24,6 +29,11 @@ typedef struct mem_cred_t mem_cred_t; #include <credentials/credential_set.h> +<<<<<<< HEAD +======= +#include <credentials/certificates/crl.h> +#include <utils/linked_list.h> +>>>>>>> upstream/4.5.1 /** * Generic in-memory credential set. @@ -44,6 +54,29 @@ struct mem_cred_t { void (*add_cert)(mem_cred_t *this, bool trusted, certificate_t *cert); /** +<<<<<<< HEAD +======= + * Add a certificate to the credential set, returning a reference to it or + * to a cached duplicate. + * + * @param trusted TRUE to serve certificate as trusted + * @param cert certificate, reference gets owned by set + * @return reference to cert or a previously cached duplicate + */ + certificate_t *(*add_cert_ref)(mem_cred_t *this, bool trusted, + certificate_t *cert); + + /** + * Add an X.509 CRL to the credential set. + * + * @param crl CRL, gets owned by set + * @return TRUE, if the CRL is newer than an existing one (or + * new at all) + */ + bool (*add_crl)(mem_cred_t *this, crl_t *crl); + + /** +>>>>>>> upstream/4.5.1 * Add a private key to the credential set. * * @param key key, reference gets owned by set @@ -54,16 +87,50 @@ struct mem_cred_t { * Add a shared key to the credential set. * * @param shared shared key to add, gets owned by set +<<<<<<< HEAD * @param ... NULL terminated list of owners identification_t* +======= + * @param ... NULL terminated list of owners (identification_t*) +>>>>>>> upstream/4.5.1 */ void (*add_shared)(mem_cred_t *this, shared_key_t *shared, ...); /** +<<<<<<< HEAD +======= + * Add a shared key to the credential set. + * + * @param shared shared key to add, gets owned by set + * @param owners list of owners (identification_t*), gets owned + */ + void (*add_shared_list)(mem_cred_t *this, shared_key_t *shared, + linked_list_t *owners); + /** + * Add a certificate distribution point to the set. + * + * @param type type of the certificate + * @param id certificate ID CDP has a cert for, gets cloned + * @param uri CDP URI, gets strduped + */ + void (*add_cdp)(mem_cred_t *this, certificate_type_t type, + identification_t *id, char *uri); + + /** +>>>>>>> upstream/4.5.1 * Clear all credentials from the credential set. */ void (*clear)(mem_cred_t *this); /** +<<<<<<< HEAD +======= + * Clear the secrets (private and shared keys, not the certificates) from + * the credential set. + */ + void (*clear_secrets)(mem_cred_t *this); + + /** +>>>>>>> upstream/4.5.1 * Destroy a mem_cred_t. */ void (*destroy)(mem_cred_t *this); |