Diffstat (limited to 'src/libstrongswan/plugins/openssl')
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crl.c11
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c74
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c100
4 files changed, 128 insertions, 61 deletions
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index a32418b16..b43be29f1 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -226,9 +226,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -267,6 +265,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index b9d97a901..58401faa5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -382,6 +382,8 @@ static private_openssl_crl_t *create_empty()
},
.get_serial = _get_serial,
.get_authKeyIdentifier = _get_authKeyIdentifier,
+ .is_delta_crl = (void*)return_false,
+ .create_delta_crl_uri_enumerator = (void*)enumerator_create_empty,
.create_enumerator = _create_enumerator,
},
},
@@ -458,7 +460,14 @@ static bool parse_extensions(private_openssl_crl_t *this)
ok = parse_crlNumber_ext(this, ext);
break;
default:
- ok = TRUE;
+ ok = X509_EXTENSION_get_critical(ext) == 0 ||
+ !lib->settings->get_bool(lib->settings,
+ "libstrongswan.x509.enforce_critical", TRUE);
+ if (!ok)
+ {
+ DBG1(DBG_LIB, "found unsupported critical X.509 "
+ "CRL extension");
+ }
break;
}
if (!ok)
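Review bot: When `libstrongswan.x509.enforce_critical` is FALSE, the new default branch accepts an unsupported critical extension without any log line, so an operator who relaxed the setting has no trace of which CRLs carry extensions the plugin silently ignored; the same shape is in the parse_extensions hunk of openssl_x509.c. I would log in both outcomes and name the extension, e.g. `DBG1(DBG_LIB, "%s unsupported critical X.509 CRL extension", ok ? "ignoring" : "found");` with the OID rendered via `OBJ_obj2txt()` on `X509_EXTENSION_get_object(ext)` if the message format allows it. If this switch sits inside the per-extension loop (the loop head is outside the hunk), the settings lookup is also repeated for every unknown extension and could be read once before the loop.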
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 0ab4eda9c..0050572ee 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -41,6 +41,8 @@
#include "openssl_x509.h"
#include "openssl_crl.h"
+static const char *plugin_name = "openssl";
+
typedef struct private_openssl_plugin_t private_openssl_plugin_t;
/**
@@ -272,85 +274,85 @@ plugin_t *openssl_plugin_create()
}
/* crypter */
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_RC5,
+ lib->crypto->add_crypter(lib->crypto, ENCR_RC5, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_IDEA,
+ lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAST,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+ lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
+ lib->crypto->add_crypter(lib->crypto, ENCR_NULL, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
/* hasher */
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD2,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
/* prf */
- lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
+ lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name,
(prf_constructor_t)openssl_sha1_prf_create);
/* (ec) diffie hellman */
- lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
#ifndef OPENSSL_NO_EC
- lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_256_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_384_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_521_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_224_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_192_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
#endif /* OPENSSL_NO_EC */
- lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+ lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
/* rsa */
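Review bot: The registration block is now over forty near-identical two-line calls that differ only in the algorithm constant, and every future signature change (like the `plugin_name` argument added here) has to be applied by hand to each of them; a small table per algorithm family iterated in a loop would keep the list in one place. The crypter, prf and dh groups follow the same pattern, the `#ifndef OPENSSL_NO_EC` members would go into their own table. The enclosing openssl_plugin_create() starts and ends outside the hunk.
```c
	/* hasher */
	static const hash_algorithm_t hashers[] = {
		HASH_SHA1, HASH_MD2, HASH_MD4, HASH_MD5,
		HASH_SHA224, HASH_SHA256, HASH_SHA384, HASH_SHA512,
	};
	for (size_t i = 0; i < sizeof(hashers) / sizeof(hashers[0]); i++)
	{
		lib->crypto->add_hasher(lib->crypto, hashers[i], plugin_name,
								(hasher_constructor_t)openssl_hasher_create);
	}
	/* … unchanged: crypter, prf and dh registrations, same pattern … */
```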
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index aa39bc93d..f7495b2ae 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -84,7 +84,7 @@ struct private_openssl_x509_t {
/**
* Pathlen constraint
*/
- int pathlen;
+ u_char pathlen;
/**
* certificate subject
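Review bot: The field comment should say what the `u_char` holds now that a sentinel lives in it, e.g. `/** Pathlen constraint, X509_NO_CONSTRAINT if the certificate has none */`. The narrowing from int to u_char only works if X509_NO_CONSTRAINT fits in a byte and stays distinct from every accepted pathlen; the value of X509_NO_CONSTRAINT is not visible on this page, and the `pathlen < 128` guard in the parse_basicConstraints_ext hunk is what keeps the two apart, so the comment is also the place to state that dependency. The create_empty() hunk assigns the same sentinel to this field.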
@@ -137,7 +137,7 @@ struct private_openssl_x509_t {
linked_list_t *issuerAltNames;
/**
- * List of CRL URIs
+ * List of CRL URIs, as x509_cdp_t
*/
linked_list_t *crl_uris;
@@ -153,6 +153,16 @@ struct private_openssl_x509_t {
};
/**
+ * Destroy a CRL URI struct
+ */
+static void crl_uri_destroy(x509_cdp_t *this)
+{
+ free(this->uri);
+ DESTROY_IF(this->issuer);
+ free(this);
+}
+
+/**
* Convert a GeneralName to an identification_t.
*/
static identification_t *general_name2id(GENERAL_NAME *name)
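Review bot: The header comment on crl_uri_destroy only restates the code; it would help a reader of destroy() to know the ownership contract, e.g. `/** destroy_function() callback for crl_uris entries; issuer is optional and may be NULL */`. The function itself looks fine: uri and issuer are freed exactly once and the DESTROY_IF matches the entries created without an issuer in parse_crlDistributionPoints_ext.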
@@ -240,10 +250,16 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
return chunk_empty;
}
-METHOD(x509_t, get_pathLenConstraint, int,
- private_openssl_x509_t *this)
+METHOD(x509_t, get_constraint, u_int,
+ private_openssl_x509_t *this, x509_constraint_t type)
{
- return this->pathlen;
+ switch (type)
+ {
+ case X509_PATH_LEN:
+ return this->pathlen;
+ default:
+ return X509_NO_CONSTRAINT;
+ }
}
METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
@@ -264,13 +280,6 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
return this->ocsp_uris->create_enumerator(this->ocsp_uris);
}
-METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
- private_openssl_x509_t *this)
-{
- /* TODO */
- return enumerator_create_empty();
-}
-
METHOD(certificate_t, get_type, certificate_type_t,
private_openssl_x509_t *this)
{
@@ -483,7 +492,7 @@ METHOD(certificate_t, destroy, void,
offsetof(identification_t, destroy));
this->issuerAltNames->destroy_offset(this->issuerAltNames,
offsetof(identification_t, destroy));
- this->crl_uris->destroy_function(this->crl_uris, free);
+ this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
this->ocsp_uris->destroy_function(this->ocsp_uris, free);
free(this);
}
@@ -517,18 +526,21 @@ static private_openssl_x509_t *create_empty()
.get_serial = _get_serial,
.get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
.get_authKeyIdentifier = _get_authKeyIdentifier,
- .get_pathLenConstraint = _get_pathLenConstraint,
+ .get_constraint = _get_constraint,
.create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
.create_crl_uri_enumerator = _create_crl_uri_enumerator,
.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
- .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+ .create_ipAddrBlock_enumerator = (void*)enumerator_create_empty,
+ .create_name_constraint_enumerator = (void*)enumerator_create_empty,
+ .create_cert_policy_enumerator = (void*)enumerator_create_empty,
+ .create_policy_mapping_enumerator = (void*)enumerator_create_empty,
},
},
.subjectAltNames = linked_list_create(),
.issuerAltNames = linked_list_create(),
.crl_uris = linked_list_create(),
.ocsp_uris = linked_list_create(),
- .pathlen = X509_NO_PATH_LEN_CONSTRAINT,
+ .pathlen = X509_NO_CONSTRAINT,
.ref = 1,
);
@@ -574,6 +586,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
X509_EXTENSION *ext)
{
BASIC_CONSTRAINTS *constraints;
+ long pathlen;
constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
if (constraints)
@@ -584,7 +597,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
}
if (constraints->pathlen)
{
- this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
+
+ pathlen = ASN1_INTEGER_get(constraints->pathlen);
+ this->pathlen = (pathlen >= 0 && pathlen < 128) ?
+ pathlen : X509_NO_CONSTRAINT;
}
BASIC_CONSTRAINTS_free(constraints);
return TRUE;
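Review bot: A pathLenConstraint outside 0..127 is mapped to X509_NO_CONSTRAINT without any message, which is the permissive direction: a certificate that encodes a negative or oversized value (or one ASN1_INTEGER_get could not represent, where it returns -1) ends up being treated as having no path length limit at all. At minimum I would log the clamp, e.g. `DBG1(DBG_LIB, "ignoring out-of-range pathLenConstraint %ld", pathlen);` in an `else` branch of the range check, and a short comment on the `128` bound saying it exists so the value stays distinct from the u_char sentinel. The added empty line before the `pathlen =` assignment looks unintentional.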
@@ -600,9 +616,10 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
{
CRL_DIST_POINTS *cdps;
DIST_POINT *cdp;
- identification_t *id;
+ identification_t *id, *issuer;
+ x509_cdp_t *entry;
char *uri;
- int i, j, point_num, name_num;
+ int i, j, k, point_num, name_num, issuer_num;
cdps = X509V3_EXT_d2i(ext);
if (!cdps)
@@ -627,12 +644,38 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
{
if (asprintf(&uri, "%Y", id) > 0)
{
- this->crl_uris->insert_first(this->crl_uris, uri);
+ if (cdp->CRLissuer)
+ {
+ issuer_num = sk_GENERAL_NAME_num(cdp->CRLissuer);
+ for (k = 0; k < issuer_num; k++)
+ {
+ issuer = general_name2id(
+ sk_GENERAL_NAME_value(cdp->CRLissuer, k));
+ if (issuer)
+ {
+ INIT(entry,
+ .uri = strdup(uri),
+ .issuer = issuer,
+ );
+ this->crl_uris->insert_last(
+ this->crl_uris, entry);
+ }
+ }
+ free(uri);
+ }
+ else
+ {
+ INIT(entry,
+ .uri = uri,
+ );
+ this->crl_uris->insert_last(this->crl_uris, entry);
+ }
}
id->destroy(id);
}
}
}
+
DIST_POINT_free(cdp);
}
}
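Review bot: When `cdp->CRLissuer` is present but the stack is empty or none of its names survive general_name2id(), the URI is freed and the distribution point disappears without a trace; a `DBG1(DBG_LIB, "ignoring CRL distribution point %s without usable issuer", uri);` before the `free(uri)` would make a vanishing CRL URI diagnosable. The `strdup(uri)` result is stored unchecked; if the project tolerates NULL there by convention that is fine, otherwise a NULL uri will reach crl_uri_destroy and any consumer of the entry. The empty line added before `DIST_POINT_free(cdp)` looks unintentional; the enclosing function starts and ends outside the hunk.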
@@ -765,7 +808,13 @@ static bool parse_extensions(private_openssl_x509_t *this)
ok = parse_crlDistributionPoints_ext(this, ext);
break;
default:
- ok = TRUE;
+ ok = X509_EXTENSION_get_critical(ext) == 0 ||
+ !lib->settings->get_bool(lib->settings,
+ "libstrongswan.x509.enforce_critical", TRUE);
+ if (!ok)
+ {
+ DBG1(DBG_LIB, "found unsupported critical X.509 extension");
+ }
break;
}
if (!ok)
@@ -823,6 +872,13 @@ static bool parse_certificate(private_openssl_x509_t *this)
{
return FALSE;
}
+ if (X509_get_version(this->x509) < 0 || X509_get_version(this->x509) > 2)
+ {
+ DBG1(DBG_LIB, "unsupported x509 version: %d",
+ X509_get_version(this->x509) + 1);
+ return FALSE;
+ }
+
this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509));
this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509));
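Review bot: `X509_get_version()` returns a `long`, but the new DBG1 prints it with `%d`, which is a format/argument mismatch on LP64 targets; the call is also made three times for one value. Reading it once into a local and casting at the format site fixes both; the local has to be declared with the function's other variables, which are outside the hunk. parse_certificate() starts and ends outside the hunk.
```c
	/* … unchanged: earlier checks … */
	version = X509_get_version(this->x509);
	if (version < 0 || version > 2)
	{
		DBG1(DBG_LIB, "unsupported x509 version: %d", (int)version + 1);
		return FALSE;
	}
```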
@@ -866,7 +922,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
if (!parse_extensions(this))
{
- return TRUE;
+ return FALSE;
}
parse_extKeyUsage(this);