Fixed some typos, courtesy of codespell
[strongswan.git] / src / libcharon / plugins / addrblock / addrblock_validator.c
1 /*
2 * Copyright (C) 2010 Martin Willi, revosec AG
3 * Copyright (C) 2009 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "addrblock_validator.h"
17
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20 #include <selectors/traffic_selector.h>
21
22 typedef struct private_addrblock_validator_t private_addrblock_validator_t;
23
24 /**
25 * Private data of an addrblock_validator_t object.
26 */
27 struct private_addrblock_validator_t {
28
29 /**
30 * Public addrblock_validator_t interface.
31 */
32 addrblock_validator_t public;
33
34 /**
35 * Whether to reject subject certificates not having a addrBlock extension
36 */
37 bool strict;
38 };
39
40 /**
41 * Do the addrblock check for two x509 plugins
42 */
43 static bool check_addrblock(private_addrblock_validator_t *this,
44 x509_t *subject, x509_t *issuer)
45 {
46 bool subject_const, issuer_const, contained = TRUE;
47 enumerator_t *subject_enumerator, *issuer_enumerator;
48 traffic_selector_t *subject_ts, *issuer_ts;
49
50 subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
51 issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
52
53 if (!subject_const && !issuer_const)
54 {
55 return TRUE;
56 }
57 if (!subject_const)
58 {
59 DBG1(DBG_CFG, "subject certificate lacks ipAddrBlocks extension");
60 return !this->strict;
61 }
62 if (!issuer_const)
63 {
64 DBG1(DBG_CFG, "issuer certificate lacks ipAddrBlocks extension");
65 return FALSE;
66 }
67 subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
68 while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
69 {
70 contained = FALSE;
71
72 issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
73 while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
74 {
75 if (subject_ts->is_contained_in(subject_ts, issuer_ts))
76 {
77 DBG2(DBG_CFG, " subject address block %R is contained in "
78 "issuer address block %R", subject_ts, issuer_ts);
79 contained = TRUE;
80 break;
81 }
82 }
83 issuer_enumerator->destroy(issuer_enumerator);
84 if (!contained)
85 {
86 DBG1(DBG_CFG, "subject address block %R is not contained in any "
87 "issuer address block", subject_ts);
88 break;
89 }
90 }
91 subject_enumerator->destroy(subject_enumerator);
92 return contained;
93 }
94
95 METHOD(cert_validator_t, validate, bool,
96 private_addrblock_validator_t *this, certificate_t *subject,
97 certificate_t *issuer, bool online, u_int pathlen, bool anchor,
98 auth_cfg_t *auth)
99 {
100 if (subject->get_type(subject) == CERT_X509 &&
101 issuer->get_type(issuer) == CERT_X509)
102 {
103 if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
104 {
105 lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
106 subject);
107 return FALSE;
108 }
109 }
110 return TRUE;
111 }
112
113 METHOD(addrblock_validator_t, destroy, void,
114 private_addrblock_validator_t *this)
115 {
116 free(this);
117 }
118
119 /**
120 * See header
121 */
122 addrblock_validator_t *addrblock_validator_create()
123 {
124 private_addrblock_validator_t *this;
125
126 INIT(this,
127 .public = {
128 .validator = {
129 .validate = _validate,
130 },
131 .destroy = _destroy,
132 },
133 .strict = lib->settings->get_bool(lib->settings,
134 "%s.plugins.addrblock.strict", TRUE, lib->ns),
135 );
136
137 return &this->public;
138 }