Version bump to 5.8.4
[strongswan.git] / src / libstrongswan / utils / identification.c
1 /*
2 * Copyright (C) 2009 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #define _GNU_SOURCE
19 #include <sys/socket.h>
20 #include <netinet/in.h>
21 #include <arpa/inet.h>
22 #include <string.h>
23 #include <stdio.h>
24
25 #include "identification.h"
26
27 #include <asn1/oid.h>
28 #include <asn1/asn1.h>
29 #include <crypto/hashers/hasher.h>
30
31 ENUM_BEGIN(id_match_names, ID_MATCH_NONE, ID_MATCH_MAX_WILDCARDS,
32 "MATCH_NONE",
33 "MATCH_ANY",
34 "MATCH_MAX_WILDCARDS");
35 ENUM_NEXT(id_match_names, ID_MATCH_PERFECT, ID_MATCH_PERFECT, ID_MATCH_MAX_WILDCARDS,
36 "MATCH_PERFECT");
37 ENUM_END(id_match_names, ID_MATCH_PERFECT);
38
39 ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
40 "ID_ANY",
41 "ID_IPV4_ADDR",
42 "ID_FQDN",
43 "ID_RFC822_ADDR",
44 "ID_IPV4_ADDR_SUBNET",
45 "ID_IPV6_ADDR",
46 "ID_IPV6_ADDR_SUBNET",
47 "ID_IPV4_ADDR_RANGE",
48 "ID_IPV6_ADDR_RANGE",
49 "ID_DER_ASN1_DN",
50 "ID_DER_ASN1_GN",
51 "ID_KEY_ID");
52 ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
53 "ID_DER_ASN1_GN_URI",
54 "ID_MYID");
55 ENUM_END(id_type_names, ID_MYID);
56
57 /**
58 * coding of X.501 distinguished name
59 */
60 typedef struct {
61 const u_char *name;
62 int oid;
63 u_char type;
64 } x501rdn_t;
65
66 static const x501rdn_t x501rdns[] = {
67 {"ND", OID_NAME_DISTINGUISHER, ASN1_PRINTABLESTRING},
68 {"UID", OID_PILOT_USERID, ASN1_PRINTABLESTRING},
69 {"DC", OID_PILOT_DOMAIN_COMPONENT, ASN1_PRINTABLESTRING},
70 {"CN", OID_COMMON_NAME, ASN1_PRINTABLESTRING},
71 {"S", OID_SURNAME, ASN1_PRINTABLESTRING},
72 {"SN", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
73 {"serialNumber", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
74 {"C", OID_COUNTRY, ASN1_PRINTABLESTRING},
75 {"L", OID_LOCALITY, ASN1_PRINTABLESTRING},
76 {"ST", OID_STATE_OR_PROVINCE, ASN1_PRINTABLESTRING},
77 {"O", OID_ORGANIZATION, ASN1_PRINTABLESTRING},
78 {"OU", OID_ORGANIZATION_UNIT, ASN1_PRINTABLESTRING},
79 {"T", OID_TITLE, ASN1_PRINTABLESTRING},
80 {"D", OID_DESCRIPTION, ASN1_PRINTABLESTRING},
81 {"N", OID_NAME, ASN1_PRINTABLESTRING},
82 {"G", OID_GIVEN_NAME, ASN1_PRINTABLESTRING},
83 {"I", OID_INITIALS, ASN1_PRINTABLESTRING},
84 {"ID", OID_UNIQUE_IDENTIFIER, ASN1_PRINTABLESTRING},
85 {"EN", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING},
86 {"employeeNumber", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING},
87 {"E", OID_EMAIL_ADDRESS, ASN1_IA5STRING},
88 {"Email", OID_EMAIL_ADDRESS, ASN1_IA5STRING},
89 {"emailAddress", OID_EMAIL_ADDRESS, ASN1_IA5STRING},
90 {"UN", OID_UNSTRUCTURED_NAME, ASN1_IA5STRING},
91 {"unstructuredName",OID_UNSTRUCTURED_NAME, ASN1_IA5STRING},
92 {"TCGID", OID_TCGID, ASN1_PRINTABLESTRING}
93 };
94
95 /**
96 * maximum number of RDNs in atodn()
97 */
98 #define RDN_MAX 20
99
100
101 typedef struct private_identification_t private_identification_t;
102
103 /**
104 * Private data of an identification_t object.
105 */
106 struct private_identification_t {
107 /**
108 * Public interface.
109 */
110 identification_t public;
111
112 /**
113 * Encoded representation of this ID.
114 */
115 chunk_t encoded;
116
117 /**
118 * Type of this ID.
119 */
120 id_type_t type;
121 };
122
123 /**
124 * Enumerator over RDNs
125 */
126 typedef struct {
127 /* implements enumerator interface */
128 enumerator_t public;
129 /* next set to parse, if any */
130 chunk_t sets;
131 /* next sequence in set, if any */
132 chunk_t seqs;
133 } rdn_enumerator_t;
134
135 METHOD(enumerator_t, rdn_enumerate, bool,
136 rdn_enumerator_t *this, chunk_t *oid, u_char *type, chunk_t *data)
137 {
138 chunk_t rdn;
139
140 /* a DN contains one or more SET, each containing one or more SEQUENCES,
141 * each containing a OID/value RDN */
142 if (!this->seqs.len)
143 {
144 /* no SEQUENCEs in current SET, parse next SET */
145 if (asn1_unwrap(&this->sets, &this->seqs) != ASN1_SET)
146 {
147 return FALSE;
148 }
149 }
150 if (asn1_unwrap(&this->seqs, &rdn) == ASN1_SEQUENCE &&
151 asn1_unwrap(&rdn, oid) == ASN1_OID)
152 {
153 int t = asn1_unwrap(&rdn, data);
154
155 if (t != ASN1_INVALID)
156 {
157 *type = t;
158 return TRUE;
159 }
160 }
161 return FALSE;
162 }
163
164 /**
165 * Create an enumerator over all RDNs (oid, string type, data) of a DN
166 */
167 static enumerator_t* create_rdn_enumerator(chunk_t dn)
168 {
169 rdn_enumerator_t *e;
170
171 INIT(e,
172 .public = {
173 .enumerate = (void*)_rdn_enumerate,
174 .destroy = (void*)free,
175 },
176 );
177
178 /* a DN is a SEQUENCE, get the first SET of it */
179 if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE)
180 {
181 e->seqs = chunk_empty;
182 return &e->public;
183 }
184 free(e);
185 return enumerator_create_empty();
186 }
187
188 /**
189 * Part enumerator over RDNs
190 */
191 typedef struct {
192 /* implements enumerator interface */
193 enumerator_t public;
194 /* inner RDN enumerator */
195 enumerator_t *inner;
196 } rdn_part_enumerator_t;
197
198 METHOD(enumerator_t, rdn_part_enumerate, bool,
199 rdn_part_enumerator_t *this, id_part_t *type, chunk_t *data)
200 {
201 int i, known_oid, strtype;
202 chunk_t oid, inner_data;
203 static const struct {
204 int oid;
205 id_part_t type;
206 } oid2part[] = {
207 {OID_COMMON_NAME, ID_PART_RDN_CN},
208 {OID_SURNAME, ID_PART_RDN_S},
209 {OID_SERIAL_NUMBER, ID_PART_RDN_SN},
210 {OID_COUNTRY, ID_PART_RDN_C},
211 {OID_LOCALITY, ID_PART_RDN_L},
212 {OID_STATE_OR_PROVINCE, ID_PART_RDN_ST},
213 {OID_ORGANIZATION, ID_PART_RDN_O},
214 {OID_ORGANIZATION_UNIT, ID_PART_RDN_OU},
215 {OID_TITLE, ID_PART_RDN_T},
216 {OID_DESCRIPTION, ID_PART_RDN_D},
217 {OID_NAME, ID_PART_RDN_N},
218 {OID_GIVEN_NAME, ID_PART_RDN_G},
219 {OID_INITIALS, ID_PART_RDN_I},
220 {OID_UNIQUE_IDENTIFIER, ID_PART_RDN_ID},
221 {OID_EMAIL_ADDRESS, ID_PART_RDN_E},
222 {OID_EMPLOYEE_NUMBER, ID_PART_RDN_EN},
223 };
224
225 while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data))
226 {
227 known_oid = asn1_known_oid(oid);
228 for (i = 0; i < countof(oid2part); i++)
229 {
230 if (oid2part[i].oid == known_oid)
231 {
232 *type = oid2part[i].type;
233 *data = inner_data;
234 return TRUE;
235 }
236 }
237 }
238 return FALSE;
239 }
240
241 METHOD(enumerator_t, rdn_part_enumerator_destroy, void,
242 rdn_part_enumerator_t *this)
243 {
244 this->inner->destroy(this->inner);
245 free(this);
246 }
247
248 METHOD(identification_t, create_part_enumerator, enumerator_t*,
249 private_identification_t *this)
250 {
251 switch (this->type)
252 {
253 case ID_DER_ASN1_DN:
254 {
255 rdn_part_enumerator_t *e;
256
257 INIT(e,
258 .inner = create_rdn_enumerator(this->encoded),
259 .public = {
260 .enumerate = (void*)_rdn_part_enumerate,
261 .destroy = _rdn_part_enumerator_destroy,
262 },
263 );
264 return &e->public;
265 }
266 case ID_RFC822_ADDR:
267 /* TODO */
268 case ID_FQDN:
269 /* TODO */
270 default:
271 return enumerator_create_empty();
272 }
273 }
274
275 /**
276 * Print a DN with all its RDN in a buffer to present it to the user
277 */
278 static void dntoa(chunk_t dn, char *buf, size_t len)
279 {
280 enumerator_t *e;
281 chunk_t oid_data, data, printable;
282 u_char type;
283 int oid, written;
284 bool finished = FALSE;
285
286 e = create_rdn_enumerator(dn);
287 while (e->enumerate(e, &oid_data, &type, &data))
288 {
289 oid = asn1_known_oid(oid_data);
290
291 if (oid == OID_UNKNOWN)
292 {
293 written = snprintf(buf, len, "%#B=", &oid_data);
294 }
295 else
296 {
297 written = snprintf(buf, len,"%s=", oid_names[oid].name);
298 }
299 if (written < 0 || written >= len)
300 {
301 break;
302 }
303 buf += written;
304 len -= written;
305
306 chunk_printable(data, &printable, '?');
307 written = snprintf(buf, len, "%.*s", printable.len, printable.ptr);
308 chunk_free(&printable);
309 if (written < 0 || written >= len)
310 {
311 break;
312 }
313 buf += written;
314 len -= written;
315
316 if (data.ptr + data.len != dn.ptr + dn.len)
317 {
318 written = snprintf(buf, len, ", ");
319 if (written < 0 || written >= len)
320 {
321 break;
322 }
323 buf += written;
324 len -= written;
325 }
326 else
327 {
328 finished = TRUE;
329 break;
330 }
331 }
332 if (!finished)
333 {
334 snprintf(buf, len, "(invalid ID_DER_ASN1_DN)");
335 }
336 e->destroy(e);
337 }
338
339 /**
340 * Converts an LDAP-style human-readable ASCII-encoded
341 * ASN.1 distinguished name into binary DER-encoded format
342 */
343 static status_t atodn(char *src, chunk_t *dn)
344 {
345 /* finite state machine for atodn */
346 typedef enum {
347 SEARCH_OID = 0,
348 READ_OID = 1,
349 SEARCH_NAME = 2,
350 READ_NAME = 3,
351 UNKNOWN_OID = 4
352 } state_t;
353
354 chunk_t oid = chunk_empty;
355 chunk_t name = chunk_empty;
356 chunk_t rdns[RDN_MAX];
357 int rdn_count = 0;
358 int dn_len = 0;
359 int whitespace = 0;
360 int i = 0;
361 asn1_t rdn_type;
362 state_t state = SEARCH_OID;
363 status_t status = SUCCESS;
364
365 do
366 {
367 switch (state)
368 {
369 case SEARCH_OID:
370 if (*src != ' ' && *src != '/' && *src != ',')
371 {
372 oid.ptr = src;
373 oid.len = 1;
374 state = READ_OID;
375 }
376 break;
377 case READ_OID:
378 if (*src != ' ' && *src != '=')
379 {
380 oid.len++;
381 }
382 else
383 {
384 bool found = FALSE;
385
386 for (i = 0; i < countof(x501rdns); i++)
387 {
388 if (strlen(x501rdns[i].name) == oid.len &&
389 strncasecmp(x501rdns[i].name, oid.ptr, oid.len) == 0)
390 {
391 found = TRUE;
392 break;
393 }
394 }
395 if (!found)
396 {
397 status = NOT_SUPPORTED;
398 state = UNKNOWN_OID;
399 break;
400 }
401 /* reset oid and change state */
402 oid = chunk_empty;
403 state = SEARCH_NAME;
404 }
405 break;
406 case SEARCH_NAME:
407 if (*src != ' ' && *src != '=')
408 {
409 name.ptr = src;
410 name.len = 1;
411 whitespace = 0;
412 state = READ_NAME;
413 }
414 break;
415 case READ_NAME:
416 if (*src != ',' && *src != '/' && *src != '\0')
417 {
418 name.len++;
419 if (*src == ' ')
420 whitespace++;
421 else
422 whitespace = 0;
423 }
424 else
425 {
426 name.len -= whitespace;
427 rdn_type = (x501rdns[i].type == ASN1_PRINTABLESTRING
428 && !asn1_is_printablestring(name))
429 ? ASN1_T61STRING : x501rdns[i].type;
430
431 if (rdn_count < RDN_MAX)
432 {
433 chunk_t rdn_oid;
434
435 rdn_oid = asn1_build_known_oid(x501rdns[i].oid);
436 if (rdn_oid.len)
437 {
438 rdns[rdn_count] =
439 asn1_wrap(ASN1_SET, "m",
440 asn1_wrap(ASN1_SEQUENCE, "mm",
441 rdn_oid,
442 asn1_wrap(rdn_type, "c", name)
443 )
444 );
445 dn_len += rdns[rdn_count++].len;
446 }
447 else
448 {
449 status = INVALID_ARG;
450 }
451 }
452 else
453 {
454 status = OUT_OF_RES;
455 }
456 /* reset name and change state */
457 name = chunk_empty;
458 state = SEARCH_OID;
459 }
460 break;
461 case UNKNOWN_OID:
462 break;
463 }
464 } while (*src++ != '\0');
465
466 /* build the distinguished name sequence */
467 {
468 int i;
469 u_char *pos = asn1_build_object(dn, ASN1_SEQUENCE, dn_len);
470
471 for (i = 0; i < rdn_count; i++)
472 {
473 memcpy(pos, rdns[i].ptr, rdns[i].len);
474 pos += rdns[i].len;
475 free(rdns[i].ptr);
476 }
477 }
478
479 if (status != SUCCESS)
480 {
481 free(dn->ptr);
482 *dn = chunk_empty;
483 }
484 return status;
485 }
486
487 METHOD(identification_t, get_encoding, chunk_t,
488 private_identification_t *this)
489 {
490 return this->encoded;
491 }
492
493 METHOD(identification_t, get_type, id_type_t,
494 private_identification_t *this)
495 {
496 return this->type;
497 }
498
499 METHOD(identification_t, contains_wildcards_dn, bool,
500 private_identification_t *this)
501 {
502 enumerator_t *enumerator;
503 bool contains = FALSE;
504 id_part_t type;
505 chunk_t data;
506
507 enumerator = create_part_enumerator(this);
508 while (enumerator->enumerate(enumerator, &type, &data))
509 {
510 if (data.len == 1 && data.ptr[0] == '*')
511 {
512 contains = TRUE;
513 break;
514 }
515 }
516 enumerator->destroy(enumerator);
517 return contains;
518 }
519
520 METHOD(identification_t, contains_wildcards_memchr, bool,
521 private_identification_t *this)
522 {
523 return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
524 }
525
526 METHOD(identification_t, equals_binary, bool,
527 private_identification_t *this, identification_t *other)
528 {
529 if (this->type == other->get_type(other))
530 {
531 if (this->type == ID_ANY)
532 {
533 return TRUE;
534 }
535 return chunk_equals(this->encoded, other->get_encoding(other));
536 }
537 return FALSE;
538 }
539
540 /**
541 * Compare to DNs, for equality if wc == NULL, for match otherwise
542 */
543 static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
544 {
545 enumerator_t *t, *o;
546 chunk_t t_oid, o_oid, t_data, o_data;
547 u_char t_type, o_type;
548 bool t_next, o_next, finished = FALSE;
549
550 if (wc)
551 {
552 *wc = 0;
553 }
554 else
555 {
556 if (t_dn.len != o_dn.len)
557 {
558 return FALSE;
559 }
560 }
561 /* try a binary compare */
562 if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len))
563 {
564 return TRUE;
565 }
566
567 t = create_rdn_enumerator(t_dn);
568 o = create_rdn_enumerator(o_dn);
569 while (TRUE)
570 {
571 t_next = t->enumerate(t, &t_oid, &t_type, &t_data);
572 o_next = o->enumerate(o, &o_oid, &o_type, &o_data);
573
574 if (!o_next && !t_next)
575 {
576 break;
577 }
578 finished = FALSE;
579 if (o_next != t_next)
580 {
581 break;
582 }
583 if (!chunk_equals(t_oid, o_oid))
584 {
585 break;
586 }
587 if (wc && o_data.len == 1 && o_data.ptr[0] == '*')
588 {
589 (*wc)++;
590 }
591 else
592 {
593 if (t_data.len != o_data.len)
594 {
595 break;
596 }
597 if (t_type == o_type &&
598 (t_type == ASN1_PRINTABLESTRING ||
599 (t_type == ASN1_IA5STRING &&
600 asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS)))
601 { /* ignore case for printableStrings and email RDNs */
602 if (strncasecmp(t_data.ptr, o_data.ptr, t_data.len) != 0)
603 {
604 break;
605 }
606 }
607 else
608 { /* respect case and length for everything else */
609 if (!memeq(t_data.ptr, o_data.ptr, t_data.len))
610 {
611 break;
612 }
613 }
614 }
615 /* the enumerator returns FALSE on parse error, we are finished
616 * if we have reached the end of the DN only */
617 if ((t_data.ptr + t_data.len == t_dn.ptr + t_dn.len) &&
618 (o_data.ptr + o_data.len == o_dn.ptr + o_dn.len))
619 {
620 finished = TRUE;
621 }
622 }
623 t->destroy(t);
624 o->destroy(o);
625 return finished;
626 }
627
628 METHOD(identification_t, equals_dn, bool,
629 private_identification_t *this, identification_t *other)
630 {
631 return compare_dn(this->encoded, other->get_encoding(other), NULL);
632 }
633
634 METHOD(identification_t, equals_strcasecmp, bool,
635 private_identification_t *this, identification_t *other)
636 {
637 chunk_t encoded = other->get_encoding(other);
638
639 /* we do some extra sanity checks to check for invalid IDs with a
640 * terminating null in it. */
641 if (this->encoded.len == encoded.len &&
642 memchr(this->encoded.ptr, 0, this->encoded.len) == NULL &&
643 memchr(encoded.ptr, 0, encoded.len) == NULL &&
644 strncasecmp(this->encoded.ptr, encoded.ptr, this->encoded.len) == 0)
645 {
646 return TRUE;
647 }
648 return FALSE;
649 }
650
651 METHOD(identification_t, matches_binary, id_match_t,
652 private_identification_t *this, identification_t *other)
653 {
654 if (other->get_type(other) == ID_ANY)
655 {
656 return ID_MATCH_ANY;
657 }
658 if (this->type == other->get_type(other) &&
659 chunk_equals(this->encoded, other->get_encoding(other)))
660 {
661 return ID_MATCH_PERFECT;
662 }
663 return ID_MATCH_NONE;
664 }
665
666 METHOD(identification_t, matches_string, id_match_t,
667 private_identification_t *this, identification_t *other)
668 {
669 chunk_t encoded = other->get_encoding(other);
670 u_int len = encoded.len;
671
672 if (other->get_type(other) == ID_ANY)
673 {
674 return ID_MATCH_ANY;
675 }
676 if (this->type != other->get_type(other))
677 {
678 return ID_MATCH_NONE;
679 }
680 /* try a equals check first */
681 if (equals_strcasecmp(this, other))
682 {
683 return ID_MATCH_PERFECT;
684 }
685 if (len == 0 || this->encoded.len < len)
686 {
687 return ID_MATCH_NONE;
688 }
689
690 /* check for single wildcard at the head of the string */
691 if (*encoded.ptr == '*')
692 {
693 /* single asterisk matches any string */
694 if (len-- == 1)
695 { /* not better than ID_ANY */
696 return ID_MATCH_ANY;
697 }
698 if (strncasecmp(this->encoded.ptr + this->encoded.len - len,
699 encoded.ptr + 1, len) == 0)
700 {
701 return ID_MATCH_ONE_WILDCARD;
702 }
703 }
704 return ID_MATCH_NONE;
705 }
706
707 METHOD(identification_t, matches_any, id_match_t,
708 private_identification_t *this, identification_t *other)
709 {
710 if (other->get_type(other) == ID_ANY)
711 {
712 return ID_MATCH_ANY;
713 }
714 return ID_MATCH_NONE;
715 }
716
717 METHOD(identification_t, matches_dn, id_match_t,
718 private_identification_t *this, identification_t *other)
719 {
720 int wc;
721
722 if (other->get_type(other) == ID_ANY)
723 {
724 return ID_MATCH_ANY;
725 }
726
727 if (this->type == other->get_type(other))
728 {
729 if (compare_dn(this->encoded, other->get_encoding(other), &wc))
730 {
731 wc = min(wc, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS);
732 return ID_MATCH_PERFECT - wc;
733 }
734 }
735 return ID_MATCH_NONE;
736 }
737
738 /**
739 * Described in header.
740 */
741 int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
742 const void *const *args)
743 {
744 private_identification_t *this = *((private_identification_t**)(args[0]));
745 chunk_t proper;
746 char buf[512];
747
748 if (this == NULL)
749 {
750 return print_in_hook(dst, len, "%*s", spec->width, "(null)");
751 }
752
753 switch (this->type)
754 {
755 case ID_ANY:
756 snprintf(buf, sizeof(buf), "%%any");
757 break;
758 case ID_IPV4_ADDR:
759 if (this->encoded.len < sizeof(struct in_addr) ||
760 inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL)
761 {
762 snprintf(buf, sizeof(buf), "(invalid ID_IPV4_ADDR)");
763 }
764 break;
765 case ID_IPV6_ADDR:
766 if (this->encoded.len < sizeof(struct in6_addr) ||
767 inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL)
768 {
769 snprintf(buf, sizeof(buf), "(invalid ID_IPV6_ADDR)");
770 }
771 break;
772 case ID_FQDN:
773 case ID_RFC822_ADDR:
774 case ID_DER_ASN1_GN_URI:
775 chunk_printable(this->encoded, &proper, '?');
776 snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
777 chunk_free(&proper);
778 break;
779 case ID_DER_ASN1_DN:
780 dntoa(this->encoded, buf, sizeof(buf));
781 break;
782 case ID_DER_ASN1_GN:
783 snprintf(buf, sizeof(buf), "(ASN.1 general Name");
784 break;
785 case ID_KEY_ID:
786 if (chunk_printable(this->encoded, NULL, '?') &&
787 this->encoded.len != HASH_SIZE_SHA1)
788 { /* fully printable, use ascii version */
789 snprintf(buf, sizeof(buf), "%.*s",
790 this->encoded.len, this->encoded.ptr);
791 }
792 else
793 { /* not printable, hex dump */
794 snprintf(buf, sizeof(buf), "%#B", &this->encoded);
795 }
796 break;
797 case ID_MYID:
798 snprintf(buf, sizeof(buf), "%%myid");
799 break;
800 default:
801 snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
802 break;
803 }
804 if (spec->minus)
805 {
806 return print_in_hook(dst, len, "%-*s", spec->width, buf);
807 }
808 return print_in_hook(dst, len, "%*s", spec->width, buf);
809 }
810
811 METHOD(identification_t, clone_, identification_t*,
812 private_identification_t *this)
813 {
814 private_identification_t *clone = malloc_thing(private_identification_t);
815
816 memcpy(clone, this, sizeof(private_identification_t));
817 if (this->encoded.len)
818 {
819 clone->encoded = chunk_clone(this->encoded);
820 }
821 return &clone->public;
822 }
823
824 METHOD(identification_t, destroy, void,
825 private_identification_t *this)
826 {
827 chunk_free(&this->encoded);
828 free(this);
829 }
830
831 /**
832 * Generic constructor used for the other constructors.
833 */
834 static private_identification_t *identification_create(id_type_t type)
835 {
836 private_identification_t *this;
837
838 INIT(this,
839 .public = {
840 .get_encoding = _get_encoding,
841 .get_type = _get_type,
842 .create_part_enumerator = _create_part_enumerator,
843 .clone = _clone_,
844 .destroy = _destroy,
845 },
846 .type = type,
847 );
848
849 switch (type)
850 {
851 case ID_ANY:
852 this->public.matches = _matches_any;
853 this->public.equals = _equals_binary;
854 this->public.contains_wildcards = return_true;
855 break;
856 case ID_FQDN:
857 case ID_RFC822_ADDR:
858 this->public.matches = _matches_string;
859 this->public.equals = _equals_strcasecmp;
860 this->public.contains_wildcards = _contains_wildcards_memchr;
861 break;
862 case ID_DER_ASN1_DN:
863 this->public.equals = _equals_dn;
864 this->public.matches = _matches_dn;
865 this->public.contains_wildcards = _contains_wildcards_dn;
866 break;
867 default:
868 this->public.equals = _equals_binary;
869 this->public.matches = _matches_binary;
870 this->public.contains_wildcards = return_false;
871 break;
872 }
873 return this;
874 }
875
876 /*
877 * Described in header.
878 */
879 identification_t *identification_create_from_string(char *string)
880 {
881 private_identification_t *this;
882 chunk_t encoded;
883
884 if (string == NULL)
885 {
886 string = "%any";
887 }
888 if (strchr(string, '=') != NULL)
889 {
890 /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN.
891 * convert from LDAP style or openssl x509 -subject style to ASN.1 DN
892 */
893 if (atodn(string, &encoded) == SUCCESS)
894 {
895 this = identification_create(ID_DER_ASN1_DN);
896 this->encoded = encoded;
897 }
898 else
899 {
900 this = identification_create(ID_KEY_ID);
901 this->encoded = chunk_clone(chunk_create(string, strlen(string)));
902 }
903 return &this->public;
904 }
905 else if (strchr(string, '@') == NULL)
906 {
907 if (streq(string, "%any")
908 || streq(string, "%any6")
909 || streq(string, "0.0.0.0")
910 || streq(string, "*")
911 || streq(string, "::")
912 || streq(string, "0::0"))
913 {
914 /* any ID will be accepted */
915 this = identification_create(ID_ANY);
916 return &this->public;
917 }
918 else
919 {
920 if (strchr(string, ':') == NULL)
921 {
922 struct in_addr address;
923 chunk_t chunk = {(void*)&address, sizeof(address)};
924
925 if (inet_pton(AF_INET, string, &address) > 0)
926 { /* is IPv4 */
927 this = identification_create(ID_IPV4_ADDR);
928 this->encoded = chunk_clone(chunk);
929 }
930 else
931 { /* not IPv4, mostly FQDN */
932 this = identification_create(ID_FQDN);
933 this->encoded.len = strlen(string);
934 if (this->encoded.len)
935 {
936 this->encoded.ptr = strdup(string);
937 }
938 }
939 return &this->public;
940 }
941 else
942 {
943 struct in6_addr address;
944 chunk_t chunk = {(void*)&address, sizeof(address)};
945
946 if (inet_pton(AF_INET6, string, &address) > 0)
947 { /* is IPv6 */
948 this = identification_create(ID_IPV6_ADDR);
949 this->encoded = chunk_clone(chunk);
950 }
951 else
952 { /* not IPv4/6 fallback to KEY_ID */
953 this = identification_create(ID_KEY_ID);
954 this->encoded.len = strlen(string);
955 if (this->encoded.len)
956 {
957 this->encoded.ptr = strdup(string);
958 }
959 }
960 return &this->public;
961 }
962 }
963 }
964 else
965 {
966 if (*string == '@')
967 {
968 if (*(string + 1) == '#')
969 {
970 this = identification_create(ID_KEY_ID);
971 string += 2;
972 this->encoded = chunk_from_hex(
973 chunk_create(string, strlen(string)), NULL);
974 return &this->public;
975 }
976 else
977 {
978 this = identification_create(ID_FQDN);
979 string += 1;
980 this->encoded.len = strlen(string);
981 if (this->encoded.len)
982 {
983 this->encoded.ptr = strdup(string);
984 }
985 return &this->public;
986 }
987 }
988 else
989 {
990 this = identification_create(ID_RFC822_ADDR);
991 this->encoded.len = strlen(string);
992 if (this->encoded.len)
993 {
994 this->encoded.ptr = strdup(string);
995 }
996 return &this->public;
997 }
998 }
999 }
1000
1001 /*
1002 * Described in header.
1003 */
1004 identification_t * identification_create_from_data(chunk_t data)
1005 {
1006 char buf[data.len + 1];
1007
1008 /* use string constructor */
1009 snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
1010 return identification_create_from_string(buf);
1011 }
1012
1013 /*
1014 * Described in header.
1015 */
1016 identification_t *identification_create_from_encoding(id_type_t type,
1017 chunk_t encoded)
1018 {
1019 private_identification_t *this = identification_create(type);
1020
1021 /* apply encoded chunk */
1022 if (type != ID_ANY)
1023 {
1024 this->encoded = chunk_clone(encoded);
1025 }
1026 return &(this->public);
1027 }
1028
1029 /*
1030 * Described in header.
1031 */
1032 identification_t *identification_create_from_sockaddr(sockaddr_t *sockaddr)
1033 {
1034 switch (sockaddr->sa_family)
1035 {
1036 case AF_INET:
1037 {
1038 struct in_addr *addr = &(((struct sockaddr_in*)sockaddr)->sin_addr);
1039
1040 return identification_create_from_encoding(ID_IPV4_ADDR,
1041 chunk_create((u_char*)addr, sizeof(struct in_addr)));
1042 }
1043 case AF_INET6:
1044 {
1045 struct in6_addr *addr = &(((struct sockaddr_in6*)sockaddr)->sin6_addr);
1046
1047 return identification_create_from_encoding(ID_IPV6_ADDR,
1048 chunk_create((u_char*)addr, sizeof(struct in6_addr)));
1049 }
1050 default:
1051 {
1052 private_identification_t *this = identification_create(ID_ANY);
1053
1054 return &(this->public);
1055 }
1056 }
1057 }
1058