projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
made backtrace() calls optional to support uClibc
[strongswan.git] / src / libstrongswan / utils / identification.c
1 /**
2 * @file identification.c
3 *
4 * @brief Implementation of identification_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #define _GNU_SOURCE
25 #include <sys/socket.h>
26 #include <netinet/in.h>
27 #include <arpa/inet.h>
28 #include <string.h>
29 #include <stdio.h>
30 #include <ctype.h>
31 #include <printf.h>
32
33 #include "identification.h"
34
35 #include <asn1/asn1.h>
36
37 ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
38 "ID_ANY",
39 "ID_IPV4_ADDR",
40 "ID_FQDN",
41 "ID_RFC822_ADDR",
42 "ID_IPV4_ADDR_SUBNET",
43 "ID_IPV6_ADDR",
44 "ID_IPV6_ADDR_SUBNET",
45 "ID_IPV4_ADDR_RANGE",
46 "ID_IPV6_ADDR_RANGE",
47 "ID_DER_ASN1_DN",
48 "ID_DER_ASN1_GN",
49 "ID_KEY_ID");
50 ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_DER_ASN1_GN_URI, ID_KEY_ID,
51 "ID_DER_ASN1_GN_URI");
52 ENUM_END(id_type_names, ID_DER_ASN1_GN_URI);
53
54
55 /**
56 * X.501 acronyms for well known object identifiers (OIDs)
57 */
58 static u_char oid_ND[] = {
59 0x02, 0x82, 0x06, 0x01, 0x0A, 0x07, 0x14
60 };
61 static u_char oid_UID[] = {
62 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x01
63 };
64 static u_char oid_DC[] = {
65 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19
66 };
67 static u_char oid_CN[] = {
68 0x55, 0x04, 0x03
69 };
70 static u_char oid_S[] = {
71 0x55, 0x04, 0x04
72 };
73 static u_char oid_SN[] = {
74 0x55, 0x04, 0x05
75 };
76 static u_char oid_C[] = {
77 0x55, 0x04, 0x06
78 };
79 static u_char oid_L[] = {
80 0x55, 0x04, 0x07
81 };
82 static u_char oid_ST[] = {
83 0x55, 0x04, 0x08
84 };
85 static u_char oid_O[] = {
86 0x55, 0x04, 0x0A
87 };
88 static u_char oid_OU[] = {
89 0x55, 0x04, 0x0B
90 };
91 static u_char oid_T[] = {
92 0x55, 0x04, 0x0C
93 };
94 static u_char oid_D[] = {
95 0x55, 0x04, 0x0D
96 };
97 static u_char oid_N[] = {
98 0x55, 0x04, 0x29
99 };
100 static u_char oid_G[] = {
101 0x55, 0x04, 0x2A
102 };
103 static u_char oid_I[] = {
104 0x55, 0x04, 0x2B
105 };
106 static u_char oid_ID[] = {
107 0x55, 0x04, 0x2D
108 };
109 static u_char oid_EN[] = {
110 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x42, 0x03, 0x01, 0x03
111 };
112 static u_char oid_E[] = {
113 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01
114 };
115 static u_char oid_UN[] = {
116 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x02
117 };
118 static u_char oid_TCGID[] = {
119 0x2B, 0x06, 0x01, 0x04, 0x01, 0x89, 0x31, 0x01, 0x01, 0x02, 0x02, 0x4B
120 };
121
122 /**
123 * coding of X.501 distinguished name
124 */
125 typedef struct {
126 const u_char *name;
127 chunk_t oid;
128 u_char type;
129 } x501rdn_t;
130
131 static const x501rdn_t x501rdns[] = {
132 {"ND", {oid_ND, 7}, ASN1_PRINTABLESTRING},
133 {"UID", {oid_UID, 10}, ASN1_PRINTABLESTRING},
134 {"DC", {oid_DC, 10}, ASN1_PRINTABLESTRING},
135 {"CN", {oid_CN, 3}, ASN1_PRINTABLESTRING},
136 {"S", {oid_S, 3}, ASN1_PRINTABLESTRING},
137 {"SN", {oid_SN, 3}, ASN1_PRINTABLESTRING},
138 {"serialNumber", {oid_SN, 3}, ASN1_PRINTABLESTRING},
139 {"C", {oid_C, 3}, ASN1_PRINTABLESTRING},
140 {"L", {oid_L, 3}, ASN1_PRINTABLESTRING},
141 {"ST", {oid_ST, 3}, ASN1_PRINTABLESTRING},
142 {"O", {oid_O, 3}, ASN1_PRINTABLESTRING},
143 {"OU", {oid_OU, 3}, ASN1_PRINTABLESTRING},
144 {"T", {oid_T, 3}, ASN1_PRINTABLESTRING},
145 {"D", {oid_D, 3}, ASN1_PRINTABLESTRING},
146 {"N", {oid_N, 3}, ASN1_PRINTABLESTRING},
147 {"G", {oid_G, 3}, ASN1_PRINTABLESTRING},
148 {"I", {oid_I, 3}, ASN1_PRINTABLESTRING},
149 {"ID", {oid_ID, 3}, ASN1_PRINTABLESTRING},
150 {"EN", {oid_EN, 10}, ASN1_PRINTABLESTRING},
151 {"employeeNumber", {oid_EN, 10}, ASN1_PRINTABLESTRING},
152 {"E", {oid_E, 9}, ASN1_IA5STRING},
153 {"Email", {oid_E, 9}, ASN1_IA5STRING},
154 {"emailAddress", {oid_E, 9}, ASN1_IA5STRING},
155 {"UN", {oid_UN, 9}, ASN1_IA5STRING},
156 {"unstructuredName",{oid_UN, 9}, ASN1_IA5STRING},
157 {"TCGID", {oid_TCGID, 12}, ASN1_PRINTABLESTRING}
158 };
159 #define X501_RDN_ROOF 26
160
161 /**
162 * maximum number of RDNs in atodn()
163 */
164 #define RDN_MAX 20
165
166
167 typedef struct private_identification_t private_identification_t;
168
169 /**
170 * Private data of an identification_t object.
171 */
172 struct private_identification_t {
173 /**
174 * Public interface.
175 */
176 identification_t public;
177
178 /**
179 * Encoded representation of this ID.
180 */
181 chunk_t encoded;
182
183 /**
184 * Type of this ID.
185 */
186 id_type_t type;
187 };
188
189 static private_identification_t *identification_create(void);
190
191 /**
192 * updates a chunk (!????)
193 * TODO: We should reconsider this stuff, its not really clear
194 */
195 static void update_chunk(chunk_t *ch, int n)
196 {
197 n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
198 ch->ptr += n; ch->len -= n;
199 }
200
201 /**
202 * Prints a binary string in hexadecimal form
203 */
204 void hex_str(chunk_t bin, chunk_t *str)
205 {
206 u_int i;
207 update_chunk(str, snprintf(str->ptr,str->len,"0x"));
208 for (i = 0; i < bin.len; i++)
209 {
210 update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++));
211 }
212 }
213
214 /**
215 * Remove any malicious characters from a chunk. We are very restrictive, but
216 * whe use these strings only to present it to the user.
217 */
218 static chunk_t sanitize_chunk(chunk_t chunk)
219 {
220 char *pos;
221 chunk_t clone = chunk_clone(chunk);
222
223 for (pos = clone.ptr; pos < (char*)(clone.ptr + clone.len); pos++)
224 {
225 switch (*pos)
226 {
227 case '\0':
228 case ' ':
229 case '*':
230 case '-':
231 case '.':
232 case '/':
233 case '0' ... '9':
234 case ':':
235 case '=':
236 case '@':
237 case 'A' ... 'Z':
238 case '_':
239 case 'a' ... 'z':
240 break;
241 default:
242 *pos = '?';
243 }
244 }
245 return clone;
246 }
247
248 /**
249 * Pointer is set to the first RDN in a DN
250 */
251 static status_t init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
252 {
253 *rdn = chunk_empty;
254 *attribute = chunk_empty;
255
256 /* a DN is a SEQUENCE OF RDNs */
257 if (*dn.ptr != ASN1_SEQUENCE)
258 {
259 /* DN is not a SEQUENCE */
260 return FAILED;
261 }
262
263 rdn->len = asn1_length(&dn);
264
265 if (rdn->len == ASN1_INVALID_LENGTH)
266 {
267 /* Invalid RDN length */
268 return FAILED;
269 }
270
271 rdn->ptr = dn.ptr;
272
273 /* are there any RDNs ? */
274 *next = rdn->len > 0;
275
276 return SUCCESS;
277 }
278
279 /**
280 * Fetches the next RDN in a DN
281 */
282 static status_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value, asn1_t *type, bool *next)
283 {
284 chunk_t body;
285
286 /* initialize return values */
287 *oid = chunk_empty;
288 *value = chunk_empty;
289
290 /* if all attributes have been parsed, get next rdn */
291 if (attribute->len <= 0)
292 {
293 /* an RDN is a SET OF attributeTypeAndValue */
294 if (*rdn->ptr != ASN1_SET)
295 {
296 /* RDN is not a SET */
297 return FAILED;
298 }
299 attribute->len = asn1_length(rdn);
300 if (attribute->len == ASN1_INVALID_LENGTH)
301 {
302 /* Invalid attribute length */
303 return FAILED;
304 }
305 attribute->ptr = rdn->ptr;
306 /* advance to start of next RDN */
307 rdn->ptr += attribute->len;
308 rdn->len -= attribute->len;
309 }
310
311 /* an attributeTypeAndValue is a SEQUENCE */
312 if (*attribute->ptr != ASN1_SEQUENCE)
313 {
314 /* attributeTypeAndValue is not a SEQUENCE */
315 return FAILED;
316 }
317
318 /* extract the attribute body */
319 body.len = asn1_length(attribute);
320
321 if (body.len == ASN1_INVALID_LENGTH)
322 {
323 /* Invalid attribute body length */
324 return FAILED;
325 }
326
327 body.ptr = attribute->ptr;
328
329 /* advance to start of next attribute */
330 attribute->ptr += body.len;
331 attribute->len -= body.len;
332
333 /* attribute type is an OID */
334 if (*body.ptr != ASN1_OID)
335 {
336 /* attributeType is not an OID */
337 return FAILED;
338 }
339 /* extract OID */
340 oid->len = asn1_length(&body);
341
342 if (oid->len == ASN1_INVALID_LENGTH)
343 {
344 /* Invalid attribute OID length */
345 return FAILED;
346 }
347 oid->ptr = body.ptr;
348
349 /* advance to the attribute value */
350 body.ptr += oid->len;
351 body.len -= oid->len;
352
353 /* extract string type */
354 *type = *body.ptr;
355
356 /* extract string value */
357 value->len = asn1_length(&body);
358
359 if (value->len == ASN1_INVALID_LENGTH)
360 {
361 /* Invalid attribute string length */
362 return FAILED;
363 }
364 value->ptr = body.ptr;
365
366 /* are there any RDNs left? */
367 *next = rdn->len > 0 || attribute->len > 0;
368 return SUCCESS;
369 }
370
371 /**
372 * Parses an ASN.1 distinguished name int its OID/value pairs
373 */
374 static status_t dntoa(chunk_t dn, chunk_t *str)
375 {
376 chunk_t rdn, oid, attribute, value, proper;
377 asn1_t type;
378 int oid_code;
379 bool next;
380 bool first = TRUE;
381
382 status_t status = init_rdn(dn, &rdn, &attribute, &next);
383
384 if (status != SUCCESS)
385 return status;
386
387 while (next)
388 {
389 status = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
390
391 if (status != SUCCESS)
392 return status;
393
394 if (first)
395 { /* first OID/value pair */
396 first = FALSE;
397 }
398 else
399 { /* separate OID/value pair by a comma */
400 update_chunk(str, snprintf(str->ptr,str->len,", "));
401 }
402
403 /* print OID */
404 oid_code = known_oid(oid);
405 if (oid_code == OID_UNKNOWN)
406 { /* OID not found in list */
407 hex_str(oid, str);
408 }
409 else
410 {
411 update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name));
412 }
413 /* print value */
414 proper = sanitize_chunk(value);
415 update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr));
416 chunk_free(&proper);
417 }
418 return SUCCESS;
419 }
420
421 /**
422 * compare two distinguished names by
423 * comparing the individual RDNs
424 */
425 static bool same_dn(chunk_t a, chunk_t b)
426 {
427 chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
428 chunk_t oid_a, oid_b, value_a, value_b;
429 asn1_t type_a, type_b;
430 bool next_a, next_b;
431
432 /* same lengths for the DNs */
433 if (a.len != b.len)
434 return FALSE;
435
436 /* try a binary comparison first */
437 if (memeq(a.ptr, b.ptr, b.len))
438 return TRUE;
439
440 /* initialize DN parsing */
441 if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != SUCCESS
442 || init_rdn(b, &rdn_b, &attribute_b, &next_b) != SUCCESS)
443 {
444 return FALSE;
445 }
446
447 /* fetch next RDN pair */
448 while (next_a && next_b)
449 {
450 /* parse next RDNs and check for errors */
451 if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != SUCCESS
452 || get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != SUCCESS)
453 {
454 return FALSE;
455 }
456
457 /* OIDs must agree */
458 if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
459 return FALSE;
460
461 /* same lengths for values */
462 if (value_a.len != value_b.len)
463 return FALSE;
464
465 /* printableStrings and email RDNs require uppercase comparison */
466 if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING
467 || (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
468 {
469 if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
470 return FALSE;
471 }
472 else
473 {
474 if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
475 return FALSE;
476 }
477 }
478 /* both DNs must have same number of RDNs */
479 if (next_a || next_b)
480 return FALSE;
481
482 /* the two DNs are equal! */
483 return TRUE;
484 }
485
486
487 /**
488 * compare two distinguished names by comparing the individual RDNs.
489 * A single'*' character designates a wildcard RDN in DN b.
490 * TODO: Add support for different RDN order in DN !!
491 */
492 bool match_dn(chunk_t a, chunk_t b, int *wildcards)
493 {
494 chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
495 chunk_t oid_a, oid_b, value_a, value_b;
496 asn1_t type_a, type_b;
497 bool next_a, next_b;
498
499 /* initialize wildcard counter */
500 *wildcards = 0;
501
502 /* initialize DN parsing */
503 if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != SUCCESS
504 || init_rdn(b, &rdn_b, &attribute_b, &next_b) != SUCCESS)
505 {
506 return FALSE;
507 }
508
509 /* fetch next RDN pair */
510 while (next_a && next_b)
511 {
512 /* parse next RDNs and check for errors */
513 if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != SUCCESS
514 || get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != SUCCESS)
515 {
516 return FALSE;
517 }
518 /* OIDs must agree */
519 if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
520 return FALSE;
521
522 /* does rdn_b contain a wildcard? */
523 if (value_b.len == 1 && *value_b.ptr == '*')
524 {
525 (*wildcards)++;
526 continue;
527 }
528 /* same lengths for values */
529 if (value_a.len != value_b.len)
530 return FALSE;
531
532 /* printableStrings and email RDNs require uppercase comparison */
533 if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING
534 || (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
535 {
536 if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
537 return FALSE;
538 }
539 else
540 {
541 if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
542 return FALSE;
543 }
544 }
545 /* both DNs must have same number of RDNs */
546 if (next_a || next_b)
547 {
548 return FALSE;
549 }
550
551 /* the two DNs match! */
552 *wildcards = min(*wildcards, MAX_WILDCARDS);
553 return TRUE;
554 }
555
556 /**
557 * Converts an LDAP-style human-readable ASCII-encoded
558 * ASN.1 distinguished name into binary DER-encoded format
559 */
560 static status_t atodn(char *src, chunk_t *dn)
561 {
562 /* finite state machine for atodn */
563 typedef enum {
564 SEARCH_OID = 0,
565 READ_OID = 1,
566 SEARCH_NAME = 2,
567 READ_NAME = 3,
568 UNKNOWN_OID = 4
569 } state_t;
570
571 chunk_t oid = chunk_empty;
572 chunk_t name = chunk_empty;
573 chunk_t rdns[RDN_MAX];
574 int rdn_count = 0;
575 int dn_len = 0;
576 int whitespace = 0;
577 int i = 0;
578 asn1_t rdn_type;
579 state_t state = SEARCH_OID;
580 status_t status = SUCCESS;
581
582 do
583 {
584 switch (state)
585 {
586 case SEARCH_OID:
587 if (*src != ' ' && *src != '/' && *src != ',')
588 {
589 oid.ptr = src;
590 oid.len = 1;
591 state = READ_OID;
592 }
593 break;
594 case READ_OID:
595 if (*src != ' ' && *src != '=')
596 {
597 oid.len++;
598 }
599 else
600 {
601 for (i = 0; i < X501_RDN_ROOF; i++)
602 {
603 if (strlen(x501rdns[i].name) == oid.len
604 && strncasecmp(x501rdns[i].name, oid.ptr, oid.len) == 0)
605 {
606 break; /* found a valid OID */
607 }
608 }
609 if (i == X501_RDN_ROOF)
610 {
611 status = NOT_SUPPORTED;
612 state = UNKNOWN_OID;
613 break;
614 }
615 /* reset oid and change state */
616 oid = chunk_empty;
617 state = SEARCH_NAME;
618 }
619 break;
620 case SEARCH_NAME:
621 if (*src != ' ' && *src != '=')
622 {
623 name.ptr = src;
624 name.len = 1;
625 whitespace = 0;
626 state = READ_NAME;
627 }
628 break;
629 case READ_NAME:
630 if (*src != ',' && *src != '/' && *src != '\0')
631 {
632 name.len++;
633 if (*src == ' ')
634 whitespace++;
635 else
636 whitespace = 0;
637 }
638 else
639 {
640 name.len -= whitespace;
641 rdn_type = (x501rdns[i].type == ASN1_PRINTABLESTRING
642 && !is_printablestring(name))? ASN1_T61STRING : x501rdns[i].type;
643
644 if (rdn_count < RDN_MAX)
645 {
646 rdns[rdn_count] =
647 asn1_wrap(ASN1_SET, "m",
648 asn1_wrap(ASN1_SEQUENCE, "mm",
649 asn1_wrap(ASN1_OID, "c", x501rdns[i].oid),
650 asn1_wrap(rdn_type, "c", name)
651 )
652 );
653 dn_len += rdns[rdn_count++].len;
654 }
655 else
656 {
657 status = OUT_OF_RES;
658 }
659 /* reset name and change state */
660 name = chunk_empty;
661 state = SEARCH_OID;
662 }
663 break;
664 case UNKNOWN_OID:
665 break;
666 }
667 } while (*src++ != '\0');
668
669 /* build the distinguished name sequence */
670 {
671 int i;
672 u_char *pos = build_asn1_object(dn, ASN1_SEQUENCE, dn_len);
673
674 for (i = 0; i < rdn_count; i++)
675 {
676 memcpy(pos, rdns[i].ptr, rdns[i].len);
677 pos += rdns[i].len;
678 free(rdns[i].ptr);
679 }
680 }
681
682 if (status != SUCCESS)
683 {
684 free(dn->ptr);
685 *dn = chunk_empty;
686 }
687 return status;
688 }
689
690 /**
691 * Implementation of identification_t.get_encoding.
692 */
693 static chunk_t get_encoding(private_identification_t *this)
694 {
695 return this->encoded;
696 }
697
698 /**
699 * Implementation of identification_t.get_type.
700 */
701 static id_type_t get_type(private_identification_t *this)
702 {
703 return this->type;
704 }
705
706 /**
707 * Implementation of identification_t.contains_wildcards.
708 */
709 static bool contains_wildcards(private_identification_t *this)
710 {
711 switch (this->type)
712 {
713 case ID_ANY:
714 return TRUE;
715 case ID_FQDN:
716 case ID_RFC822_ADDR:
717 return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
718 case ID_DER_ASN1_DN:
719 /* TODO */
720 default:
721 return FALSE;
722
723 }
724 }
725
726 /**
727 * Default implementation of identification_t.equals.
728 * compares encoded chunk for equality.
729 */
730 static bool equals_binary(private_identification_t *this, private_identification_t *other)
731 {
732 return this->type == other->type &&
733 chunk_equals(this->encoded, other->encoded);
734 }
735
736 /**
737 * Special implementation of identification_t.equals for ID_DER_ASN1_DN.
738 */
739 static bool equals_dn(private_identification_t *this,
740 private_identification_t *other)
741 {
742 return same_dn(this->encoded, other->encoded);
743 }
744
745 /**
746 * Default implementation of identification_t.matches.
747 */
748 static bool matches_binary(private_identification_t *this,
749 private_identification_t *other, int *wildcards)
750 {
751 if (other->type == ID_ANY)
752 {
753 *wildcards = MAX_WILDCARDS;
754 return TRUE;
755 }
756 *wildcards = 0;
757 return this->type == other->type &&
758 chunk_equals(this->encoded, other->encoded);
759 }
760
761 /**
762 * Special implementation of identification_t.matches for ID_RFC822_ADDR/ID_FQDN.
763 * Checks for a wildcard in other-string, and compares it against this-string.
764 */
765 static bool matches_string(private_identification_t *this,
766 private_identification_t *other, int *wildcards)
767 {
768 u_int len = other->encoded.len;
769
770 if (other->type == ID_ANY)
771 {
772 *wildcards = MAX_WILDCARDS;
773 return TRUE;
774 }
775
776 if (this->type != other->type)
777 return FALSE;
778
779 /* try a binary comparison first */
780 if (equals_binary(this, other))
781 {
782 *wildcards = 0;
783 return TRUE;
784 }
785
786 if (len == 0 || this->encoded.len < len)
787 return FALSE;
788
789 /* check for single wildcard at the head of the string */
790 if (*other->encoded.ptr == '*')
791 {
792 *wildcards = 1;
793
794 /* single asterisk matches any string */
795 if (len-- == 1)
796 return TRUE;
797
798 if (memeq(this->encoded.ptr + this->encoded.len - len, other->encoded.ptr + 1, len))
799 return TRUE;
800 }
801
802 return FALSE;
803 }
804
805 /**
806 * Special implementation of identification_t.matches for ID_ANY.
807 * ANY matches only another ANY, but nothing other
808 */
809 static bool matches_any(private_identification_t *this,
810 private_identification_t *other, int *wildcards)
811 {
812 *wildcards = 0;
813 return other->type == ID_ANY;
814 }
815
816 /**
817 * Special implementation of identification_t.matches for ID_DER_ASN1_DN.
818 * ANY matches any, even ANY, thats why its there...
819 */
820 static bool matches_dn(private_identification_t *this,
821 private_identification_t *other, int *wildcards)
822 {
823 if (other->type == ID_ANY)
824 {
825 *wildcards = MAX_WILDCARDS;
826 return TRUE;
827 }
828
829 if (this->type == other->type)
830 {
831 return match_dn(this->encoded, other->encoded, wildcards);
832 }
833 return FALSE;
834 }
835
836 /**
837 * output handler in printf()
838 */
839 static int print(FILE *stream, const struct printf_info *info,
840 const void *const *args)
841 {
842 private_identification_t *this = *((private_identification_t**)(args[0]));
843 char buf[BUF_LEN];
844 chunk_t proper, buf_chunk = chunk_from_buf(buf);
845 int written;
846
847 if (this == NULL)
848 {
849 return fprintf(stream, "(null)");
850 }
851
852 switch (this->type)
853 {
854 case ID_ANY:
855 return fprintf(stream, "%%any");
856 case ID_IPV4_ADDR:
857 if (this->encoded.len < sizeof(struct in_addr) ||
858 inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL)
859 {
860 return fprintf(stream, "(invalid ID_IPV4_ADDR)");
861 }
862 else
863 {
864 return fprintf(stream, "%s", buf);
865 }
866 case ID_IPV6_ADDR:
867 if (this->encoded.len < sizeof(struct in6_addr) ||
868 inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL)
869 {
870 return fprintf(stream, "(invalid ID_IPV6_ADDR)");
871 }
872 else
873 {
874 return fprintf(stream, "%s", buf);
875 }
876 case ID_FQDN:
877 {
878 proper = sanitize_chunk(this->encoded);
879 written = fprintf(stream, "@%.*s", proper.len, proper.ptr);
880 chunk_free(&proper);
881 return written;
882 }
883 case ID_RFC822_ADDR:
884 {
885 proper = sanitize_chunk(this->encoded);
886 written = fprintf(stream, "%.*s", proper.len, proper.ptr);
887 chunk_free(&proper);
888 return written;
889 }
890 case ID_DER_ASN1_DN:
891 {
892 snprintf(buf, sizeof(buf), "%.*s", this->encoded.len, this->encoded.ptr);
893 /* TODO: whats returned on failure?*/
894 dntoa(this->encoded, &buf_chunk);
895 return fprintf(stream, "%s", buf);
896 }
897 case ID_DER_ASN1_GN:
898 return fprintf(stream, "(ASN.1 general Name");
899 case ID_KEY_ID:
900 return fprintf(stream, "(KEY_ID)");
901 case ID_DER_ASN1_GN_URI:
902 {
903 proper = sanitize_chunk(this->encoded);
904 written = fprintf(stream, "%.*s", proper.len, proper.ptr);
905 chunk_free(&proper);
906 return written;
907 }
908 default:
909 return fprintf(stream, "(unknown ID type: %d)", this->type);
910 }
911 }
912
913 /**
914 * register printf() handlers
915 */
916 static void __attribute__ ((constructor))print_register()
917 {
918 register_printf_function(PRINTF_IDENTIFICATION, print, arginfo_ptr);
919 }
920
921 /**
922 * Implementation of identification_t.clone.
923 */
924 static identification_t *clone(private_identification_t *this)
925 {
926 private_identification_t *clone = identification_create();
927
928 clone->type = this->type;
929 clone->encoded = chunk_clone(this->encoded);
930 clone->public.equals = this->public.equals;
931 clone->public.matches = this->public.matches;
932
933 return &clone->public;
934 }
935
936 /**
937 * Implementation of identification_t.destroy.
938 */
939 static void destroy(private_identification_t *this)
940 {
941 chunk_free(&this->encoded);
942 free(this);
943 }
944
945 /**
946 * Generic constructor used for the other constructors.
947 */
948 static private_identification_t *identification_create(void)
949 {
950 private_identification_t *this = malloc_thing(private_identification_t);
951
952 this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
953 this->public.get_type = (id_type_t (*) (identification_t*))get_type;
954 this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards;
955 this->public.clone = (identification_t* (*) (identification_t*))clone;
956 this->public.destroy = (void (*) (identification_t*))destroy;
957 /* we use these as defaults, the may be overloaded for special ID types */
958 this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
959 this->public.matches = (bool (*) (identification_t*,identification_t*,int*))matches_binary;
960
961 this->encoded = chunk_empty;
962
963 return this;
964 }
965
966 /*
967 * Described in header.
968 */
969 identification_t *identification_create_from_string(char *string)
970 {
971 private_identification_t *this = identification_create();
972
973 if (string == NULL)
974 {
975 string = "%any";
976 }
977 if (strchr(string, '=') != NULL)
978 {
979 /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN.
980 * convert from LDAP style or openssl x509 -subject style to ASN.1 DN
981 */
982 if (atodn(string, &this->encoded) != SUCCESS)
983 {
984 free(this);
985 return NULL;
986 }
987 this->type = ID_DER_ASN1_DN;
988 this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn;
989 this->public.matches = (bool (*) (identification_t*,identification_t*,int*))matches_dn;
990 return &this->public;
991 }
992 else if (strchr(string, '@') == NULL)
993 {
994 if (streq(string, "%any")
995 || streq(string, "0.0.0.0")
996 || streq(string, "*")
997 || streq(string, "::")
998 || streq(string, "0::0"))
999 {
1000 /* any ID will be accepted */
1001 this->type = ID_ANY;
1002 this->public.matches = (bool (*)
1003 (identification_t*,identification_t*,int*))matches_any;
1004 return &this->public;
1005 }
1006 else
1007 {
1008 if (strchr(string, ':') == NULL)
1009 {
1010 /* try IPv4 */
1011 struct in_addr address;
1012 chunk_t chunk = {(void*)&address, sizeof(address)};
1013
1014 if (inet_pton(AF_INET, string, &address) <= 0)
1015 {
1016 free(this);
1017 return NULL;
1018 }
1019 this->encoded = chunk_clone(chunk);
1020 this->type = ID_IPV4_ADDR;
1021 return &(this->public);
1022 }
1023 else
1024 {
1025 /* try IPv6 */
1026 struct in6_addr address;
1027 chunk_t chunk = {(void*)&address, sizeof(address)};
1028
1029 if (inet_pton(AF_INET6, string, &address) <= 0)
1030 {
1031 free(this);
1032 return NULL;
1033 }
1034 this->encoded = chunk_clone(chunk);
1035 this->type = ID_IPV6_ADDR;
1036 return &(this->public);
1037 }
1038 }
1039 }
1040 else
1041 {
1042 if (*string == '@')
1043 {
1044 if (*(string + 1) == '#')
1045 {
1046 /* TODO: Pluto handles '#' as hex encoded ID_KEY_ID. */
1047 free(this);
1048 return NULL;
1049 }
1050 else
1051 {
1052 this->type = ID_FQDN;
1053 this->encoded.ptr = strdup(string + 1);
1054 this->encoded.len = strlen(string + 1);
1055 this->public.matches = (bool (*)
1056 (identification_t*,identification_t*,int*))matches_string;
1057 return &(this->public);
1058 }
1059 }
1060 else
1061 {
1062 this->type = ID_RFC822_ADDR;
1063 this->encoded.ptr = strdup(string);
1064 this->encoded.len = strlen(string);
1065 this->public.matches = (bool (*)
1066 (identification_t*,identification_t*,int*))matches_string;
1067 return &(this->public);
1068 }
1069 }
1070 }
1071
1072 /*
1073 * Described in header.
1074 */
1075 identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded)
1076 {
1077 private_identification_t *this = identification_create();
1078 this->type = type;
1079 switch (type)
1080 {
1081 case ID_ANY:
1082 this->public.matches = (bool (*)
1083 (identification_t*,identification_t*,int*))matches_any;
1084 break;
1085 case ID_FQDN:
1086 this->public.matches = (bool (*)
1087 (identification_t*,identification_t*,int*))matches_string;
1088 break;
1089 case ID_RFC822_ADDR:
1090 this->public.matches = (bool (*)
1091 (identification_t*,identification_t*,int*))matches_string;
1092 break;
1093 case ID_DER_ASN1_DN:
1094 this->public.equals = (bool (*)
1095 (identification_t*,identification_t*))equals_dn;
1096 this->public.matches = (bool (*)
1097 (identification_t*,identification_t*,int*))matches_dn;
1098 break;
1099 case ID_IPV4_ADDR:
1100 case ID_IPV6_ADDR:
1101 case ID_DER_ASN1_GN:
1102 case ID_KEY_ID:
1103 case ID_DER_ASN1_GN_URI:
1104 default:
1105 break;
1106 }
1107
1108 /* apply encoded chunk */
1109 if (type != ID_ANY)
1110 {
1111 this->encoded = chunk_clone(encoded);
1112 }
1113 return &(this->public);
1114 }
strongSwan - IPsec VPN