Use the group constraint in a more generic fashion, not only for attribute certificates
authorMartin Willi <martin@revosec.ch>
Mon, 28 Jun 2010 13:46:13 +0000 (15:46 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 5 Jul 2010 07:41:04 +0000 (09:41 +0200)
src/libcharon/config/auth_cfg.c
src/libcharon/config/auth_cfg.h
src/libcharon/plugins/stroke/stroke_config.c
src/libcharon/plugins/stroke/stroke_list.c
src/libstrongswan/utils/identification.c
src/libstrongswan/utils/identification.h

index 94362c7..6f249e8 100644 (file)
@@ -32,7 +32,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
        "RULE_SUBJECT_CERT",
        "RULE_CRL_VALIDATION",
        "RULE_OCSP_VALIDATION",
-       "RULE_AC_GROUP",
+       "RULE_GROUP",
        "HELPER_IM_CERT",
        "HELPER_SUBJECT_CERT",
        "HELPER_IM_HASH_URL",
@@ -128,7 +128,7 @@ static void destroy_entry_value(entry_t *entry)
        {
                case AUTH_RULE_IDENTITY:
                case AUTH_RULE_EAP_IDENTITY:
-               case AUTH_RULE_AC_GROUP:
+               case AUTH_RULE_GROUP:
                {
                        identification_t *id = (identification_t*)entry->value;
                        id->destroy(id);
@@ -185,7 +185,7 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
                                break;
                        case AUTH_RULE_IDENTITY:
                        case AUTH_RULE_EAP_IDENTITY:
-                       case AUTH_RULE_AC_GROUP:
+                       case AUTH_RULE_GROUP:
                        case AUTH_RULE_CA_CERT:
                        case AUTH_RULE_IM_CERT:
                        case AUTH_RULE_SUBJECT_CERT:
@@ -250,7 +250,7 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
                        return (void*)VALIDATION_FAILED;
                case AUTH_RULE_IDENTITY:
                case AUTH_RULE_EAP_IDENTITY:
-               case AUTH_RULE_AC_GROUP:
+               case AUTH_RULE_GROUP:
                case AUTH_RULE_CA_CERT:
                case AUTH_RULE_IM_CERT:
                case AUTH_RULE_SUBJECT_CERT:
@@ -285,7 +285,7 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
                        break;
                case AUTH_RULE_IDENTITY:
                case AUTH_RULE_EAP_IDENTITY:
-               case AUTH_RULE_AC_GROUP:
+               case AUTH_RULE_GROUP:
                case AUTH_RULE_CA_CERT:
                case AUTH_RULE_IM_CERT:
                case AUTH_RULE_SUBJECT_CERT:
@@ -459,13 +459,20 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                                }
                                break;
                        }
-                       case AUTH_RULE_AC_GROUP:
+                       case AUTH_RULE_GROUP:
                        {
-                               success = FALSE;
-                               if (log_error)
+                               identification_t *id1, *id2;
+
+                               id1 = (identification_t*)value;
+                               id2 = get(this, t1);
+                               if (!id2 || !id2->matches(id2, id1))
                                {
-                                       DBG1(DBG_CFG, "constraint check %N not implemented!",
-                                                auth_rule_names, t1);
+                                       success = FALSE;
+                                       if (log_error)
+                                       {
+                                               DBG1(DBG_CFG, "constraint check failed: membership to "
+                                                        "group '%Y' required", id1);
+                                       }
                                }
                                break;
                        }
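Review bot: `id2 = get(this, t1)` on the new side fetches only the first AUTH_RULE_GROUP entry of the subject's config, so a peer that holds several group memberships (stroke_config.c in this same commit adds one AUTH_RULE_GROUP entry per comma-separated group) is only ever compared against its first group and fails the check for any other required group. The constraint should be satisfied when any of the subject's group entries matches `id1`; the rewrite below walks all entries through the public enumerator the way stroke_list.c does, assuming the usual `public` member on private_auth_cfg_t. The direction `id2->matches(id2, id1)` (subject matched against the constraint pattern) is kept as is. complies() begins before this hunk and the handling of `success` across several constraints is outside it, so whether multiple AUTH_RULE_GROUP constraints are AND-ed is not visible here.
```c
case AUTH_RULE_GROUP:
{
	identification_t *id1, *id2;
	enumerator_t *groups;
	auth_rule_t t2;
	bool member = FALSE;

	id1 = (identification_t*)value;
	/* the subject may carry several AUTH_RULE_GROUP entries; get() returns
	 * only the first, so walk all of them and accept any match */
	groups = this->public.create_enumerator(&this->public);
	while (groups->enumerate(groups, &t2, &id2))
	{
		if (t2 == AUTH_RULE_GROUP && id2->matches(id2, id1))
		{
			member = TRUE;
			break;
		}
	}
	groups->destroy(groups);
	if (!member)
	{
		/* … unchanged: success = FALSE and the DBG1 "membership to group" log … */
	}
	break;
}
```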
@@ -527,7 +534,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
                                }
                                case AUTH_RULE_IDENTITY:
                                case AUTH_RULE_EAP_IDENTITY:
-                               case AUTH_RULE_AC_GROUP:
+                               case AUTH_RULE_GROUP:
                                {
                                        identification_t *id = (identification_t*)value;
 
@@ -614,7 +621,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
                                        }
                                        case AUTH_RULE_IDENTITY:
                                        case AUTH_RULE_EAP_IDENTITY:
-                                       case AUTH_RULE_AC_GROUP:
+                                       case AUTH_RULE_GROUP:
                                        {
                                                identification_t *id1, *id2;
 
@@ -698,7 +705,7 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
                {
                        case AUTH_RULE_IDENTITY:
                        case AUTH_RULE_EAP_IDENTITY:
-                       case AUTH_RULE_AC_GROUP:
+                       case AUTH_RULE_GROUP:
                        {
                                identification_t *id = (identification_t*)entry->value;
                                clone->add(clone, entry->type, id->clone(id));
index 5e6215a..6bee5fc 100644 (file)
@@ -62,8 +62,8 @@ enum auth_rule_t {
        AUTH_RULE_CRL_VALIDATION,
        /** result of a OCSP validation, cert_validation_t */
        AUTH_RULE_OCSP_VALIDATION,
-       /** subject is in attribute certificate group, identification_t* */
-       AUTH_RULE_AC_GROUP,
+       /** subject is member of a group, identification_t* */
+       AUTH_RULE_GROUP,
 
        /** intermediate certificate, certificate_t* */
        AUTH_HELPER_IM_CERT,
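Review bot: The new comment on AUTH_RULE_GROUP does not say how the rule is read on the two sides of a complies() check or what several entries mean, so a maintainer adding a second group source cannot tell whether entries are alternatives or all required. Suggest expanding it to something like `/** subject is member of a group, identification_t*; may occur several times: on the subject side each entry is one membership, on the constraint side each entry is one required group (see complies()) */`. The all-required reading of multiple constraints is inferred from the complies() hunk in this commit and should be confirmed before being written down.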
index 41bf5d1..ded7ac4 100644 (file)
@@ -413,7 +413,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                }
        }
 
-       /* AC groups */
+       /* groups */
        if (end->groups)
        {
                enumerator_t *enumerator;
@@ -422,9 +422,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                enumerator = enumerator_create_token(end->groups, ",", " ");
                while (enumerator->enumerate(enumerator, &group))
                {
-                       identity = identification_create_from_encoding(ID_IETF_ATTR_STRING,
-                                                                                       chunk_create(group, strlen(group)));
-                       cfg->add(cfg, AUTH_RULE_AC_GROUP, identity);
+                       cfg->add(cfg, AUTH_RULE_GROUP,
+                                        identification_create_from_string(group));
                }
                enumerator->destroy(enumerator);
        }
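Review bot: `identification_create_from_string(group)` infers the identity type from the text of the group name (presumably the same parser used for leftid/rightid), whereas the removed code always produced a plain string ID; a group configured as `10.0.0.0/8`, `user@example.org` or a DN now becomes a typed identity, and the `matches()` call in complies() can only succeed if whatever builds the subject-side AUTH_RULE_GROUP entries (attribute-certificate parsing is not among the files in this commit) creates the same type. Either both sides should go through the same constructor, or the loop deserves a comment such as `/* groups= entries are parsed like any other identity; subject-side group IDs must be created the same way for matches() to succeed */`. build_auth_cfg() starts before this hunk.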
index 153828a..9981d45 100644 (file)
@@ -373,7 +373,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
                rules = auth->create_enumerator(auth);
                while (rules->enumerate(rules, &rule, &id))
                {
-                       if (rule == AUTH_RULE_AC_GROUP)
+                       if (rule == AUTH_RULE_GROUP)
                        {
                                fprintf(out, "%12s:    group: %Y\n", name, id);
                        }
index 6a3c393..3968b62 100644 (file)
@@ -50,8 +50,7 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
        "ID_DER_ASN1_GN",
        "ID_KEY_ID");
 ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
-       "ID_DER_ASN1_GN_URI"
-       "ID_IETF_ATTR_STRING"
+       "ID_DER_ASN1_GN_URI",
        "ID_MYID");
 ENUM_END(id_type_names, ID_MYID);
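Review bot: After dropping "ID_IETF_ATTR_STRING" the ENUM_NEXT range still runs from ID_DER_ASN1_GN_URI (201) to ID_MYID (203), three values, but only two names are supplied; if the table is indexed by `value - first` as this ENUM_BEGIN/ENUM_NEXT layout suggests, `%N` on ID_MYID now reads one slot past the initializer (the pre-existing missing comma already caused the same off-by-one; the new side fixes the comma but not the count). Either keep a placeholder string in slot 202 or split the range: `ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_DER_ASN1_GN_URI, ID_KEY_ID, "ID_DER_ASN1_GN_URI");` followed by `ENUM_NEXT(id_type_names, ID_MYID, ID_MYID, ID_DER_ASN1_GN_URI, "ID_MYID");` with `ENUM_END(id_type_names, ID_MYID);` unchanged. Check enum.h for the exact macro arguments before applying.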
 
@@ -761,7 +760,6 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
                case ID_FQDN:
                case ID_RFC822_ADDR:
                case ID_DER_ASN1_GN_URI:
-               case ID_IETF_ATTR_STRING:
                        chunk_printable(this->encoded, &proper, '?');
                        snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
                        chunk_free(&proper);
index fe5c7d0..c463b02 100644 (file)
@@ -131,11 +131,6 @@ enum id_type_t {
        ID_DER_ASN1_GN_URI = 201,
 
        /**
-        * IETF Attribute Syntax String (RFC 3281)
-        */
-       ID_IETF_ATTR_STRING = 202,
-
-       /**
         * Private ID used by the pluto daemon for opportunistic encryption
         */
        ID_MYID = 203,
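Review bot: Removing ID_IETF_ATTR_STRING from the public id_type_t leaves value 202 unassigned with no trace in the header, and any code outside the six files in this commit that still creates that type (the attribute-certificate parser the title refers to is not in the list) will stop compiling, while anything still adding AUTH_RULE_AC_GROUP entries will no longer match the renamed rule. Add a reservation comment in its place, e.g. `/* 202 was ID_IETF_ATTR_STRING (RFC 3281); keep unassigned so the old meaning is not reused */`, and confirm the remaining producers are updated in this or a follow-up change.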