Moved X509 addrBlock validation to a separate addrblock plugin
authorMartin Willi <martin@revosec.ch>
Mon, 5 Jul 2010 12:36:05 +0000 (14:36 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 13 Jul 2010 08:26:07 +0000 (10:26 +0200)
configure.in
src/libstrongswan/Android.mk
src/libstrongswan/Makefile.am
src/libstrongswan/credentials/cert_validator.h
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/plugins/addrblock/Makefile.am [new file with mode: 0644]
src/libstrongswan/plugins/addrblock/addrblock_plugin.c [new file with mode: 0644]
src/libstrongswan/plugins/addrblock/addrblock_plugin.h [new file with mode: 0644]
src/libstrongswan/plugins/addrblock/addrblock_validator.c [new file with mode: 0644]
src/libstrongswan/plugins/addrblock/addrblock_validator.h [new file with mode: 0644]

index ef682ce..5ddd062 100644 (file)
@@ -142,6 +142,7 @@ ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
 ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_ENABL_SET([android],        [enable Android specific plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager plugin.])
@@ -758,6 +759,9 @@ fi
 if test x$agent = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" agent"
 fi
+if test x$addrblock = xtrue; then
+       libstrongswan_plugins=${libstrongswan_plugins}" addrblock"
+fi
 if test x$gmp = xtrue; then
        libstrongswan_plugins=${libstrongswan_plugins}" gmp"
        pluto_plugins=${pluto_plugins}" gmp"
@@ -812,6 +816,7 @@ AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
 AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
 AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
 AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
+AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
 
 dnl charon plugins
 dnl ==============
@@ -936,6 +941,7 @@ AC_OUTPUT(
        src/libstrongswan/plugins/openssl/Makefile
        src/libstrongswan/plugins/gcrypt/Makefile
        src/libstrongswan/plugins/agent/Makefile
+       src/libstrongswan/plugins/addrblock/Makefile
        src/libstrongswan/plugins/test_vectors/Makefile
        src/libhydra/Makefile
        src/libhydra/plugins/attr/Makefile
index 96d7891..34bd5e5 100644 (file)
@@ -44,6 +44,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
 selectors/traffic_selector.c selectors/traffic_selector.h \
index 0b93dc4..d90773d 100644 (file)
@@ -42,6 +42,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
 selectors/traffic_selector.c selectors/traffic_selector.h \
@@ -306,6 +307,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_ADDRBLOCK
+  SUBDIRS += plugins/addrblock
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/addrblock/libstrongswan-addrblock.la
+endif
+endif
+
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 if MONOLITHIC
index 1f192e1..0a65185 100644 (file)
@@ -23,6 +23,8 @@
 
 typedef struct cert_validator_t cert_validator_t;
 
+#include <library.h>
+
 /**
  * Certificate validator interface.
  *
index c5a6816..709c5e2 100644 (file)
@@ -944,60 +944,6 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 }
 
 /**
- * check a certificate for optional IP address block constraints
- */
-static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
-{
-       bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
-       bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
-       bool contained = TRUE;
-
-       enumerator_t *subject_enumerator, *issuer_enumerator;
-       traffic_selector_t *subject_ts, *issuer_ts;
-
-       if (!subject_constraint && !issuer_constraint)
-       {
-               return TRUE;
-       }
-       if (!subject_constraint)
-       {
-               DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-               return FALSE;
-       }
-       if (!issuer_constraint)
-       {
-               DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
-               return FALSE;
-       }
-       subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
-       while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
-       {
-               contained = FALSE;
-
-               issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
-               while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
-               {
-                       if (subject_ts->is_contained_in(subject_ts, issuer_ts))
-                       {
-                               DBG2(DBG_CFG, "  subject address block %R is contained in "
-                                                         "issuer address block %R", subject_ts, issuer_ts);
-                               contained = TRUE;
-                               break;
-                       }
-               }
-               issuer_enumerator->destroy(issuer_enumerator);
-               if (!contained)
-               {
-                       DBG1(DBG_CFG, "subject address block %R is not contained in any "
-                                                 "issuer address block", subject_ts);
-                       break;
-               }
-       }
-       subject_enumerator->destroy(subject_enumerator);
-       return contained;
-}
-
-/**
  * check a certificate for its lifetime
  */
 static bool check_certificate(private_credential_manager_t *this,
@@ -1026,11 +972,6 @@ static bool check_certificate(private_credential_manager_t *this,
                int pathlen_constraint;
                x509_t *x509;
 
-               if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
-               {
-                       return FALSE;
-               }
-
                /* check path length constraint */
                x509 = (x509_t*)issuer;
                pathlen_constraint = x509->get_pathLenConstraint(x509);
diff --git a/src/libstrongswan/plugins/addrblock/Makefile.am b/src/libstrongswan/plugins/addrblock/Makefile.am
new file mode 100644 (file)
index 0000000..159d2e7
--- /dev/null
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-addrblock.la
+else
+plugin_LTLIBRARIES = libstrongswan-addrblock.la
+endif
+
+libstrongswan_addrblock_la_SOURCES = \
+       addrblock_plugin.h addrblock_plugin.c \
+       addrblock_validator.h addrblock_validator.c
+
+libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/addrblock/addrblock_plugin.c b/src/libstrongswan/plugins/addrblock/addrblock_plugin.c
new file mode 100644 (file)
index 0000000..6c1ef73
--- /dev/null
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_plugin.h"
+
+#include <library.h>
+#include "addrblock_validator.h"
+
+typedef struct private_addrblock_plugin_t private_addrblock_plugin_t;
+
+/**
+ * private data of addrblock_plugin
+ */
+struct private_addrblock_plugin_t {
+
+       /**
+        * public functions
+        */
+       addrblock_plugin_t public;
+
+       /**
+        * Validator implementation instance.
+        */
+       addrblock_validator_t *validator;
+};
+
+METHOD(plugin_t, destroy, void,
+       private_addrblock_plugin_t *this)
+{
+       lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+       this->validator->destroy(this->validator);
+       free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *addrblock_plugin_create()
+{
+       private_addrblock_plugin_t *this;
+
+       INIT(this,
+               .public.plugin.destroy = _destroy,
+               .validator = addrblock_validator_create(),
+       );
+       lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+       return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/addrblock/addrblock_plugin.h b/src/libstrongswan/plugins/addrblock/addrblock_plugin.h
new file mode 100644 (file)
index 0000000..e7c3a72
--- /dev/null
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock addrblock
+ * @ingroup plugins
+ *
+ * @defgroup addrblock_plugin addrblock_plugin
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_PLUGIN_H_
+#define ADDRBLOCK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct addrblock_plugin_t addrblock_plugin_t;
+
+/**
+ * RFC 3779 address block checking.
+ */
+struct addrblock_plugin_t {
+
+       /**
+        * Implements plugin_t. interface.
+        */
+       plugin_t plugin;
+};
+
+#endif /** ADDRBLOCK_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/addrblock/addrblock_validator.c b/src/libstrongswan/plugins/addrblock/addrblock_validator.c
new file mode 100644 (file)
index 0000000..44ef38d
--- /dev/null
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_validator.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+#include <selectors/traffic_selector.h>
+
+typedef struct private_addrblock_validator_t private_addrblock_validator_t;
+
+/**
+ * Private data of an addrblock_validator_t object.
+ */
+struct private_addrblock_validator_t {
+
+       /**
+        * Public addrblock_validator_t interface.
+        */
+       addrblock_validator_t public;
+};
+
+/**
+ * Do the addrblock check for two x509 plugins
+ */
+static bool check_addrblock(x509_t *subject, x509_t *issuer)
+{
+       bool subject_const, issuer_const, contained = TRUE;
+       enumerator_t *subject_enumerator, *issuer_enumerator;
+       traffic_selector_t *subject_ts, *issuer_ts;
+
+       subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
+       issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
+
+       if (!subject_const && !issuer_const)
+       {
+               return TRUE;
+       }
+       if (!subject_const)
+       {
+               DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
+               return FALSE;
+       }
+       if (!issuer_const)
+       {
+               DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
+               return FALSE;
+       }
+       subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
+       while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
+       {
+               contained = FALSE;
+
+               issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
+               while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
+               {
+                       if (subject_ts->is_contained_in(subject_ts, issuer_ts))
+                       {
+                               DBG2(DBG_CFG, "  subject address block %R is contained in "
+                                                         "issuer address block %R", subject_ts, issuer_ts);
+                               contained = TRUE;
+                               break;
+                       }
+               }
+               issuer_enumerator->destroy(issuer_enumerator);
+               if (!contained)
+               {
+                       DBG1(DBG_CFG, "subject address block %R is not contained in any "
+                                                 "issuer address block", subject_ts);
+                       break;
+               }
+       }
+       subject_enumerator->destroy(subject_enumerator);
+       return contained;
+}
+
+METHOD(cert_validator_t, validate, bool,
+       private_addrblock_validator_t *this, certificate_t *subject,
+       certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+{
+       if (subject->get_type(subject) == CERT_X509 &&
+               issuer->get_type(issuer) == CERT_X509)
+       {
+               return check_addrblock((x509_t*)subject, (x509_t*)issuer);
+       }
+       return TRUE;
+}
+
+METHOD(addrblock_validator_t, destroy, void,
+       private_addrblock_validator_t *this)
+{
+       free(this);
+}
+
+/**
+ * See header
+ */
+addrblock_validator_t *addrblock_validator_create()
+{
+       private_addrblock_validator_t *this;
+
+       INIT(this,
+               .public = {
+                       .validator.validate = _validate,
+                       .destroy = _destroy,
+               },
+       );
+
+       return &this->public;
+}
diff --git a/src/libstrongswan/plugins/addrblock/addrblock_validator.h b/src/libstrongswan/plugins/addrblock/addrblock_validator.h
new file mode 100644 (file)
index 0000000..423f0d4
--- /dev/null
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock_validator addrblock_validator
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_VALIDATOR_H_
+#define ADDRBLOCK_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct addrblock_validator_t addrblock_validator_t;
+
+/**
+ * RFC 3779 address block X509 certificate validator.
+ */
+struct addrblock_validator_t {
+
+       /**
+        * Implements cert_validator_t interface.
+        */
+       cert_validator_t validator;
+
+       /**
+        * Destroy a addrblock_validator_t.
+        */
+       void (*destroy)(addrblock_validator_t *this);
+};
+
+/**
+ * Create a addrblock_validator instance.
+ */
+addrblock_validator_t *addrblock_validator_create();
+
+#endif /** ADDRBLOCK_VALIDATOR_H_ @}*/