ARG_ENABL_SET([openssl], [enables the OpenSSL crypto plugin.])
ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.])
ARG_ENABL_SET([agent], [enables the ssh-agent signing plugin.])
+ARG_ENABL_SET([addrblock], [enables RFC 3779 address block constraint support.])
ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.])
ARG_ENABL_SET([android], [enable Android specific plugin.])
ARG_ENABL_SET([nm], [enable NetworkManager plugin.])
if test x$agent = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" agent"
fi
+if test x$addrblock = xtrue; then
+ libstrongswan_plugins=${libstrongswan_plugins}" addrblock"
+fi
if test x$gmp = xtrue; then
libstrongswan_plugins=${libstrongswan_plugins}" gmp"
pluto_plugins=${pluto_plugins}" gmp"
AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
+AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
dnl charon plugins
dnl ==============
src/libstrongswan/plugins/openssl/Makefile
src/libstrongswan/plugins/gcrypt/Makefile
src/libstrongswan/plugins/agent/Makefile
+ src/libstrongswan/plugins/addrblock/Makefile
src/libstrongswan/plugins/test_vectors/Makefile
src/libhydra/Makefile
src/libhydra/plugins/attr/Makefile
credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
database/database.h database/database_factory.h database/database_factory.c \
fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
selectors/traffic_selector.c selectors/traffic_selector.h \
credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
+credentials/cert_validator.h \
database/database.h database/database_factory.h database/database_factory.c \
fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
selectors/traffic_selector.c selectors/traffic_selector.h \
endif
endif
+if USE_ADDRBLOCK
+ SUBDIRS += plugins/addrblock
+if MONOLITHIC
+ libstrongswan_la_LIBADD += plugins/addrblock/libstrongswan-addrblock.la
+endif
+endif
+
if USE_TEST_VECTORS
SUBDIRS += plugins/test_vectors
if MONOLITHIC
typedef struct cert_validator_t cert_validator_t;
+#include <library.h>
+
/**
* Certificate validator interface.
*
}
/**
- * check a certificate for optional IP address block constraints
- */
-static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer)
-{
- bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
- bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
- bool contained = TRUE;
-
- enumerator_t *subject_enumerator, *issuer_enumerator;
- traffic_selector_t *subject_ts, *issuer_ts;
-
- if (!subject_constraint && !issuer_constraint)
- {
- return TRUE;
- }
- if (!subject_constraint)
- {
- DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
- return FALSE;
- }
- if (!issuer_constraint)
- {
- DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
- return FALSE;
- }
- subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
- while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
- {
- contained = FALSE;
-
- issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
- while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
- {
- if (subject_ts->is_contained_in(subject_ts, issuer_ts))
- {
- DBG2(DBG_CFG, " subject address block %R is contained in "
- "issuer address block %R", subject_ts, issuer_ts);
- contained = TRUE;
- break;
- }
- }
- issuer_enumerator->destroy(issuer_enumerator);
- if (!contained)
- {
- DBG1(DBG_CFG, "subject address block %R is not contained in any "
- "issuer address block", subject_ts);
- break;
- }
- }
- subject_enumerator->destroy(subject_enumerator);
- return contained;
-}
-
-/**
* check a certificate for its lifetime
*/
static bool check_certificate(private_credential_manager_t *this,
int pathlen_constraint;
x509_t *x509;
- if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer))
- {
- return FALSE;
- }
-
/* check path length constraint */
x509 = (x509_t*)issuer;
pathlen_constraint = x509->get_pathLenConstraint(x509);
--- /dev/null
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-addrblock.la
+else
+plugin_LTLIBRARIES = libstrongswan-addrblock.la
+endif
+
+libstrongswan_addrblock_la_SOURCES = \
+ addrblock_plugin.h addrblock_plugin.c \
+ addrblock_validator.h addrblock_validator.c
+
+libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_plugin.h"
+
+#include <library.h>
+#include "addrblock_validator.h"
+
+typedef struct private_addrblock_plugin_t private_addrblock_plugin_t;
+
+/**
+ * private data of addrblock_plugin
+ */
+struct private_addrblock_plugin_t {
+
+ /**
+ * public functions
+ */
+ addrblock_plugin_t public;
+
+ /**
+ * Validator implementation instance.
+ */
+ addrblock_validator_t *validator;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_addrblock_plugin_t *this)
+{
+ lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+ this->validator->destroy(this->validator);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *addrblock_plugin_create()
+{
+ private_addrblock_plugin_t *this;
+
+ INIT(this,
+ .public.plugin.destroy = _destroy,
+ .validator = addrblock_validator_create(),
+ );
+ lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+ return &this->public.plugin;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock addrblock
+ * @ingroup plugins
+ *
+ * @defgroup addrblock_plugin addrblock_plugin
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_PLUGIN_H_
+#define ADDRBLOCK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct addrblock_plugin_t addrblock_plugin_t;
+
+/**
+ * RFC 3779 address block checking.
+ */
+struct addrblock_plugin_t {
+
+ /**
+ * Implements plugin_t. interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** ADDRBLOCK_PLUGIN_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_validator.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+#include <selectors/traffic_selector.h>
+
+typedef struct private_addrblock_validator_t private_addrblock_validator_t;
+
+/**
+ * Private data of an addrblock_validator_t object.
+ */
+struct private_addrblock_validator_t {
+
+ /**
+ * Public addrblock_validator_t interface.
+ */
+ addrblock_validator_t public;
+};
+
+/**
+ * Do the addrblock check for two x509 plugins
+ */
+static bool check_addrblock(x509_t *subject, x509_t *issuer)
+{
+ bool subject_const, issuer_const, contained = TRUE;
+ enumerator_t *subject_enumerator, *issuer_enumerator;
+ traffic_selector_t *subject_ts, *issuer_ts;
+
+ subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
+ issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
+
+ if (!subject_const && !issuer_const)
+ {
+ return TRUE;
+ }
+ if (!subject_const)
+ {
+ DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
+ return FALSE;
+ }
+ if (!issuer_const)
+ {
+ DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
+ return FALSE;
+ }
+ subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
+ while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
+ {
+ contained = FALSE;
+
+ issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
+ while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
+ {
+ if (subject_ts->is_contained_in(subject_ts, issuer_ts))
+ {
+ DBG2(DBG_CFG, " subject address block %R is contained in "
+ "issuer address block %R", subject_ts, issuer_ts);
+ contained = TRUE;
+ break;
+ }
+ }
+ issuer_enumerator->destroy(issuer_enumerator);
+ if (!contained)
+ {
+ DBG1(DBG_CFG, "subject address block %R is not contained in any "
+ "issuer address block", subject_ts);
+ break;
+ }
+ }
+ subject_enumerator->destroy(subject_enumerator);
+ return contained;
+}
+
+METHOD(cert_validator_t, validate, bool,
+ private_addrblock_validator_t *this, certificate_t *subject,
+ certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+{
+ if (subject->get_type(subject) == CERT_X509 &&
+ issuer->get_type(issuer) == CERT_X509)
+ {
+ return check_addrblock((x509_t*)subject, (x509_t*)issuer);
+ }
+ return TRUE;
+}
+
+METHOD(addrblock_validator_t, destroy, void,
+ private_addrblock_validator_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+addrblock_validator_t *addrblock_validator_create()
+{
+ private_addrblock_validator_t *this;
+
+ INIT(this,
+ .public = {
+ .validator.validate = _validate,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock_validator addrblock_validator
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_VALIDATOR_H_
+#define ADDRBLOCK_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct addrblock_validator_t addrblock_validator_t;
+
+/**
+ * RFC 3779 address block X509 certificate validator.
+ */
+struct addrblock_validator_t {
+
+ /**
+ * Implements cert_validator_t interface.
+ */
+ cert_validator_t validator;
+
+ /**
+ * Destroy a addrblock_validator_t.
+ */
+ void (*destroy)(addrblock_validator_t *this);
+};
+
+/**
+ * Create a addrblock_validator instance.
+ */
+addrblock_validator_t *addrblock_validator_create();
+
+#endif /** ADDRBLOCK_VALIDATOR_H_ @}*/