implemented path length constraint checking for IKEv1
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 4 Nov 2009 17:10:31 +0000 (18:10 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 4 Nov 2009 17:10:31 +0000 (18:10 +0100)
src/pluto/x509.c
testing/tests/ikev1/multi-level-ca-loop/evaltest.dat

index 25b4e14..37d0b01 100644 (file)
@@ -344,11 +344,11 @@ chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key,
  */
 bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 {
-       int pathlen;
+       int pathlen, pathlen_constraint;
 
        *until = 0;
 
-       for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+       for (pathlen = -1; pathlen < MAX_CA_PATH_LEN; pathlen++)
        {
                certificate_t *certificate = cert->cert;
                identification_t *subject = certificate->get_subject(certificate);
@@ -407,11 +407,22 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
                )
                unlock_authcert_list("verify_x509cert");
 
+               /* check path length constraint */
+               pathlen_constraint = x509->get_pathLenConstraint(x509);
+               if (pathlen_constraint != NO_PATH_LEN_CONSTRAINT &&
+                       pathlen > pathlen_constraint)
+               {
+                       plog("path length of %d violates constraint of %d",
+                                pathlen, pathlen_constraint);
+                       return FALSE;
+               }
+
                /* check if cert is a self-signed root ca */
-               if (pathlen > 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
+               if (pathlen >= 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
                {
                        DBG(DBG_CONTROL,
-                               DBG_log("reached self-signed root ca")
+                               DBG_log("reached self-signed root ca with a path length of %d",
+                                                pathlen)
                        )
                        return TRUE;
                }
@@ -479,7 +490,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
                /* go up one step in the trust chain */
                cert = issuer_cert;
        }
-       plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+       plog("maximum path length of %d exceeded", MAX_CA_PATH_LEN);
        return FALSE;
 }
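Review bot: The new meaning of `pathlen` after the loop start changes to -1 is undocumented, yet the added constraint check depends on it exactly: -1 is the end-entity certificate, and for a CA certificate `pathlen` is the number of CA certificates already traversed beneath it, which is the quantity pathLenConstraint bounds, so `pathlen > pathlen_constraint` is the right comparison. I would annotate the `for` line, e.g. `/* pathlen == -1 is the end entity cert; for a CA it counts the CA certs beneath it, which is what pathLenConstraint limits */`, so a later reader does not "fix" the -1 back to 0 and silently loosen the check by one level. Also worth a one-line note near the check: RFC 5280 counts only non-self-issued intermediates toward the constraint, while this loop counts every level, so a chain containing a self-issued (key rollover) CA certificate may be rejected here where a standards-conformant validator would accept it; that is stricter rather than weaker, but the behaviour should be stated deliberately. The body of verify_x509cert, including where `x509` is obtained, lies outside the hunks shown.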
 
index 781a7b4..5248461 100644 (file)
@@ -1,3 +1,3 @@
-moon::cat /var/log/auth.log::maximum ca path length of 7 levels exceeded::YES
+moon::cat /var/log/auth.log::maximum path length of 7 exceeded::YES
 carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
 moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO