[people/ms/strongswan.git] / src / libcharon / plugins / addrblock / addrblock_narrow.c

/*
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
 * Copyright (C) 2009 Andreas Steffen
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "addrblock_narrow.h"

#include <daemon.h>
#include <credentials/certificates/x509.h>

typedef struct private_addrblock_narrow_t private_addrblock_narrow_t;

/**
 * Private data of an addrblock_narrow_t object.
 */
struct private_addrblock_narrow_t {

	/**
	 * Public addrblock_narrow_t interface.
	 */
	addrblock_narrow_t public;
};

static void narrow_addrblock(private_addrblock_narrow_t *this, ike_sa_t *ike_sa,
							 linked_list_t *list)
{
	certificate_t *cert = NULL;
	enumerator_t *enumerator;
	auth_cfg_t *auth;

	enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
	while (enumerator->enumerate(enumerator, &auth))
	{
		cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
		if (cert)
		{
			break;
		}
	}
	enumerator->destroy(enumerator);

	if (cert && cert->get_type(cert) == CERT_X509)
	{
		x509_t *x509 = (x509_t*)cert;

		if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
		{
			traffic_selector_t *ts, *block, *subset;
			linked_list_t *original;

			original = linked_list_create();
			while (list->remove_last(list, (void**)&ts) == SUCCESS)
			{
				original->insert_first(original, ts);
			}

			DBG1(DBG_IKE, "checking certificate-based traffic selector "
				 "constraints [RFC 3779]");
			while (original->remove_first(original, (void**)&ts) == SUCCESS)
			{
				bool contained = FALSE;

				enumerator = x509->create_ipAddrBlock_enumerator(x509);
				while (enumerator->enumerate(enumerator, &block))
				{
					subset = ts->get_subset(ts, block);
					if (subset)
					{
						DBG1(DBG_IKE, "  TS %R is contained in address block"
							 " constraint %R (subset %R)", ts, block, subset);
						list->insert_last(list, subset);
						contained = TRUE;
					}
				}
				enumerator->destroy(enumerator);

				if (!contained)
				{
					DBG1(DBG_IKE, "  TS %R is not contained in any"
						 " address block constraint", ts);
				}
				ts->destroy(ts);
			}
			original->destroy(original);
		}
	}
}

METHOD(listener_t, narrow, bool,
	private_addrblock_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
	narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
{
	switch (type)
	{
		case NARROW_RESPONDER:
		case NARROW_INITIATOR_PRE_AUTH:
		case NARROW_INITIATOR_POST_AUTH:
		case NARROW_INITIATOR_POST_NOAUTH:
			narrow_addrblock(this, ike_sa, remote);
			break;
		default:
			break;
	}
	return TRUE;
}

METHOD(addrblock_narrow_t, destroy, void,
	private_addrblock_narrow_t *this)
{
	free(this);
}

/**
 * See header
 */
addrblock_narrow_t *addrblock_narrow_create()
{
	private_addrblock_narrow_t *this;

	INIT(this,
		.public = {
			.listener.narrow = _narrow,
			.destroy = _destroy,
		},
	);

	return &this->public;
}
Commit	Line	Data
e57a29c7 MW	1	/*
	2	* Copyright (C) 2010 Martin Willi
	3	* Copyright (C) 2010 revosec AG
	4	* Copyright (C) 2009 Andreas Steffen
	5	* Hochschule fuer Technik Rapperswil
	6	*
	7	* This program is free software; you can redistribute it and/or modify it
	8	* under the terms of the GNU General Public License as published by the
	9	* Free Software Foundation; either version 2 of the License, or (at your
	10	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	11	*
	12	* This program is distributed in the hope that it will be useful, but
	13	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	14	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	15	* for more details.
	16	*/
	17
	18	#include "addrblock_narrow.h"
	19
	20	#include <daemon.h>
	21	#include <credentials/certificates/x509.h>
	22
	23	typedef struct private_addrblock_narrow_t private_addrblock_narrow_t;
	24
	25	/**
	26	* Private data of an addrblock_narrow_t object.
	27	*/
	28	struct private_addrblock_narrow_t {
	29
	30	/**
	31	* Public addrblock_narrow_t interface.
	32	*/
	33	addrblock_narrow_t public;
	34	};
	35
d536b94e MW	36	static void narrow_addrblock(private_addrblock_narrow_t this, ike_sa_t ike_sa,
d536b94e MW	37	linked_list_t *list)
e57a29c7	38	{
e57a29c7	39	certificate_t *cert = NULL;
d536b94e MW	40	enumerator_t *enumerator;
d536b94e MW	41	auth_cfg_t *auth;
e57a29c7	42
d536b94e MW	43	enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
d536b94e MW	44	while (enumerator->enumerate(enumerator, &auth))
e57a29c7 MW	45	{
	46	cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
	47	if (cert)
	48	{
	49	break;
	50	}
	51	}
d536b94e	52	enumerator->destroy(enumerator);
e57a29c7 MW	53
	54	if (cert && cert->get_type(cert) == CERT_X509)
	55	{
	56	x509_t x509 = (x509_t)cert;
	57
	58	if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
	59	{
d536b94e MW	60	traffic_selector_t ts, block, *subset;
	61	linked_list_t *original;
	62
	63	original = linked_list_create();
	64	while (list->remove_last(list, (void**)&ts) == SUCCESS)
	65	{
	66	original->insert_first(original, ts);
	67	}
e57a29c7 MW	68
e57a29c7 MW	69	DBG1(DBG_IKE, "checking certificate-based traffic selector "
d536b94e MW	70	"constraints [RFC 3779]");
d536b94e MW	71	while (original->remove_first(original, (void**)&ts) == SUCCESS)
e57a29c7 MW	72	{
	73	bool contained = FALSE;
	74
d536b94e MW	75	enumerator = x509->create_ipAddrBlock_enumerator(x509);
d536b94e MW	76	while (enumerator->enumerate(enumerator, &block))
e57a29c7	77	{
d536b94e MW	78	subset = ts->get_subset(ts, block);
d536b94e MW	79	if (subset)
e57a29c7 MW	80	{
e57a29c7 MW	81	DBG1(DBG_IKE, " TS %R is contained in address block"
d536b94e MW	82	" constraint %R (subset %R)", ts, block, subset);
d536b94e MW	83	list->insert_last(list, subset);
e57a29c7	84	contained = TRUE;
e57a29c7 MW	85	}
e57a29c7 MW	86	}
d536b94e	87	enumerator->destroy(enumerator);
e57a29c7 MW	88
	89	if (!contained)
	90	{
	91	DBG1(DBG_IKE, " TS %R is not contained in any"
d536b94e	92	" address block constraint", ts);
e57a29c7	93	}
d536b94e	94	ts->destroy(ts);
e57a29c7	95	}
d536b94e	96	original->destroy(original);
e57a29c7 MW	97	}
e57a29c7 MW	98	}
e57a29c7 MW	99	}
	100
	101	METHOD(listener_t, narrow, bool,
	102	private_addrblock_narrow_t this, ike_sa_t ike_sa, child_sa_t *child_sa,
	103	narrow_hook_t type, linked_list_t local, linked_list_t remote)
	104	{
	105	switch (type)
	106	{
	107	case NARROW_RESPONDER:
3610d760	108	case NARROW_INITIATOR_PRE_AUTH:
e57a29c7 MW	109	case NARROW_INITIATOR_POST_AUTH:
e57a29c7 MW	110	case NARROW_INITIATOR_POST_NOAUTH:
d536b94e	111	narrow_addrblock(this, ike_sa, remote);
e57a29c7 MW	112	break;
	113	default:
	114	break;
	115	}
	116	return TRUE;
	117	}
	118
	119	METHOD(addrblock_narrow_t, destroy, void,
	120	private_addrblock_narrow_t *this)
	121	{
	122	free(this);
	123	}
	124
	125	/**
	126	* See header
	127	*/
	128	addrblock_narrow_t *addrblock_narrow_create()
	129	{
	130	private_addrblock_narrow_t *this;
	131
	132	INIT(this,
	133	.public = {
	134	.listener.narrow = _narrow,
	135	.destroy = _destroy,
	136	},
	137	);
	138
	139	return &this->public;
	140	}