1 | /* |
2 | * Copyright (C) 2010 Martin Willi | |
3 | * Copyright (C) 2010 revosec AG | |
4 | * Copyright (C) 2009 Andreas Steffen | |
5 | * Hochschule fuer Technik Rapperswil | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify it | |
8 | * under the terms of the GNU General Public License as published by the | |
9 | * Free Software Foundation; either version 2 of the License, or (at your | |
10 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
11 | * | |
12 | * This program is distributed in the hope that it will be useful, but | |
13 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
14 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
15 | * for more details. | |
16 | */ | |
17 | ||
18 | #include "addrblock_narrow.h" | |
19 | ||
20 | #include <daemon.h> | |
21 | #include <credentials/certificates/x509.h> | |
22 | ||
23 | typedef struct private_addrblock_narrow_t private_addrblock_narrow_t; | |
24 | ||
25 | /** | |
26 | * Private data of an addrblock_narrow_t object. | |
27 | */ | |
struct private_addrblock_narrow_t {

	/**
	 * Public addrblock_narrow_t interface (listener + destroy); this is the
	 * only state the plugin keeps, it holds no per-IKE_SA data.
	 */
	addrblock_narrow_t public;
};
35 | ||
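/**
 * Find the first subject certificate among the peer's authentication rounds.
 *
 * Only the first round carrying a subject certificate is considered; any
 * certificate presented in a later round is ignored.
 *
 * @param ike_sa	IKE_SA whose remote auth rounds are searched
 * @return			subject certificate, or NULL if no round carries one
 */
static certificate_t *get_subject_cert(ike_sa_t *ike_sa)
{
	certificate_t *cert = NULL;
	enumerator_t *enumerator;
	auth_cfg_t *auth;

	/* FALSE selects the remote (peer) auth rounds, so the certificate used
	 * to constrain the remote selectors is the peer's, not our own */
	enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
	while (enumerator->enumerate(enumerator, &auth))
	{
		cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
		if (cert)
		{
			break;
		}
	}
	enumerator->destroy(enumerator);
	return cert;
}

/**
 * Narrow a single traffic selector against the ipAddrBlock constraints of a
 * certificate, appending every non-empty intersection to list.
 *
 * A selector intersecting no address block is dropped entirely: nothing of
 * it is re-added to list.
 *
 * @param x509		certificate carrying the X509_IP_ADDR_BLOCKS extension
 * @param ts		selector to narrow, consumed (destroyed) by this call
 * @param list		list receiving the subset selectors
 */
static void narrow_ts(x509_t *x509, traffic_selector_t *ts, linked_list_t *list)
{
	enumerator_t *enumerator;
	traffic_selector_t *block, *subset;
	bool contained = FALSE;

	enumerator = x509->create_ipAddrBlock_enumerator(x509);
	while (enumerator->enumerate(enumerator, &block))
	{
		/* get_subset() yields NULL when ts and block are disjoint; a
		 * non-NULL result is a separate object (it outlives ts in list) */
		subset = ts->get_subset(ts, block);
		if (subset)
		{
			DBG1(DBG_IKE, " TS %R is contained in address block"
				 " constraint %R (subset %R)", ts, block, subset);
			list->insert_last(list, subset);
			contained = TRUE;
		}
	}
	enumerator->destroy(enumerator);

	if (!contained)
	{
		DBG1(DBG_IKE, " TS %R is not contained in any"
			 " address block constraint", ts);
	}
	ts->destroy(ts);
}

/**
 * Narrow traffic selectors to the ipAddrBlock constraints [RFC 3779] of the
 * peer's subject certificate.
 *
 * Every selector in list is replaced by its intersections with the address
 * blocks of the first subject certificate found in the peer's auth rounds.
 * Selectors intersecting no block are dropped, so list may end up empty.
 * If no X.509 subject certificate is found, or it carries no ipAddrBlock
 * extension, list is left untouched, i.e. no constraint is enforced.
 *
 * @param this		plugin instance (currently unused)
 * @param ike_sa	IKE_SA whose remote auth rounds provide the certificate
 * @param list		selectors to narrow, modified in place
 */
static void narrow_addrblock(private_addrblock_narrow_t *this, ike_sa_t *ike_sa,
							 linked_list_t *list)
{
	certificate_t *cert;
	x509_t *x509;
	traffic_selector_t *ts;
	linked_list_t *original;

	cert = get_subject_cert(ike_sa);
	if (!cert || cert->get_type(cert) != CERT_X509)
	{
		return;
	}
	x509 = (x509_t*)cert;
	if (!(x509->get_flags(x509) & X509_IP_ADDR_BLOCKS))
	{
		/* certificate without the extension: selectors stay unconstrained */
		return;
	}

	/* move all selectors out of list, preserving their order, so that list
	 * is rebuilt from the narrowed subsets only */
	original = linked_list_create();
	while (list->remove_last(list, (void**)&ts) == SUCCESS)
	{
		original->insert_first(original, ts);
	}

	DBG1(DBG_IKE, "checking certificate-based traffic selector "
		 "constraints [RFC 3779]");
	while (original->remove_first(original, (void**)&ts) == SUCCESS)
	{
		narrow_ts(x509, ts, list);
	}
	original->destroy(original);
}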
100 | ||
/**
 * listener_t.narrow hook: constrain the remote traffic selectors to the
 * address blocks of the peer's certificate.
 *
 * Only the remote selectors are narrowed; the local list is never touched.
 * The hook is applied as responder and at every initiator narrowing stage.
 *
 * @param this		plugin instance
 * @param ike_sa	IKE_SA the CHILD_SA belongs to
 * @param child_sa	CHILD_SA being negotiated (unused)
 * @param type		narrowing stage
 * @param local		local selectors (unused)
 * @param remote	remote selectors, narrowed in place
 * @return			TRUE, so the listener stays registered (see listener_t)
 */
METHOD(listener_t, narrow, bool,
	private_addrblock_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
	narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
{
	bool applies = type == NARROW_RESPONDER ||
				   type == NARROW_INITIATOR_PRE_AUTH ||
				   type == NARROW_INITIATOR_POST_AUTH ||
				   type == NARROW_INITIATOR_POST_NOAUTH;

	if (applies)
	{
		narrow_addrblock(this, ike_sa, remote);
	}
	return TRUE;
}
118 | ||
/**
 * Free the plugin object. Nothing else is released here; in particular the
 * listener is not removed from the bus by this call.
 *
 * @param this		plugin instance to free
 */
METHOD(addrblock_narrow_t, destroy, void,
	private_addrblock_narrow_t *this)
{
	free(this);
}
124 | ||
/**
 * Create an addrblock_narrow_t instance (see header).
 *
 * Wires the listener's narrow hook and the destroy method; all other fields
 * are left to INIT's initialization. Ownership of the returned object passes
 * to the caller, who releases it via destroy().
 *
 * @return			new addrblock_narrow_t instance
 */
addrblock_narrow_t *addrblock_narrow_create()
{
	private_addrblock_narrow_t *this;

	INIT(this,
		.public = {
			.listener.narrow = _narrow,
			.destroy = _destroy,
		},
	);

	return &this->public;
}