src/libcharon/plugins/addrblock/addrblock_validator.c

   1 /*
   2  * Copyright (C) 2010 Martin Willi, revosec AG
   3  * Copyright (C) 2009 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 #include "addrblock_validator.h"
  17
  18 #include <utils/debug.h>
  19 #include <credentials/certificates/x509.h>
  20 #include <selectors/traffic_selector.h>
  21
  22 typedef struct private_addrblock_validator_t private_addrblock_validator_t;
  23
  24 /**
  25  * Private data of an addrblock_validator_t object.
  26  */
  27 struct private_addrblock_validator_t {
  28
  29         /**
  30          * Public addrblock_validator_t interface.
  31          */
  32         addrblock_validator_t public;
  33 };
  34
  35 /**
  36  * Do the addrblock check for two x509 plugins
  37  */
  38 static bool check_addrblock(x509_t *subject, x509_t *issuer)
  39 {
  40         bool subject_const, issuer_const, contained = TRUE;
  41         enumerator_t *subject_enumerator, *issuer_enumerator;
  42         traffic_selector_t *subject_ts, *issuer_ts;
  43
  44         subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
  45         issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
  46
  47         if (!subject_const && !issuer_const)
  48         {
  49                 return TRUE;
  50         }
  51         if (!subject_const)
  52         {
  53                 DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
  54                 return FALSE;
  55         }
  56         if (!issuer_const)
  57         {
  58                 DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
  59                 return FALSE;
  60         }
  61         subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
  62         while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
  63         {
  64                 contained = FALSE;
  65
  66                 issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
  67                 while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
  68                 {
  69                         if (subject_ts->is_contained_in(subject_ts, issuer_ts))
  70                         {
  71                                 DBG2(DBG_CFG, "  subject address block %R is contained in "
  72                                                           "issuer address block %R", subject_ts, issuer_ts);
  73                                 contained = TRUE;
  74                                 break;
  75                         }
  76                 }
  77                 issuer_enumerator->destroy(issuer_enumerator);
  78                 if (!contained)
  79                 {
  80                         DBG1(DBG_CFG, "subject address block %R is not contained in any "
  81                                                   "issuer address block", subject_ts);
  82                         break;
  83                 }
  84         }
  85         subject_enumerator->destroy(subject_enumerator);
  86         return contained;
  87 }
  88
  89 METHOD(cert_validator_t, validate, bool,
  90         private_addrblock_validator_t *this, certificate_t *subject,
  91         certificate_t *issuer, bool online, u_int pathlen, bool anchor,
  92         auth_cfg_t *auth)
  93 {
  94         if (subject->get_type(subject) == CERT_X509 &&
  95                 issuer->get_type(issuer) == CERT_X509)
  96         {
  97                 if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
  98                 {
  99                         lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
 100                                                                         subject);
 101                         return FALSE;
 102                 }
 103         }
 104         return TRUE;
 105 }
 106
 107 METHOD(addrblock_validator_t, destroy, void,
 108         private_addrblock_validator_t *this)
 109 {
 110         free(this);
 111 }
 112
 113 /**
 114  * See header
 115  */
 116 addrblock_validator_t *addrblock_validator_create()
 117 {
 118         private_addrblock_validator_t *this;
 119
 120         INIT(this,
 121                 .public = {
 122                         .validator = {
 123                                 .validate = _validate,
 124                         },
 125                         .destroy = _destroy,
 126                 },
 127         );
 128
 129         return &this->public;
 130 }