2 * Copyright (C) 2010 Martin Willi, revosec AG
3 * Copyright (C) 2009 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 #include "addrblock_validator.h"
18 #include <utils/debug.h>
19 #include <credentials/certificates/x509.h>
20 #include <selectors/traffic_selector.h>
typedef struct private_addrblock_validator_t private_addrblock_validator_t;

/**
 * Private data of an addrblock_validator_t object.
 */
struct private_addrblock_validator_t {

	/**
	 * Public addrblock_validator_t interface.
	 */
	addrblock_validator_t public;
};
/**
 * Do the addrblock check for two x509 certificates.
 *
 * Compares the ipAddrBlocks (RFC 3779) extension of the subject certificate
 * against the one of its issuer: every address block claimed by the subject
 * must be contained in at least one address block of the issuer.
 *
 * @param subject	certificate whose address blocks are checked
 * @param issuer	certificate that issued subject
 * @return			TRUE if all subject blocks are covered by the issuer, or if
 *					neither certificate carries the extension; FALSE otherwise
 *
 * NOTE(review): this listing dropped several lines of the function (braces,
 * return statements, the contained/break bookkeeping); they are restored here
 * from the function's structure and should be confirmed against upstream.
 */
static bool check_addrblock(x509_t *subject, x509_t *issuer)
{
	bool subject_const, issuer_const, contained = TRUE;
	enumerator_t *subject_enumerator, *issuer_enumerator;
	traffic_selector_t *subject_ts, *issuer_ts;

	/* X509_IP_ADDR_BLOCKS is set only if the certificate carries the
	 * ipAddrBlocks extension at all */
	subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
	issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;

	/* neither side is constrained: the policy does not apply to this pair */
	if (!subject_const && !issuer_const)
	{
		return TRUE;
	}
	/* a one-sided extension is a violation: an issuer that constrains its
	 * address space must constrain every subject, and vice versa */
	if (!subject_const)
	{
		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
		return FALSE;
	}
	if (!issuer_const)
	{
		DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
		return FALSE;
	}

	subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
	while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
	{
		/* each subject block starts out uncovered; the inner loop looks for
		 * a single issuer block that contains it */
		contained = FALSE;

		issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
		while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
		{
			if (subject_ts->is_contained_in(subject_ts, issuer_ts))
			{
				DBG2(DBG_CFG, "  subject address block %R is contained in "
							  "issuer address block %R", subject_ts, issuer_ts);
				contained = TRUE;
				break;
			}
		}
		/* the inner enumerator is recreated per subject block, so it must be
		 * destroyed here regardless of the outcome */
		issuer_enumerator->destroy(issuer_enumerator);
		if (!contained)
		{
			/* first uncovered block decides the result; no need to continue */
			DBG1(DBG_CFG, "subject address block %R is not contained in any "
						  "issuer address block", subject_ts);
			break;
		}
	}
	subject_enumerator->destroy(subject_enumerator);
	/* TRUE if every subject block was covered, or if the subject carries the
	 * extension but enumerated no blocks at all */
	return contained;
}
/**
 * cert_validator_t.validate: enforce ipAddrBlocks containment between a
 * certificate and its issuer while a trust chain is being built.
 *
 * Only X.509 subject/issuer pairs are checked; any other certificate type
 * passes through untouched. A failed check raises the policy violation hook
 * on the credential manager and rejects the link.
 *
 * NOTE(review): the trailing auth_cfg_t parameter and the return statements
 * are missing from this listing and restored from the cert_validator_t
 * interface; confirm against upstream.
 */
METHOD(cert_validator_t, validate, bool,
	private_addrblock_validator_t *this, certificate_t *subject,
	certificate_t *issuer, bool online, u_int pathlen, bool anchor,
	auth_cfg_t *auth)
{
	/* the casts below are only valid once both types are verified as X.509 */
	if (subject->get_type(subject) == CERT_X509 &&
		issuer->get_type(issuer) == CERT_X509)
	{
		if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
		{
			/* let hook consumers (e.g. logging/auditing) see the violation
			 * before the chain is rejected */
			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
									subject);
			return FALSE;
		}
	}
	return TRUE;
}
/**
 * addrblock_validator_t.destroy: release the validator object.
 *
 * The object holds no state beyond the public interface, so freeing the
 * private struct is all that is required.
 */
METHOD(addrblock_validator_t, destroy, void,
	private_addrblock_validator_t *this)
{
	free(this);
}
/**
 * See header.
 *
 * Allocates the validator and wires its cert_validator_t callback to
 * _validate and its destructor to _destroy.
 *
 * NOTE(review): the INIT() block is only partially visible in this listing
 * (the .validate member is shown); the surrounding initializer is restored
 * from the addrblock_validator_t layout and should be confirmed upstream.
 */
addrblock_validator_t *addrblock_validator_create()
{
	private_addrblock_validator_t *this;

	INIT(this,
		.public = {
			.validator = {
				.validate = _validate,
			},
			.destroy = _destroy,
		},
	);

	return &this->public;
}