Pass an additional anchor flag to validate() hook if we reach the root CA
authorMartin Willi <martin@revosec.ch>
Wed, 22 Dec 2010 09:43:06 +0000 (10:43 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:04 +0000 (16:46 +0100)
src/libstrongswan/credentials/cert_validator.h
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/plugins/constraints/constraints_validator.c
src/libstrongswan/plugins/revocation/revocation_validator.c

index 1e67c23ab2009d4653b0ece87b48dfd797b7a2a3..3c1ebc9f2d19856b3c809ff646295ef9d65a2986 100644 (file)
@@ -40,12 +40,13 @@ struct cert_validator_t {
         * @param subject               subject certificate to check
         * @param issuer                issuer of subject
         * @param online                wheter to do online revocation checking
-        * @param pathlen               the current length of the path up to the root CA
+        * @param pathlen               the current length of the path bottom-up
+        * @param anchor                is issuer trusted root anchor
         * @param auth                  container for resulting authentication info
         */
        bool (*validate)(cert_validator_t *this, certificate_t *subject,
                                         certificate_t *issuer, bool online, int pathlen,
-                                        auth_cfg_t *auth);
+                                        bool anchor, auth_cfg_t *auth);
 };
 
 #endif /** CERT_VALIDATOR_H_ @}*/
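Review bot: The new `@param anchor` line is the only contract callers of the validate() hook get, and "is issuer trusted root anchor" leaves open whether the flag means the chain terminates at issuer or merely that issuer is found in the trusted store; I would spell it out, e.g. `@param anchor TRUE if issuer is the trust anchor the chain ends at (no further issuer is checked)`. Since a validator plugin may relax or skip checks when this flag is set, the doc should also state who is responsible for having verified issuer's trust before the hook is called. The unchanged line above still reads "wheter to do online revocation checking" and could be fixed to "whether" while this comment block is being edited. The struct cert_validator_t begins outside the hunk.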
index c32eb442222b270e0d81f41851c4c80d6765b2da..3cca0b2e8cee8cb7ee0568f23814f4d7c05b3433 100644 (file)
@@ -452,8 +452,8 @@ static void cache_queue(private_credential_manager_t *this)
  * check a certificate for its lifetime
  */
 static bool check_certificate(private_credential_manager_t *this,
-                                                         certificate_t *subject, certificate_t *issuer,
-                                                         bool online, int pathlen, auth_cfg_t *auth)
+                               certificate_t *subject, certificate_t *issuer, bool online,
+                               int pathlen, bool trusted, auth_cfg_t *auth)
 {
        time_t not_before, not_after;
        cert_validator_t *validator;
@@ -476,7 +476,7 @@ static bool check_certificate(private_credential_manager_t *this,
        while (enumerator->enumerate(enumerator, &validator))
        {
                if (!validator->validate(validator, subject, issuer,
-                                                                online, pathlen, auth))
+                                                                online, pathlen, trusted, auth))
                {
                        enumerator->destroy(enumerator);
                        return FALSE;
@@ -622,7 +622,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                                break;
                        }
                }
-               if (!check_certificate(this, current, issuer, online, pathlen, auth))
+               if (!check_certificate(this, current, issuer, online,
+                                                          pathlen, trusted, auth))
                {
                        trusted = FALSE;
                        issuer->destroy(issuer);
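Review bot: check_certificate() gains a `trusted` parameter at L37 but its header comment still reads only "check a certificate for its lifetime" and does not mention it; I would extend the comment with a line such as `trusted: TRUE if issuer is the trust anchor, forwarded to validators as the anchor flag`. The implementation calls the value `trusted` while the hook declares it `anchor`, so the forwarding at L46 and L56 reads as two different things unless the comment ties them together; renaming the parameter to `anchor` would remove the ambiguity. In verify_trust_chain the `trusted` variable passed at L56 is assigned before the hunk and is also reset to FALSE at L58, so the value a validator sees presumably reflects the lookup of issuer rather than the final chain verdict — worth confirming. The rest of check_certificate, and the whole of verify_trust_chain, lie outside these hunks.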
index 36a622d6b053cb84105d99ee99fecd2fd381022a..fa045273fcbfb3e4357dbdb9bbca785585b047c1 100644 (file)
@@ -346,7 +346,8 @@ static bool check_policy(x509_t *subject, x509_t *issuer, int pathlen,
 
 METHOD(cert_validator_t, validate, bool,
        private_constraints_validator_t *this, certificate_t *subject,
-       certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+       certificate_t *issuer, bool online, int pathlen, bool anchor,
+       auth_cfg_t *auth)
 {
        if (issuer->get_type(issuer) == CERT_X509 &&
                subject->get_type(subject) == CERT_X509)
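Review bot: The new `anchor` parameter appears in the signature of both validate() implementations (here and in revocation_validator.c at L77) but is not referenced in the visible lines of either body, so whatever decision it drives happens outside these hunks and cannot be reviewed from the diff. Wherever a check is relaxed or skipped because `anchor` is set, that branch deserves a one-line comment naming the reason, e.g. `/* issuer is the trust anchor: no further issuer to validate against */`, so that the exemption stays auditable. If one of the two plugins does not use the flag at all, a short comment saying so would avoid the impression that the check was forgotten. Both METHOD bodies continue past the end of their hunks.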
index 0fe97225ff497264c4813bbf8e888331d7759b9e..be6d3a9a63e15d1a9ff10551ff2d240747dabc99 100644 (file)
@@ -568,7 +568,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 
 METHOD(cert_validator_t, validate, bool,
        private_revocation_validator_t *this, certificate_t *subject,
-       certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+       certificate_t *issuer, bool online, int pathlen, bool anchor,
+       auth_cfg_t *auth)
 {
        if (subject->get_type(subject) == CERT_X509 &&
                issuer->get_type(issuer) == CERT_X509 &&