libstrongswan_addrblock_la_SOURCES = \
addrblock_plugin.h addrblock_plugin.c \
+ addrblock_narrow.h addrblock_narrow.c \
addrblock_validator.h addrblock_validator.c
libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_narrow.h"
+
+#include <daemon.h>
+#include <credentials/certificates/x509.h>
+
+typedef struct private_addrblock_narrow_t private_addrblock_narrow_t;
+
+/**
+ * Private data of an addrblock_narrow_t object.
+ */
+struct private_addrblock_narrow_t {
+
+ /**
+ * Public addrblock_narrow_t interface.
+ */
+ addrblock_narrow_t public;
+};
+
+/**
+ * Check if the negotiated TS list is acceptable by X509 ipAddrBlock constraints
+ */
+static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
+{
+ auth_cfg_t *auth;
+ enumerator_t *auth_enum;
+ certificate_t *cert = NULL;
+
+ auth_enum = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+ while (auth_enum->enumerate(auth_enum, &auth))
+ {
+ cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
+ if (cert)
+ {
+ break;
+ }
+ }
+ auth_enum->destroy(auth_enum);
+
+ if (cert && cert->get_type(cert) == CERT_X509)
+ {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+ {
+ enumerator_t *enumerator, *block_enum;
+ traffic_selector_t *ts, *block_ts;
+
+ DBG1(DBG_IKE, "checking certificate-based traffic selector "
+ "constraints [RFC 3779]");
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &ts))
+ {
+ bool contained = FALSE;
+
+ block_enum = x509->create_ipAddrBlock_enumerator(x509);
+ while (block_enum->enumerate(block_enum, &block_ts))
+ {
+ if (ts->is_contained_in(ts, block_ts))
+ {
+ DBG1(DBG_IKE, " TS %R is contained in address block"
+ " constraint %R", ts, block_ts);
+ contained = TRUE;
+ break;
+ }
+ }
+ block_enum->destroy(block_enum);
+
+ if (!contained)
+ {
+ DBG1(DBG_IKE, " TS %R is not contained in any"
+ " address block constraint", ts);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * Delete all traffic selectors in a list
+ */
+static void flush_ts_list(linked_list_t *list)
+{
+ traffic_selector_t *ts;
+
+ while (list->remove_last(list, (void**)&ts) == SUCCESS)
+ {
+ ts->destroy(ts);
+ }
+}
+
+METHOD(listener_t, narrow, bool,
+ private_addrblock_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+ narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
+{
+ switch (type)
+ {
+ case NARROW_RESPONDER:
+ case NARROW_INITIATOR_POST_AUTH:
+ case NARROW_INITIATOR_POST_NOAUTH:
+ if (!check_constraints(ike_sa, remote))
+ {
+ flush_ts_list(local);
+ flush_ts_list(remote);
+ }
+ break;
+ default:
+ break;
+ }
+ return TRUE;
+}
+
+METHOD(addrblock_narrow_t, destroy, void,
+ private_addrblock_narrow_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+addrblock_narrow_t *addrblock_narrow_create()
+{
+ private_addrblock_narrow_t *this;
+
+ INIT(this,
+ .public = {
+ .listener.narrow = _narrow,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock_narrow addrblock_narrow
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_NARROW_H_
+#define ADDRBLOCK_NARROW_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct addrblock_narrow_t addrblock_narrow_t;
+
+/**
+ * Listener that checks traffic selectors against addrblock constraints.
+ */
+struct addrblock_narrow_t {
+
+ /**
+ * Implements listener_t.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy a addrblock_narrow_t.
+ */
+ void (*destroy)(addrblock_narrow_t *this);
+};
+
+/**
+ * Create a addrblock_narrow instance.
+ */
+addrblock_narrow_t *addrblock_narrow_create();
+
+#endif /** ADDRBLOCK_NARROW_H_ @}*/
#include "addrblock_plugin.h"
-#include <library.h>
+#include <daemon.h>
+
#include "addrblock_validator.h"
+#include "addrblock_narrow.h"
typedef struct private_addrblock_plugin_t private_addrblock_plugin_t;
* Validator implementation instance.
*/
addrblock_validator_t *validator;
+
+ /**
+ * Listener to check TS list
+ */
+ addrblock_narrow_t *narrower;
};
METHOD(plugin_t, destroy, void,
private_addrblock_plugin_t *this)
{
+ charon->bus->remove_listener(charon->bus, &this->narrower->listener);
lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+ this->narrower->destroy(this->narrower);
this->validator->destroy(this->validator);
free(this);
}
INIT(this,
.public.plugin.destroy = _destroy,
.validator = addrblock_validator_create(),
+ .narrower = addrblock_narrow_create(),
);
lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+ charon->bus->add_listener(charon->bus, &this->narrower->listener);
return &this->public.plugin;
}
}
}
- /* check for any certificate-based IP address block constraints */
- if (this->mode == MODE_BEET || this->mode == MODE_TUNNEL)
- {
- auth_cfg_t *auth;
- enumerator_t *auth_enum;
- certificate_t *cert = NULL;
-
- auth_enum = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
- while (auth_enum->enumerate(auth_enum, &auth))
- {
- cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
- if (cert)
- {
- break;
- }
- }
- auth_enum->destroy(auth_enum);
-
- if (cert && cert->get_type(cert) == CERT_X509)
- {
- x509_t *x509 = (x509_t*)cert;
-
- if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
- {
- enumerator_t *enumerator, *block_enum;
- traffic_selector_t *ts, *block_ts;
-
- DBG1(DBG_IKE, "checking certificate-based traffic selector "
- "constraints [RFC 3779]");
- enumerator = other_ts->create_enumerator(other_ts);
- while (enumerator->enumerate(enumerator, &ts))
- {
- bool contained = FALSE;
-
- block_enum = x509->create_ipAddrBlock_enumerator(x509);
- while (block_enum->enumerate(block_enum, &block_ts))
- {
- if (ts->is_contained_in(ts, block_ts))
- {
- DBG1(DBG_IKE, " TS %R is contained in address block"
- " constraint %R", ts, block_ts);
- contained = TRUE;
- break;
- }
- }
- block_enum->destroy(block_enum);
-
- if (!contained)
- {
- DBG1(DBG_IKE, " TS %R is not contained in any"
- " address block constraint", ts);
- enumerator->destroy(enumerator);
- return FAILED;
- }
- }
- enumerator->destroy(enumerator);
- }
- }
- }
-
this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
this->child_sa->set_mode(this->child_sa, this->mode);
projects / thirdparty / strongswan.git / commitdiff
