From: Martin Willi Date: Wed, 22 Dec 2010 09:43:06 +0000 (+0100) Subject: Pass an additional anchor flag to validate() hook if we reach the root CA X-Git-Tag: 4.5.1~168 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6aba6ff061875a8b834b70826219ccb8dfebb063;p=thirdparty%2Fstrongswan.git Pass an additional anchor flag to validate() hook if we reach the root CA --- diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h index 1e67c23ab2..3c1ebc9f2d 100644 --- a/src/libstrongswan/credentials/cert_validator.h +++ b/src/libstrongswan/credentials/cert_validator.h @@ -40,12 +40,13 @@ struct cert_validator_t { * @param subject subject certificate to check * @param issuer issuer of subject * @param online wheter to do online revocation checking - * @param pathlen the current length of the path up to the root CA + * @param pathlen the current length of the path bottom-up + * @param anchor is issuer trusted root anchor * @param auth container for resulting authentication info */ bool (*validate)(cert_validator_t *this, certificate_t *subject, certificate_t *issuer, bool online, int pathlen, - auth_cfg_t *auth); + bool anchor, auth_cfg_t *auth); }; #endif /** CERT_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index c32eb44222..3cca0b2e8c 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -452,8 +452,8 @@ static void cache_queue(private_credential_manager_t *this) * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, - certificate_t *subject, certificate_t *issuer, - bool online, int pathlen, auth_cfg_t *auth) + certificate_t *subject, certificate_t *issuer, bool online, + int pathlen, bool trusted, auth_cfg_t *auth) { time_t not_before, not_after; cert_validator_t *validator; @@ -476,7 +476,7 @@ static bool check_certificate(private_credential_manager_t *this, while (enumerator->enumerate(enumerator, &validator)) { if (!validator->validate(validator, subject, issuer, - online, pathlen, auth)) + online, pathlen, trusted, auth)) { enumerator->destroy(enumerator); return FALSE; @@ -622,7 +622,8 @@ static bool verify_trust_chain(private_credential_manager_t *this, break; } } - if (!check_certificate(this, current, issuer, online, pathlen, auth)) + if (!check_certificate(this, current, issuer, online, + pathlen, trusted, auth)) { trusted = FALSE; issuer->destroy(issuer); diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c index 36a622d6b0..fa045273fc 100644 --- a/src/libstrongswan/plugins/constraints/constraints_validator.c +++ b/src/libstrongswan/plugins/constraints/constraints_validator.c @@ -346,7 +346,8 @@ static bool check_policy(x509_t *subject, x509_t *issuer, int pathlen, METHOD(cert_validator_t, validate, bool, private_constraints_validator_t *this, certificate_t *subject, - certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) + certificate_t *issuer, bool online, int pathlen, bool anchor, + auth_cfg_t *auth) { if (issuer->get_type(issuer) == CERT_X509 && subject->get_type(subject) == CERT_X509) diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 0fe97225ff..be6d3a9a63 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -568,7 +568,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, METHOD(cert_validator_t, validate, bool, private_revocation_validator_t *this, certificate_t *subject, - certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) + certificate_t *issuer, bool online, int pathlen, bool anchor, + auth_cfg_t *auth) { if (subject->get_type(subject) == CERT_X509 && issuer->get_type(issuer) == CERT_X509 &&