From: Martin Willi
Date: Tue, 9 Jul 2013 12:21:40 +0000 (+0200)
Subject: bus: raise certificate validation alerts using credential manager hook
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9650758f01edc051e100769bb08b62ac94b5640b;p=thirdparty%2Fstrongswan.git
bus: raise certificate validation alerts using credential manager hook
---
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 34d4678d3a..b46184809f 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -833,10 +833,37 @@ METHOD(bus_t, assign_vips, void,
 this->mutex->unlock(this->mutex);
 }
 
+/**
+ * Credential manager hook function to forward bus alerts
+ */
+static void hook_creds(private_bus_t *this, credential_hook_type_t type,
+ certificate_t *cert)
+{
+ switch (type)
+ {
+ case CRED_HOOK_EXPIRED:
+ return alert(this, ALERT_CERT_EXPIRED, cert);
+ case CRED_HOOK_REVOKED:
+ return alert(this, ALERT_CERT_REVOKED, cert);
+ case CRED_HOOK_VALIDATION_FAILED:
+ return alert(this, ALERT_CERT_VALIDATION_FAILED, cert);
+ case CRED_HOOK_NO_ISSUER:
+ return alert(this, ALERT_CERT_NO_ISSUER, cert);
+ case CRED_HOOK_UNTRUSTED_ROOT:
+ return alert(this, ALERT_CERT_UNTRUSTED_ROOT, cert);
+ case CRED_HOOK_EXCEEDED_PATH_LEN:
+ return alert(this, ALERT_CERT_EXCEEDED_PATH_LEN, cert);
+ case CRED_HOOK_POLICY_VIOLATION:
+ return alert(this, ALERT_CERT_POLICY_VIOLATION, cert);
+ }
+}
+
 METHOD(bus_t, destroy, void,
 private_bus_t *this)
 {
 debug_t group;
+
+ lib->credmgr->set_hook(lib->credmgr, NULL, NULL);
 for (group = 0; group < DBG_MAX; group++)
 {
 this->loggers[group]->destroy(this->loggers[group]);
@@ -897,5 +924,7 @@ bus_t *bus_create()
 this->max_vlevel[group] = LEVEL_SILENT;
 }
 
+ lib->credmgr->set_hook(lib->credmgr, (credential_hook_t)hook_creds, this);
+
 return &this->public;
 }
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index cc2eb01678..4a0ac68e36 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
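Review bot: Every arm of the switch in hook_creds uses `return alert(...)` inside a function declared `void`; if alert is the bus's own void alert method, as it appears to be, ISO C11 6.8.6.4 forbids a return with an expression in a void function, and GCC only accepts it as an extension (warned under -pedantic). The conventional form is `alert(this, ALERT_CERT_EXPIRED, cert); break;` for each arm, which keeps the same behaviour without relying on the extension. Leaving the switch without a `default:` is reasonable here because -Wswitch will then flag any credential_hook_type_t value added later; if a default is ever added, it should not silently swallow an unmapped rejection reason, since surfacing those rejections is the purpose of this hook. The hook also runs whatever alert listeners are registered synchronously from the credential manager's validation path, which is worth a sentence in the function comment so listener authors know not to block there.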
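Review bot: The `(credential_hook_t)hook_creds` cast in bus_create hides a signature mismatch: hook_creds (defined in the previous hunk) takes `private_bus_t *` as its first parameter while the hook type presumably takes `void *data`, and calling a function through a pointer of incompatible type is undefined behaviour under C11 6.3.2.3p8 even where the project's ABIs make it work. Declaring `static void hook_creds(void *data, credential_hook_type_t type, certificate_t *cert)`, starting the body with `private_bus_t *this = data;`, and registering it as `lib->credmgr->set_hook(lib->credmgr, hook_creds, this);` removes the cast and the UB. The NULL reset in destroy suggests set_hook holds a single hook slot, so this registration presumably replaces any hook installed earlier and destroy drops whatever hook is installed at that time; if that is intended, a short comment on the set_hook call saying the bus owns the credential manager hook would make the assumption explicit.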
@@ -136,6 +136,20 @@ enum alert_t { ALERT_AUTHORIZATION_FAILED, /** IKE_SA hit the hard lifetime limit before it could be rekeyed */ ALERT_IKE_SA_EXPIRED, + /** Certificate rejected; it has expired, certificate_t */ + ALERT_CERT_EXPIRED, + /** Certificate rejected; it has been revoked, certificate_t */ + ALERT_CERT_REVOKED, + /** Validating certificate status failed, certificate_t */ + ALERT_CERT_VALIDATION_FAILED, + /** Certificate rejected; no trusted issuer found, certificate_t */ + ALERT_CERT_NO_ISSUER, + /** Certificate rejected; root not trusted, certificate_t */ + ALERT_CERT_UNTRUSTED_ROOT, + /** Certificate rejected; trustchain length exceeds limit, certificate_t */ + ALERT_CERT_EXCEEDED_PATH_LEN, + /** Certificate rejected; other policy violation, certificate_t */ + ALERT_CERT_POLICY_VIOLATION, }; /**
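Review bot: The new alert_t entries name certificate_t as the alert argument but say nothing about its lifetime, and hook_creds in bus.c forwards the pointer it receives from the credential manager without taking a reference, so a listener that stores it past the callback holds a dangling pointer once validation finishes. The comments should state that the certificate is borrowed and that a listener must take its own reference via get_ref() if it keeps it, e.g. `/** Certificate rejected; it has expired, certificate_t (borrowed, valid during the alert only) */` for ALERT_CERT_EXPIRED and likewise for the other six entries. Since these alerts are raised from inside certificate validation, it is also worth noting that listeners are invoked on the validating thread and should not re-enter the credential manager from the callback, as far as can be inferred from the hook installed in bus.c.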