From: Andreas Steffen
Date: Wed, 4 Nov 2009 17:10:31 +0000 (+0100)
Subject: implemented path length constraint checking for IKEv1
X-Git-Tag: 4.3.6~268
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c95671cec2cad250e1205fdec162f3a8280823c3;p=thirdparty%2Fstrongswan.git

implemented path length constraint checking for IKEv1
---
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index 25b4e148c9..37d0b016a2 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -344,11 +344,11 @@ chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key,
 */
 bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 {
- int pathlen;
+ int pathlen, pathlen_constraint;
 *until = 0;
- for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+ for (pathlen = -1; pathlen < MAX_CA_PATH_LEN; pathlen++)
 {
 certificate_t *certificate = cert->cert;
 identification_t *subject = certificate->get_subject(certificate);
@@ -407,11 +407,22 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 )
 unlock_authcert_list("verify_x509cert");
+ /* check path length constraint */
+ pathlen_constraint = x509->get_pathLenConstraint(x509);
+ if (pathlen_constraint != NO_PATH_LEN_CONSTRAINT &&
+ pathlen > pathlen_constraint)
+ {
+ plog("path length of %d violates constraint of %d",
+ pathlen, pathlen_constraint);
+ return FALSE;
+ }
+
 /* check if cert is a self-signed root ca */
- if (pathlen > 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
+ if (pathlen >= 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
 {
 DBG(DBG_CONTROL,
- DBG_log("reached self-signed root ca")
+ DBG_log("reached self-signed root ca with a path length of %d",
+ pathlen)
 )
 return TRUE;
 }
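Review bot: The loop in verify_x509cert now starts at pathlen = -1 while its bound pathlen < MAX_CA_PATH_LEN is unchanged, so the walk admits one certificate more than before (the end-entity certificate no longer consumes an index); the reworded message in the @@ -479 hunk and the evaltest.dat update follow from that, but nothing in the code states what -1 means. A comment on the for statement would make the convention explicit: `/* pathlen == -1 is the end-entity cert, 0 its issuing CA; pathlen thus counts the CAs below the current cert, which is what pathLenConstraint limits (RFC 5280 4.2.1.9) */`. The loop body continues outside the hunk.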
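Review bot: The new pathLenConstraint check sits before the self-signed root test, so it is also applied to the trust anchor itself, and since pathlen advances on every step it also counts self-issued intermediates, which RFC 5280 6.1.4 excludes; both make the check stricter than the standard algorithm rather than weaker, so they fail closed, but a comment on the block should say that this is deliberate. The violation plog would be more useful in auth.log if it also named the certificate carrying the constraint, and the subject is already in scope as `subject` from the top of the loop, so the message can be extended with it in whatever identification format plog supports here. `x509` is declared outside the hunk, as is the rest of the loop body.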
@@ -479,7 +490,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 /* go up one step in the trust chain */
 cert = issuer_cert;
 }
- plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+ plog("maximum path length of %d exceeded", MAX_CA_PATH_LEN);
 return FALSE;
 }
diff --git a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
index 781a7b4acc..5248461090 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
@@ -1,3 +1,3 @@
-moon::cat /var/log/auth.log::maximum ca path length of 7 levels exceeded::YES
+moon::cat /var/log/auth.log::maximum path length of 7 exceeded::YES
 carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
 moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO