2
* Copyright (C) 2010 Martin Willi
3
* Copyright (C) 2010 revosec AG
4
* Copyright (C) 2009 Andreas Steffen
5
* Hochschule fuer Technik Rapperswil
7
* This program is free software; you can redistribute it and/or modify it
8
* under the terms of the GNU General Public License as published by the
9
* Free Software Foundation; either version 2 of the License, or (at your
10
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12
* This program is distributed in the hope that it will be useful, but
13
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18
#include "addrblock_validator.h"
21
#include <credentials/certificates/x509.h>
22
#include <selectors/traffic_selector.h>
24
typedef struct private_addrblock_validator_t private_addrblock_validator_t;
27
* Private data of an addrblock_validator_t object.
29
struct private_addrblock_validator_t {
32
* Public addrblock_validator_t interface.
34
addrblock_validator_t public;
38
* Do the addrblock check for two x509 plugins
40
static bool check_addrblock(x509_t *subject, x509_t *issuer)
42
bool subject_const, issuer_const, contained = TRUE;
43
enumerator_t *subject_enumerator, *issuer_enumerator;
44
traffic_selector_t *subject_ts, *issuer_ts;
46
subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
47
issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
49
if (!subject_const && !issuer_const)
55
DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
60
DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
63
subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
64
while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
68
issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
69
while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
71
if (subject_ts->is_contained_in(subject_ts, issuer_ts))
73
DBG2(DBG_CFG, " subject address block %R is contained in "
74
"issuer address block %R", subject_ts, issuer_ts);
79
issuer_enumerator->destroy(issuer_enumerator);
82
DBG1(DBG_CFG, "subject address block %R is not contained in any "
83
"issuer address block", subject_ts);
87
subject_enumerator->destroy(subject_enumerator);
91
METHOD(cert_validator_t, validate, bool,
92
private_addrblock_validator_t *this, certificate_t *subject,
93
certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
95
if (subject->get_type(subject) == CERT_X509 &&
96
issuer->get_type(issuer) == CERT_X509)
98
return check_addrblock((x509_t*)subject, (x509_t*)issuer);
103
METHOD(addrblock_validator_t, destroy, void,
104
private_addrblock_validator_t *this)
112
addrblock_validator_t *addrblock_validator_create()
114
private_addrblock_validator_t *this;
118
.validator.validate = _validate,
123
return &this->public;