Logo Search packages:      
Sourcecode: strongswan version File versions  Download package

ca.c

/* Certification Authority (CA) support for IKE authentication
 * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * RCSID $Id: ca.c,v 1.10 2005/12/25 12:29:55 as Exp $
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#include <time.h>
#include <sys/types.h>

#include <freeswan.h>
#include <freeswan/ipsec_policy.h>

#include "constants.h"
#include "defs.h"
#include "log.h"
#include "x509.h"
#include "ca.h"
#include "certs.h"
#include "whack.h"
#include "fetch.h"

/* chained list of X.509 authority certificates (ca, aa, and ocsp) */

static x509cert_t *x509authcerts = NULL;

const ca_info_t empty_ca_info = {
      NULL    ,  /* next */
      NULL    ,  /* name */
    UNDEFINED_TIME,
    { NULL, 0 }     ,  /* authName */
    { NULL, 0 }     ,  /* authKeyID */
    { NULL, 0 }     ,  /* authKey SerialNumber */
      NULL    ,  /* ldaphost */
      NULL    ,  /* ldapbase */
      NULL    ,  /* ocspori */
      NULL    ,  /* crluri */
      FALSE      /* strictcrlpolicy */
};

/* chained list of X.509 certification authority information records */

static ca_info_t *ca_infos = NULL;

/*
 * Checks if CA a is trusted by CA b
 */
bool
trusted_ca(chunk_t a, chunk_t b, int *pathlen)
{
    bool match = FALSE;

    /* no CA b specified -> any CA a is accepted */
    if (b.ptr == NULL)
    {
      *pathlen = (a.ptr == NULL)? 0 : MAX_CA_PATH_LEN;
      return TRUE;
    }

    /* no CA a specified -> trust cannot be established */
    if (a.ptr == NULL)
    {
      *pathlen = MAX_CA_PATH_LEN;
      return FALSE;
    }

    *pathlen = 0;

    /* CA a equals CA b -> we have a match */
    if (same_dn(a, b))
      return TRUE;

    /* CA a might be a subordinate CA of b */
    lock_authcert_list("trusted_ca");

    while ((*pathlen)++ < MAX_CA_PATH_LEN)
    {
      x509cert_t *cacert = get_authcert(a, empty_chunk, empty_chunk, AUTH_CA);

      /* cacert not found or self-signed root cacert-> exit */
      if (cacert == NULL || same_dn(cacert->issuer, a))
          break;

      /* does the issuer of CA a match CA b? */
      match = same_dn(cacert->issuer, b);

      /* we have a match and exit the loop */
      if (match)
          break;

      /* go one level up in the CA chain */
      a = cacert->issuer;
    }
    
    unlock_authcert_list("trusted_ca");
    return match;
}

/*
 * does our CA match one of the requested CAs?
 */
bool
match_requested_ca(generalName_t *requested_ca, chunk_t our_ca, int *our_pathlen)
{
    /* if no ca is requested than any ca will match */
    if (requested_ca == NULL)
    {
      *our_pathlen = 0;
      return TRUE;
    }

    *our_pathlen = MAX_CA_PATH_LEN + 1;

    while (requested_ca != NULL)
    {
      int pathlen;

      if (trusted_ca(our_ca, requested_ca->name, &pathlen)
      && pathlen < *our_pathlen)
          *our_pathlen = pathlen;
      requested_ca = requested_ca->next;
    }

    return *our_pathlen <= MAX_CA_PATH_LEN;
}

/*
 *  free the first authority certificate in the chain
 */
static void
free_first_authcert(void)
{
    x509cert_t *first = x509authcerts;
    x509authcerts = first->next;
    free_x509cert(first);
}

/*
 *  free  all CA certificates
 */
void
free_authcerts(void)
{
    lock_authcert_list("free_authcerts");

    while (x509authcerts != NULL)
        free_first_authcert();

    unlock_authcert_list("free_authcerts");
}

/*
 *  get a X.509 authority certificate with a given subject or keyid
 */
x509cert_t*
get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid, u_char auth_flags)
{
    x509cert_t *cert = x509authcerts;
    x509cert_t *prev_cert = NULL;

    while (cert != NULL)
    {
      if (cert->authority_flags & auth_flags
      && ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
          : (same_dn(subject, cert->subject)
             && same_serial(serial, cert->serialNumber))))
      {
          if (cert != x509authcerts)
          {
            /* bring the certificate up front */
            prev_cert->next = cert->next;
            cert->next = x509authcerts;
            x509authcerts = cert;
          }
          return cert;
      }
      prev_cert = cert;
      cert = cert->next;
    }
    return NULL;
}

/*
 * add an authority certificate to the chained list
 */
bool
add_authcert(x509cert_t *cert, u_char auth_flags)
{
    x509cert_t *old_cert;

    /* set authority flags */
    cert->authority_flags |= auth_flags;

    lock_authcert_list("add_authcert");

    old_cert = get_authcert(cert->subject, cert->serialNumber
      , cert->subjectKeyID, auth_flags);

    if (old_cert != NULL)
    {
      if (same_x509cert(cert, old_cert))
      {
          /* cert is already present, just add additional authority flags */
          old_cert->authority_flags |= cert->authority_flags;
          DBG(DBG_CONTROL | DBG_PARSING ,
            DBG_log("  authcert is already present and identical")
          )
          unlock_authcert_list("add_authcert");

          free_x509cert(cert);
          return FALSE;
      }
      else
      {
          /* cert is already present but will be replaced by new cert */
          free_first_authcert();
          DBG(DBG_CONTROL | DBG_PARSING ,
            DBG_log("  existing authcert deleted")
          )
      }
    }

    /* add new authcert to chained list */
    cert->next = x509authcerts;
    x509authcerts = cert;
    share_x509cert(cert);  /* set count to one */
    DBG(DBG_CONTROL | DBG_PARSING,
      DBG_log("  authcert inserted")
    )
    unlock_authcert_list("add_authcert");
    return TRUE;
}

/*
 *  Loads authority certificates
 */
void
load_authcerts(const char *type, const char *path, u_char auth_flags)
{
    struct dirent **filelist;
    u_char buf[BUF_LEN];
    u_char *save_dir;
    int n;

    /* change directory to specified path */
    save_dir = getcwd(buf, BUF_LEN);

    if (chdir(path))
    {
      plog("Could not change to directory '%s'", path);
    }
    else
    {
      plog("Changing to directory '%s'", path);
      n = scandir(path, &filelist, file_select, alphasort);

      if (n < 0)
          plog("  scandir() error");
      else
      {
          while (n--)
          {
            cert_t cert;

            if (load_cert(filelist[n]->d_name, type, &cert))
                add_authcert(cert.u.x509, auth_flags);

            free(filelist[n]);
          }
          free(filelist);
      }
    }
    /* restore directory path */
    chdir(save_dir);
}

/*
 *  list all X.509 authcerts with given auth flags in a chained list
 */
void
list_authcerts(const char *caption, u_char auth_flags, bool utc)
{
    lock_authcert_list("list_authcerts");
    list_x509cert_chain(caption, x509authcerts, auth_flags, utc);
    unlock_authcert_list("list_authcerts");
}

/*
 * get a cacert with a given subject or keyid from an alternative list
 */
static const x509cert_t*
get_alt_cacert(chunk_t subject, chunk_t serial, chunk_t keyid
    , const x509cert_t *cert)
{
    while (cert != NULL)
    {
      if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
          : (same_dn(subject, cert->subject)
             && same_serial(serial, cert->serialNumber)))
      {
          return cert;
      }
      cert = cert->next;
    }
    return NULL;
}

/* establish trust into a candidate authcert by going up the trust chain.
 * validity and revocation status are not checked.
 */
bool
trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
{
    int pathlen;

    lock_authcert_list("trust_authcert_candidate");

    for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
    {
      const x509cert_t *authcert = NULL;
      u_char buf[BUF_LEN];

      DBG(DBG_CONTROL,
          dntoa(buf, BUF_LEN, cert->subject);
          DBG_log("subject: '%s'",buf);
          dntoa(buf, BUF_LEN, cert->issuer);
          DBG_log("issuer:  '%s'",buf);
          if (cert->authKeyID.ptr != NULL)
          {
            datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
                , buf, BUF_LEN);
            DBG_log("authkey:  %s", buf);
          }
      )

      /* search in alternative chain first */
      authcert = get_alt_cacert(cert->issuer, cert->authKeySerialNumber
          , cert->authKeyID, alt_chain);

      if (authcert != NULL)
      {
          DBG(DBG_CONTROL,
            DBG_log("issuer cacert found in alternative chain")
          )
      }
      else
      {
          /* search in trusted chain */
          authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
            , cert->authKeyID, AUTH_CA);

          if (authcert != NULL)
          {
            DBG(DBG_CONTROL,
                DBG_log("issuer cacert found")
            )
          }
          else
          {
            plog("issuer cacert not found");
            unlock_authcert_list("trust_authcert_candidate");
            return FALSE;
          }
      }

      if (!check_signature(cert->tbsCertificate, cert->signature
                     , cert->algorithm, cert->algorithm, authcert))
      {
          plog("certificate signature is invalid");
          unlock_authcert_list("trust_authcert_candidate");
          return FALSE;
      }
      DBG(DBG_CONTROL,
          DBG_log("certificate signature is valid")
      )

      /* check if cert is a self-signed root ca */
      if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
      {
          DBG(DBG_CONTROL,
            DBG_log("reached self-signed root ca")
          )
          unlock_authcert_list("trust_authcert_candidate");
          return TRUE;
      }

      /* go up one step in the trust chain */
      cert = authcert;
    }
    plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
    unlock_authcert_list("trust_authcert_candidate");
    return FALSE;
}

/*
 *  get a CA info record with a given authName or authKeyID
 */
ca_info_t*
get_ca_info(chunk_t authname, chunk_t serial, chunk_t keyid)
{
    ca_info_t *ca= ca_infos;

    while (ca!= NULL)
    {
      if ((keyid.ptr != NULL) ? same_keyid(keyid, ca->authKeyID)
          : (same_dn(authname, ca->authName)
             && same_serial(serial, ca->authKeySerialNumber)))
      {
          return ca;
      }
      ca = ca->next;
    }
    return NULL;
}


/*
 *  free the dynamic memory used by a ca_info record
 */
static void
free_ca_info(ca_info_t* ca_info)
{
    if (ca_info == NULL)
      return;

    pfreeany(ca_info->name);
    pfreeany(ca_info->ldaphost);
    pfreeany(ca_info->ldapbase);
    pfreeany(ca_info->ocspuri);

    freeanychunk(ca_info->authName);
    freeanychunk(ca_info->authKeyID);
    freeanychunk(ca_info->authKeySerialNumber);

    free_generalNames(ca_info->crluri, TRUE);

    pfree(ca_info);
}

/*
 *  free  all CA certificates
 */
void
free_ca_infos(void)
{
    while (ca_infos != NULL)
    {
      ca_info_t *ca = ca_infos;

      ca_infos = ca_infos->next;
      free_ca_info(ca);
    }
}

/*
 * find a CA information record by name and optionally delete it
 */
bool
find_ca_info_by_name(const char *name, bool delete)
{
    ca_info_t **ca_p = &ca_infos;
    ca_info_t *ca = *ca_p;

    while (ca != NULL)
    {
      /* is there already an entry? */
      if (streq(name, ca->name))
      {
          if (delete)
          {
            lock_ca_info_list("find_ca_info_by_name");
            *ca_p = ca->next;
            free_ca_info(ca);
            plog("deleting ca description \"%s\"", name);
            unlock_ca_info_list("find_ca_info_by_name");
          }
          return TRUE;
      }
      ca_p = &ca->next;
      ca = *ca_p;
    }
    return FALSE;
}


 /*
 * adds a CA description to a chained list
 */
void
add_ca_info(const whack_message_t *msg)
{
    smartcard_t *sc = NULL;
    cert_t cert;
    bool valid_cert = FALSE;
    bool cached_cert = FALSE;

    if (find_ca_info_by_name(msg->name, FALSE))
    {
      loglog(RC_DUPNAME, "attempt to redefine ca record \"%s\"", msg->name);
      return;
    }

    if (scx_on_smartcard(msg->cacert))
    {
      /* load CA cert from smartcard */
      valid_cert = scx_load_cert(msg->cacert, &sc, &cert, &cached_cert);
    }
    else
    {
      /* load CA cert from file */
      valid_cert = load_ca_cert(msg->cacert, &cert);
    }

    if (valid_cert)
    {
      char buf[BUF_LEN];
      x509cert_t *cacert = cert.u.x509;
      ca_info_t *ca = NULL;

      /* does the authname already exist? */
      ca = get_ca_info(cacert->subject, cacert->serialNumber
            , cacert->subjectKeyID);
      
      if (ca != NULL)
      {
          /* ca_info is already present */
          loglog(RC_DUPNAME, "  duplicate ca information in record \"%s\" found,"
                         "ignoring \"%s\"", ca->name, msg->name);
          free_x509cert(cacert);
          return;
      }

      plog("added ca description \"%s\"", msg->name);

      /* create and initialize new ca_info record */
      ca = alloc_thing(ca_info_t, "ca info");
      *ca = empty_ca_info;

      /* name */
      ca->name = clone_str(msg->name, "ca name");
          
      /* authName */
      clonetochunk(ca->authName, cacert->subject.ptr
          , cacert->subject.len, "authName");
      dntoa(buf, BUF_LEN, ca->authName);
      DBG(DBG_CONTROL,
          DBG_log("authname: '%s'", buf)
      )

      /* authSerialNumber */
      clonetochunk(ca->authKeySerialNumber, cacert->serialNumber.ptr
          , cacert->serialNumber.len, "authKeySerialNumber");

      /* authKeyID */
      if (cacert->subjectKeyID.ptr != NULL)
      {
          clonetochunk(ca->authKeyID, cacert->subjectKeyID.ptr
            , cacert->subjectKeyID.len, "authKeyID");
          datatot(cacert->subjectKeyID.ptr, cacert->subjectKeyID.len, ':'
            , buf, BUF_LEN);
          DBG(DBG_CONTROL | DBG_PARSING ,
            DBG_log("authkey:  %s", buf)
          )
      }

      /* ldaphost */
      ca->ldaphost = clone_str(msg->ldaphost, "ldaphost");

      /* ldapbase */
      ca->ldapbase = clone_str(msg->ldapbase, "ldapbase");

      /* ocspuri */
      if (msg->ocspuri != NULL)
      {
          if (strncasecmp(msg->ocspuri, "http", 4) == 0)
            ca->ocspuri = clone_str(msg->ocspuri, "ocspuri");
          else
            plog("  ignoring ocspuri with unkown protocol");
      }

      /* crluri2*/
      if (msg->crluri2 != NULL)
      {
          generalName_t gn =
            { NULL, GN_URI, {msg->crluri2, strlen(msg->crluri2)} };

          add_distribution_points(&gn, &ca->crluri);
      }

      /* crluri */
      if (msg->crluri != NULL)
      {
          generalName_t gn =
            { NULL, GN_URI, {msg->crluri, strlen(msg->crluri)} };

          add_distribution_points(&gn, &ca->crluri);
      }

      /* strictrlpolicy */
      ca->strictcrlpolicy = msg->whack_strict;

      /* insert ca_info record into the chained list */
      lock_ca_info_list("add_ca_info");

      ca->next = ca_infos;
      ca_infos = ca;
      ca->installed = time(NULL);
      
      unlock_ca_info_list("add_ca_info");

      /* add cacert to list of authcerts */
      if (!cached_cert)
      {
          if (add_authcert(cacert, AUTH_CA) && sc != NULL)
          {
            if (sc->last_cert.type == CERT_X509_SIGNATURE)
                sc->last_cert.u.x509->count--;
            sc->last_cert = cert;
            share_cert(sc->last_cert);
          }
      }
      if (sc != NULL)
          time(&sc->last_load);
    }
}

/*
 * list all ca_info records in the chained list
 */
void
list_ca_infos(bool utc)
{
    ca_info_t *ca = ca_infos;
    
    if (ca != NULL)
    {
      whack_log(RC_COMMENT, " ");
      whack_log(RC_COMMENT, "List of X.509 CA Information Records:");
      whack_log(RC_COMMENT, " ");
    }

    while (ca != NULL)
    {
      u_char buf[BUF_LEN];

      /* strictpolicy per CA not supported yet
       *
      whack_log(RC_COMMENT, "%s, \"%s\", strictcrlpolicy: %s"
            , timetoa(&ca->installed, utc), ca->name
            , ca->strictcrlpolicy? "yes":"no");
      */
      whack_log(RC_COMMENT, "%s, \"%s\"", timetoa(&ca->installed, utc), ca->name);
      dntoa(buf, BUF_LEN, ca->authName);
      whack_log(RC_COMMENT, "       authname: '%s'", buf);
      if (ca->ldaphost != NULL)
          whack_log(RC_COMMENT, "       ldaphost: '%s'", ca->ldaphost);
      if (ca->ldapbase != NULL)
          whack_log(RC_COMMENT, "       ldapbase: '%s'", ca->ldapbase);
      if (ca->ocspuri != NULL)
          whack_log(RC_COMMENT, "       ocspuri:  '%s'", ca->ocspuri);

      list_distribution_points(ca->crluri);

      if (ca->authKeyID.ptr != NULL)
      {
          datatot(ca->authKeyID.ptr, ca->authKeyID.len, ':'
            , buf, BUF_LEN);
          whack_log(RC_COMMENT, "       authkey:   %s", buf);
      }
      if (ca->authKeySerialNumber.ptr != NULL)
      {
          datatot(ca->authKeySerialNumber.ptr, ca->authKeySerialNumber.len, ':'
            , buf, BUF_LEN);
          whack_log(RC_COMMENT, "       aserial:   %s", buf);
      }
      ca = ca->next;
    }
}



Generated by  Doxygen 1.6.0   Back to index