Exemplo n.º 1
0
/* compare two struct id values, DNs can contain wildcards */
bool match_id(const struct id *a, const struct id *b, int *wildcards)
{

	bool match;

	if (b->kind == ID_NONE) {
		*wildcards = MAX_WILDCARDS;
		match = TRUE;
	} else if (a->kind != b->kind) {
		match = FALSE;
	} else if (a->kind == ID_DER_ASN1_DN) {
		match = match_dn(a->name, b->name, wildcards);
	} else {
		*wildcards = 0;
		match = same_id(a, b);
	}

	DBG(DBG_CONTROLMORE, {
			char abuf[IDTOA_BUF];
			char bbuf[IDTOA_BUF];
			idtoa(a, abuf, IDTOA_BUF);
			idtoa(b, bbuf, IDTOA_BUF);
			DBG_log("   match_id a=%s", abuf);
			DBG_log("            b=%s", bbuf);
			DBG_log("   results  %s", match ? "matched" : "fail");
		});
Exemplo n.º 2
0
stf_status
ikev2_verify_rsa_sha1(struct state *st
                      , enum phase1_role role
                      , unsigned char *idhash
                      , const struct pubkey_list *keys_from_dns
                      , const struct gw_info *gateways_from_dns
                      , pb_stream *sig_pbs)
{
    struct pubkey_list *p, **pp;
    struct connection *c = st->st_connection;
    int pathlen;

    pp = &pluto_pubkeys;

    {

        DBG(DBG_CONTROL,
            char buf[IDTOA_BUF];
            dntoa_or_null(buf, IDTOA_BUF, c->spd.that.ca, "%any");
            DBG_log("ikev2 verify required CA is '%s'", buf));
    }

    {
        time_t n;
        n = 1438262454;   /* Thu Jul 30 09:21:01 EDT 2015 in seconds */
        list_certs(n);
    }

    for (p = pluto_pubkeys; p != NULL; p = *pp)
    {
        char keyname[IDTOA_BUF];
        struct pubkey *key = p->key;
        pp = &p->next;

        idtoa(&key->id, keyname, IDTOA_BUF);
        DBG_log("checking alg=%d == %d, keyid=%s same_id=%u\n"
                , key->alg, PUBKEY_ALG_RSA
                , keyname
                , same_id(&st->ikev2.st_peer_id, &key->id));
        if (key->alg == PUBKEY_ALG_RSA
                && same_id(&st->ikev2.st_peer_id, &key->id)
                && trusted_ca(key->issuer, c->spd.that.ca, &pathlen))
        {
            time_t tnow;

            DBG(DBG_CONTROL,
                char buf[IDTOA_BUF];
                dntoa_or_null(buf, IDTOA_BUF, key->issuer, "%any");
                DBG_log("key issuer CA is '%s'", buf));

            /* check if found public key has expired */
            time(&tnow);
            if (key->until_time != UNDEFINED_TIME && key->until_time < tnow)
            {
                loglog(RC_LOG_SERIOUS,
                       "cached RSA public key has expired and has been deleted");
                *pp = free_public_keyentry(p);
                continue; /* continue with next public key */
            }

            return STF_OK;
        }
    }