authorMartin Willi <martin@revosec.ch>2011-01-07 15:38:34 +0100
committerMartin Willi <martin@revosec.ch>2011-01-07 15:51:35 +0100
commit44e513a320e71e63879fef1664d19a4fe9589912 (patch)
tree80e17210ac792cd7d12efa1318a6f36e1531d9f9
parent6367de28ad9b21cc8f145c7154cb29f5acca366a (diff)
downloadstrongswan-44e513a320e71e63879fef1664d19a4fe9589912.tar.bz2
strongswan-44e513a320e71e63879fef1664d19a4fe9589912.tar.xz
Added support for trustchain key strength checking to rightauth option
-rw-r--r--man/ipsec.conf.5.in9
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c15
2 files changed, 20 insertions, 4 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index a75b5566e..48eb136aa 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA),
.B psk
for pre-shared key authentication and
.B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
+to (require the) use of the Extensible Authentication Protocol.
+To require a trustchain public key strength for the remote side, specify the
+key type followed by the strength in bits (for example
+.BR rsa-2048
+or
+.BR ecdsa-256 ).
+For
.B eap,
an optional EAP method can be appended. Currently defined methods are
.BR eap-aka ,
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index dc2c57e9c..ea7d17592 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -445,11 +445,22 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
/* authentication metod (class, actually) */
if (streq(auth, "pubkey") ||
- streq(auth, "rsasig") || streq(auth, "rsa") ||
- streq(auth, "ecdsasig") || streq(auth, "ecdsa"))
+ strneq(auth, "rsa", strlen("rsa")) ||
+ strneq(auth, "ecdsa", strlen("ecdsa")))
{
+ u_int strength;
+
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+
+ if (sscanf(auth, "rsa-%d", &strength) == 1)
+ {
+ cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
+ }
+ if (sscanf(auth, "ecdsa-%d", &strength) == 1)
+ {
+ cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
+ }
}
else if (streq(auth, "psk") || streq(auth, "secret"))
{