diff options
| author | Martin Willi <martin@revosec.ch> | 2012-06-12 14:19:11 +0200 |
|---|---|---|
| committer | Martin Willi <martin@revosec.ch> | 2012-06-12 14:24:49 +0200 |
| commit | 918e92c4c9dc11b8db0f5a85d38e9326288c9849 (patch) | |
| tree | c68a7378da47d7cede167b6c89f52bb321a3c3ed /src | |
| parent | fd4ff118586ca4cad4dc1cfe15a42857897fa5e0 (diff) | |
| download | strongswan-918e92c4c9dc11b8db0f5a85d38e9326288c9849.tar.bz2 strongswan-918e92c4c9dc11b8db0f5a85d38e9326288c9849.tar.xz | |
Support multiple different public key strength types in constraints
Diffstat (limited to 'src')
| -rw-r--r-- | src/libstrongswan/credentials/auth_cfg.c | 79 |
1 files changed, 38 insertions, 41 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 16b83d5d0..f196d9363 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -497,6 +497,7 @@ METHOD(auth_cfg_t, complies, bool, enumerator_t *e1, *e2; bool success = TRUE, has_group = FALSE, group_match = FALSE; signature_scheme_t scheme = SIGN_UNKNOWN; + u_int strength = 0; auth_rule_t t1, t2; void *value; @@ -677,47 +678,7 @@ METHOD(auth_cfg_t, complies, bool, case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: { - uintptr_t strength; - - e2 = create_enumerator(this); - while (e2->enumerate(e2, &t2, &strength)) - { - if (t2 == t1) - { - if ((uintptr_t)value > strength) - { - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint requires %d bit " - "public keys, but %d bit key used", - (uintptr_t)value, strength); - } - break; - } - } - else if (t2 == AUTH_RULE_RSA_STRENGTH) - { - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint requires %d bit ECDSA, " - "but RSA used", (uintptr_t)value); - } - break; - } - else if (t2 == AUTH_RULE_ECDSA_STRENGTH) - { - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint requires %d bit RSA, " - "but ECDSA used", (uintptr_t)value); - } - break; - } - } - e2->destroy(e2); + strength = (uintptr_t)value; break; } case AUTH_RULE_SIGNATURE_SCHEME: @@ -800,6 +761,42 @@ METHOD(auth_cfg_t, complies, bool, e2->destroy(e2); } + /* Check if we have a matching constraint (or none at all) for used + * public key strength */ + if (success && strength) + { + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &strength)) + { + if (t2 == AUTH_RULE_RSA_STRENGTH || + t2 == AUTH_RULE_ECDSA_STRENGTH) + { + success = FALSE; + e1 = constraints->create_enumerator(constraints); + while (e1->enumerate(e1, &t1, &value)) + { + if (t1 == t2 && (uintptr_t)value <= strength) + { + success = TRUE; + break; + } + } + e1->destroy(e1); + if (!success) + { + if (log_error) + { + DBG1(DBG_CFG, "%s-%d signatures not acceptable", + t2 == AUTH_RULE_RSA_STRENGTH ? "RSA" : "ECDSA", + strength); + } + break; + } + } + } + e2->destroy(e2); + } + if (has_group && !group_match) { if (log_error) |