aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c7
-rw-r--r--src/libcharon/plugins/vici/vici_config.c5
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c96
-rw-r--r--src/libstrongswan/credentials/auth_cfg.h4
-rw-r--r--src/libstrongswan/tests/Makefile.am1
-rw-r--r--src/libstrongswan/tests/suites/test_auth_cfg.c122
-rw-r--r--src/libstrongswan/tests/tests.h1
7 files changed, 194 insertions, 42 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 134abb955..d0eb2aac3 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -506,14 +506,15 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
}
/* authentication metod (class, actually) */
- if (strpfx(auth, "pubkey") ||
+ if (strpfx(auth, "ike:") ||
+ strpfx(auth, "pubkey") ||
strpfx(auth, "rsa") ||
strpfx(auth, "ecdsa") ||
strpfx(auth, "bliss"))
{
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
build_crl_policy(cfg, local, msg->add_conn.crl_policy);
- cfg->add_pubkey_constraints(cfg, auth);
+ cfg->add_pubkey_constraints(cfg, auth, TRUE);
}
else if (streq(auth, "psk") || streq(auth, "secret"))
{
@@ -546,7 +547,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
if (pos)
{
*pos = 0;
- cfg->add_pubkey_constraints(cfg, pos + 1);
+ cfg->add_pubkey_constraints(cfg, pos + 1, FALSE);
}
type = eap_vendor_type_from_string(auth);
if (type)
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 6cbe5012e..7711fa0cb 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -955,13 +955,14 @@ CALLBACK(parse_auth, bool,
{
return FALSE;
}
- if (strpfx(buf, "pubkey") ||
+ if (strpfx(buf, "ike:") ||
+ strpfx(buf, "pubkey") ||
strpfx(buf, "rsa") ||
strpfx(buf, "ecdsa") ||
strpfx(buf, "bliss"))
{
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
- cfg->add_pubkey_constraints(cfg, buf);
+ cfg->add_pubkey_constraints(cfg, buf, TRUE);
return TRUE;
}
if (strcaseeq(buf, "psk"))
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 2f18cb6cd..5466a2e08 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
* Copyright (C) 2007-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -518,13 +518,16 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
}
METHOD(auth_cfg_t, add_pubkey_constraints, void,
- private_auth_cfg_t *this, char* constraints)
+ private_auth_cfg_t *this, char* constraints, bool ike)
{
enumerator_t *enumerator;
- bool rsa = FALSE, ecdsa = FALSE, bliss = FALSE,
- rsa_len = FALSE, ecdsa_len = FALSE, bliss_strength = FALSE;
+ bool is_ike = FALSE, ike_added = FALSE;
+ key_type_t expected_type = -1;
+ auth_rule_t expected_strength = AUTH_RULE_MAX;
int strength;
char *token;
+ auth_rule_t type;
+ void *value;
enumerator = enumerator_create_token(constraints, "-", "");
while (enumerator->enumerate(enumerator, &token))
@@ -554,46 +557,47 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
{ "sha512", SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, },
};
- if (rsa_len || ecdsa_len || bliss_strength)
+ if (expected_strength != AUTH_RULE_MAX)
{ /* expecting a key strength token */
strength = atoi(token);
if (strength)
{
- if (rsa_len)
- {
- add(this, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
- }
- else if (ecdsa_len)
- {
- add(this, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
- }
- else if (bliss_strength)
- {
- add(this, AUTH_RULE_BLISS_STRENGTH, (uintptr_t)strength);
- }
+ add(this, expected_strength, (uintptr_t)strength);
}
- rsa_len = ecdsa_len = bliss_strength = FALSE;
+ expected_strength = AUTH_RULE_MAX;
if (strength)
{
continue;
}
}
- if (streq(token, "rsa"))
+ if (streq(token, "rsa") || streq(token, "ike:rsa"))
+ {
+ expected_type = KEY_RSA;
+ expected_strength = AUTH_RULE_RSA_STRENGTH;
+ is_ike = strpfx(token, "ike:");
+ continue;
+ }
+ if (streq(token, "ecdsa") || streq(token, "ike:ecdsa"))
{
- rsa = rsa_len = TRUE;
+ expected_type = KEY_ECDSA;
+ expected_strength = AUTH_RULE_ECDSA_STRENGTH;
+ is_ike = strpfx(token, "ike:");
continue;
}
- if (streq(token, "ecdsa"))
+ if (streq(token, "bliss") || streq(token, "ike:bliss"))
{
- ecdsa = ecdsa_len = TRUE;
+ expected_type = KEY_BLISS;
+ expected_strength = AUTH_RULE_BLISS_STRENGTH;
+ is_ike = strpfx(token, "ike:");
continue;
}
- if (streq(token, "bliss"))
+ if (streq(token, "pubkey") || streq(token, "ike:pubkey"))
{
- bliss = bliss_strength = TRUE;
+ expected_type = KEY_ANY;
+ is_ike = strpfx(token, "ike:");
continue;
}
- if (streq(token, "pubkey"))
+ if (is_ike && !ike)
{
continue;
}
@@ -602,18 +606,19 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
{
if (streq(schemes[i].name, token))
{
- /* for each matching string, allow the scheme, if:
- * - it is an RSA scheme, and we enforced RSA
- * - it is an ECDSA scheme, and we enforced ECDSA
- * - it is not a key type specific scheme
- */
- if ((rsa && schemes[i].key == KEY_RSA) ||
- (ecdsa && schemes[i].key == KEY_ECDSA) ||
- (bliss && schemes[i].key == KEY_BLISS) ||
- (!rsa && !ecdsa && !bliss))
+ if (expected_type == KEY_ANY || expected_type == schemes[i].key)
{
- add(this, AUTH_RULE_SIGNATURE_SCHEME,
- (uintptr_t)schemes[i].scheme);
+ if (is_ike)
+ {
+ add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+ (uintptr_t)schemes[i].scheme);
+ ike_added = TRUE;
+ }
+ else
+ {
+ add(this, AUTH_RULE_SIGNATURE_SCHEME,
+ (uintptr_t)schemes[i].scheme);
+ }
}
found = TRUE;
}
@@ -624,6 +629,25 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
}
}
enumerator->destroy(enumerator);
+
+ /* if no explicit IKE signature contraints were added we add them for all
+ * configured signature contraints */
+ if (ike && !ike_added &&
+ lib->settings->get_bool(lib->settings,
+ "%s.signature_authentication_constraints", TRUE,
+ lib->ns))
+ {
+ enumerator = create_enumerator(this);
+ while (enumerator->enumerate(enumerator, &type, &value))
+ {
+ if (type == AUTH_RULE_SIGNATURE_SCHEME)
+ {
+ add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+ (uintptr_t)value);
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
}
/**
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index f00e64f7e..75bc7e97b 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -187,8 +187,10 @@ struct auth_cfg_t {
* Add public key and signature scheme constraints to the set.
*
* @param constraints constraints string (e.g. "rsa-sha384")
+ * @param ike whether to add/parse constraints for IKE signatures
*/
- void (*add_pubkey_constraints)(auth_cfg_t *this, char *constraints);
+ void (*add_pubkey_constraints)(auth_cfg_t *this, char *constraints,
+ bool ike);
/**
* Get a rule value.
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index d86584ad1..b2d456035 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -44,6 +44,7 @@ tests_SOURCES = tests.h tests.c \
suites/test_certpolicy.c \
suites/test_certnames.c \
suites/test_host.c \
+ suites/test_auth_cfg.c \
suites/test_hasher.c \
suites/test_crypter.c \
suites/test_crypto_factory.c \
diff --git a/src/libstrongswan/tests/suites/test_auth_cfg.c b/src/libstrongswan/tests/suites/test_auth_cfg.c
new file mode 100644
index 000000000..e046725b8
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_auth_cfg.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <credentials/auth_cfg.h>
+
+struct {
+ char *constraints;
+ signature_scheme_t sig[5];
+ signature_scheme_t ike[5];
+} sig_constraints_tests[] = {
+ { "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}},
+ { "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA512, 0 }, {0}},
+ { "ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+ { "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+ { "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, {0}},
+ { "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
+ { "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
+ { "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
+ { "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }},
+ { "rsa-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+ { "rsa-4096-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+ { "rsa-4096-ecdsa-256-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+ { "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}},
+ { "rsa4096-sha256", {0}, {0}},
+ { "sha256", {0}, {0}},
+ { "ike:sha256", {0}, {0}},
+};
+
+static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type,
+ signature_scheme_t expected[])
+{
+ enumerator_t *enumerator;
+ auth_rule_t t;
+ void *value;
+ int i = 0;
+
+ enumerator = cfg->create_enumerator(cfg);
+ while (enumerator->enumerate(enumerator, &t, &value))
+ {
+ if (t == type)
+ {
+ ck_assert(expected[i]);
+ ck_assert_int_eq(expected[i], (signature_scheme_t)value);
+ i++;
+ }
+ }
+ enumerator->destroy(enumerator);
+ ck_assert(!expected[i]);
+}
+
+START_TEST(test_sig_contraints)
+{
+ auth_cfg_t *cfg;
+ signature_scheme_t none[] = {0};
+
+ cfg = auth_cfg_create();
+ cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, FALSE);
+ check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+ check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, none);
+ cfg->destroy(cfg);
+
+ lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
+ FALSE, lib->ns);
+
+ cfg = auth_cfg_create();
+ cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
+ check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+ check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike);
+ cfg->destroy(cfg);
+}
+END_TEST
+
+START_TEST(test_ike_contraints_fallback)
+{
+ auth_cfg_t *cfg;
+
+ lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
+ TRUE, lib->ns);
+
+ cfg = auth_cfg_create();
+ cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
+ check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+ if (sig_constraints_tests[_i].ike[0])
+ {
+ check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike);
+ }
+ else
+ {
+ check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+ }
+ cfg->destroy(cfg);
+}
+END_TEST
+
+Suite *auth_cfg_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("auth_cfg");
+
+ tc = tcase_create("add_pubkey_constraints");
+ tcase_add_loop_test(tc, test_sig_contraints, 0, countof(sig_constraints_tests));
+ tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index e1074b931..824c88022 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -37,6 +37,7 @@ TEST_SUITE_DEPEND(certpolicy_suite_create, CERT_ENCODE, CERT_X509)
TEST_SUITE_DEPEND(certnames_suite_create, CERT_ENCODE, CERT_X509)
TEST_SUITE(host_suite_create)
TEST_SUITE(printf_suite_create)
+TEST_SUITE(auth_cfg_suite_create)
TEST_SUITE(hasher_suite_create)
TEST_SUITE(crypter_suite_create)
TEST_SUITE(crypto_factory_suite_create)
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-23 20:22:51 +0000