From b67ae0f89cbbbbbef1af1bdf93e4b59d2c5c37a0 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 27 Feb 2015 18:45:56 +0100 Subject: ikev2: Add an option to disable constraints against signature schemes If this is disabled the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored. Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains. --- src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index d8c4570dc..52539456e 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -54,6 +54,11 @@ struct private_pubkey_authenticator_t { * Reserved bytes of ID payload */ char reserved[3]; + + /** + * Whether to store signature schemes on remote auth configs. + */ + bool store_signature_scheme; }; /** @@ -325,8 +330,11 @@ METHOD(authenticator_t, process, status_t, auth_method == AUTH_DS ? scheme : auth_method); status = SUCCESS; auth->merge(auth, current_auth, FALSE); - auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + if (this->store_signature_scheme) + { + auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme); + } break; } else @@ -399,6 +407,8 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, .ike_sa = ike_sa, .ike_sa_init = received_init, .nonce = sent_nonce, + .store_signature_scheme = lib->settings->get_bool(lib->settings, + "%s.signature_authentication_constraints", TRUE, lib->ns), ); memcpy(this->reserved, reserved, sizeof(this->reserved)); -- cgit v1.2.3