From c8a0781334a1ebb43b31c613a0538d3ea364bf4c Mon Sep 17 00:00:00 2001 From: Thomas Egerer Date: Mon, 1 Feb 2016 18:15:15 +0100 Subject: ikev2: Diversify signature scheme rule This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer --- .../sa/ikev2/authenticators/pubkey_authenticator.c | 5 +- src/libcharon/sa/ikev2/tasks/ike_init.c | 2 +- src/libstrongswan/credentials/auth_cfg.c | 96 +++++++++++++++------- src/libstrongswan/credentials/auth_cfg.h | 2 + 4 files changed, 72 insertions(+), 33 deletions(-) (limited to 'src') diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 2929033aa..64cd775ad 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -130,7 +130,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, enumerator = auth->create_enumerator(auth); while (enumerator->enumerate(enumerator, &rule, &config)) { - if (rule != AUTH_RULE_SIGNATURE_SCHEME) + if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME) { continue; } @@ -427,7 +427,8 @@ METHOD(authenticator_t, process, status_t, auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); if (this->store_signature_scheme) { - auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme); + auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, + (uintptr_t)scheme); } break; } diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 5cfb51807..78579be95 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -171,7 +171,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this, enumerator = auth->create_enumerator(auth); while (enumerator->enumerate(enumerator, &rule, &config)) { - if (rule == AUTH_RULE_SIGNATURE_SCHEME) + if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME) { hash = hasher_from_signature_scheme(config); if (hasher_algorithm_for_ikev2(hash)) diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index e2047e88f..2f18cb6cd 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -51,6 +51,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT, "RULE_ECDSA_STRENGTH", "RULE_BLISS_STRENGTH", "RULE_SIGNATURE_SCHEME", + "RULE_IKE_SIGNATURE_SCHEME", "RULE_CERT_POLICY", "HELPER_IM_CERT", "HELPER_SUBJECT_CERT", @@ -91,6 +92,7 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_IM_CERT: case AUTH_RULE_CERT_POLICY: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: @@ -211,6 +213,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args) case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: /* integer type */ this->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -260,6 +263,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2) case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: { return e1->value == e2->value; } @@ -351,6 +355,7 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_MAX: break; } @@ -383,6 +388,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: /* integer type */ entry->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -459,6 +465,7 @@ METHOD(auth_cfg_t, get, void*, case AUTH_RULE_BLISS_STRENGTH: return (void*)0; case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: return (void*)HASH_UNKNOWN; case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: @@ -619,6 +626,50 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void, enumerator->destroy(enumerator); } +/** + * Check if signature schemes of a specific type are compliant + */ +static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints, + auth_rule_t type, bool log_error) +{ + enumerator_t *e1, *e2; + auth_rule_t t1, t2; + signature_scheme_t scheme; + void *value; + bool success = TRUE; + + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &scheme)) + { + if (t2 == type) + { + success = FALSE; + e1 = constraints->create_enumerator(constraints); + while (e1->enumerate(e1, &t1, &value)) + { + if (t1 == type && (uintptr_t)value == scheme) + { + success = TRUE; + break; + } + } + e1->destroy(e1); + if (!success) + { + if (log_error) + { + DBG1(DBG_CFG, "%s signature scheme %N not acceptable", + AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE", + signature_scheme_names, (int)scheme); + } + break; + } + } + } + e2->destroy(e2); + return success; +} + METHOD(auth_cfg_t, complies, bool, private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error) { @@ -627,7 +678,7 @@ METHOD(auth_cfg_t, complies, bool, bool ca_match = FALSE, cert_match = FALSE; identification_t *require_group = NULL; certificate_t *require_ca = NULL, *require_cert = NULL; - signature_scheme_t scheme = SIGN_UNKNOWN; + signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN; u_int strength = 0; auth_rule_t t1, t2; char *key_type; @@ -823,6 +874,11 @@ METHOD(auth_cfg_t, complies, bool, strength = (uintptr_t)value; break; } + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + ike_scheme = (uintptr_t)value; + break; + } case AUTH_RULE_SIGNATURE_SCHEME: { scheme = (uintptr_t)value; @@ -875,35 +931,13 @@ METHOD(auth_cfg_t, complies, bool, * signature schemes. */ if (success && scheme != SIGN_UNKNOWN) { - e2 = create_enumerator(this); - while (e2->enumerate(e2, &t2, &scheme)) - { - if (t2 == AUTH_RULE_SIGNATURE_SCHEME) - { - success = FALSE; - e1 = constraints->create_enumerator(constraints); - while (e1->enumerate(e1, &t1, &value)) - { - if (t1 == AUTH_RULE_SIGNATURE_SCHEME && - (uintptr_t)value == scheme) - { - success = TRUE; - break; - } - } - e1->destroy(e1); - if (!success) - { - if (log_error) - { - DBG1(DBG_CFG, "signature scheme %N not acceptable", - signature_scheme_names, (int)scheme); - } - break; - } - } - } - e2->destroy(e2); + success = complies_scheme(this, constraints, + AUTH_RULE_SIGNATURE_SCHEME, log_error); + } + if (success && ike_scheme != SIGN_UNKNOWN) + { + success = complies_scheme(this, constraints, + AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error); } /* Check if we have a matching constraint (or none at all) for used @@ -1027,6 +1061,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: { add(this, type, (uintptr_t)value); break; @@ -1197,6 +1232,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: clone->add(clone, type, (uintptr_t)value); break; case AUTH_RULE_MAX: diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 07e5a6bd3..f00e64f7e 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -106,6 +106,8 @@ enum auth_rule_t { AUTH_RULE_BLISS_STRENGTH, /** required signature scheme, signature_scheme_t */ AUTH_RULE_SIGNATURE_SCHEME, + /** required signature scheme for IKE authentication, signature_scheme_t */ + AUTH_RULE_IKE_SIGNATURE_SCHEME, /** certificatePolicy constraint, numerical OID as char* */ AUTH_RULE_CERT_POLICY, -- cgit v1.2.3