Diffstat (limited to 'src/libcharon/sa/ikev2/authenticators')
6 files changed, 35 insertions, 10 deletions
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index 3ab59fada..bcf262725 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h
index d81ebd562..859a21431 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
index 535581068..c1decb130 100644
--- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h
index 91c534145..7ae86b664 100644
--- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h
+++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 65baf8771..652b837fe 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2017 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -23,6 +23,7 @@
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
 #include <collections/array.h>
+#include <credentials/certificates/x509.h>
 
 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
 
@@ -164,7 +165,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 signature_scheme_t schemes[] = {
 SIGN_RSA_EMSA_PKCS1_SHA2_384,
 SIGN_RSA_EMSA_PKCS1_SHA2_256,
- }, contained;
+ };
 bool found;
 int i, j;
 
@@ -174,8 +175,8 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 found = FALSE;
 for (j = 0; j < array_count(selected); j++)
 {
- array_get(selected, j, &contained);
- if (scheme == contained)
+ array_get(selected, j, &config);
+ if (scheme == config->scheme)
 {
 found = TRUE;
 break;
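Review bot: The duplicate check in the second hunk of select_signature_schemes now reads each already-selected entry into `config`, a variable that appears to be declared outside this hunk and reused from the function's earlier walk over the configured schemes; a dedicated local such as `signature_params_t *selected_params;` for this inner loop would make it obvious that the comparison is against entries already in `selected` rather than against the current configuration. The correction itself looks right: the array holds signature params, so `scheme == config->scheme` is the comparison the previous code against a bare `contained` value could not have made. select_signature_schemes starts before this hunk and continues after it.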
@@ -414,6 +415,29 @@ METHOD(authenticator_t, build, status_t,
 return status;
 }
 
+/**
+ * Check if the end-entity certificate, if any, is compliant with RFC 4945
+ */
+static bool is_compliant_cert(auth_cfg_t *auth)
+{
+ certificate_t *cert;
+ x509_t *x509;
+
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (!cert || cert->get_type(cert) != CERT_X509)
+ {
+ return TRUE;
+ }
+ x509 = (x509_t*)cert;
+ if (x509->get_flags(x509) & X509_IKE_COMPLIANT)
+ {
+ return TRUE;
+ }
+ DBG1(DBG_IKE, "rejecting certificate without digitalSignature or "
+ "nonRepudiation keyUsage flags");
+ return FALSE;
+}
+
 METHOD(authenticator_t, process, status_t,
 private_pubkey_authenticator_t *this, message_t *message)
 {
@@ -479,7 +503,8 @@ METHOD(authenticator_t, process, status_t,
 while (enumerator->enumerate(enumerator, &public, ¤t_auth))
 {
 if (public->verify(public, params->scheme, params->params, octets,
- auth_data))
+ auth_data) &&
+ is_compliant_cert(current_auth))
 {
 if (auth_method != AUTH_DS)
 {
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h
index 82bfea23b..c98e97eb9 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
|
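Review bot: is_compliant_cert returns TRUE when the auth config carries no AUTH_RULE_SUBJECT_CERT or the certificate is not CERT_X509, so the RFC 4945 keyUsage requirement is enforced only for X.509 end-entity certificates, and the header comment should say so; extend it with `Returns TRUE if no subject certificate is present or it is not X.509, so only X.509 end-entity certificates are checked.` The decision is made solely on X509_IKE_COMPLIANT, while the DBG1 message names digitalSignature and nonRepudiation, so if the parser that sets the flag is ever relaxed the message would mislead; a one-line comment tying the flag to that keyUsage rule, or a message that just says the certificate is not RFC 4945 compliant, keeps the two in step. In the later hunk of this file, `is_compliant_cert(current_auth)` runs only after `public->verify` succeeded, so the rejection is logged only for a peer that presented a valid signature, and the enumeration simply moves on to the next candidate; what happens once no candidate remains is outside the hunk.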