summaryrefslogtreecommitdiff
path: root/src/libstrongswan/credentials/auth_cfg.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/credentials/auth_cfg.c')
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c155
1 files changed, 128 insertions, 27 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index ce718b9cb..23a3f62d9 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -131,11 +131,13 @@ static void destroy_entry_value(entry_t *entry)
case AUTH_RULE_SUBJECT_CERT:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_REVOCATION_CERT:
{
certificate_t *cert = (certificate_t*)entry->value;
cert->destroy(cert);
break;
}
+ case AUTH_RULE_CERT_POLICY:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
@@ -147,6 +149,8 @@ static void destroy_entry_value(entry_t *entry)
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
break;
}
}
@@ -172,6 +176,8 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
/* integer type */
enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
@@ -182,10 +188,12 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_RULE_CERT_POLICY:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
+ case AUTH_HELPER_REVOCATION_CERT:
/* pointer type */
enumerator->current->value = va_arg(args, void*);
break;
@@ -237,6 +245,8 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
case AUTH_RULE_EAP_TYPE:
return (void*)EAP_NAK;
case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
return (void*)0;
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
@@ -248,10 +258,12 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_RULE_CERT_POLICY:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
+ case AUTH_HELPER_REVOCATION_CERT:
default:
return NULL;
}
@@ -274,6 +286,8 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
/* integer type */
entry->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
@@ -284,10 +298,12 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_RULE_CERT_POLICY:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
+ case AUTH_HELPER_REVOCATION_CERT:
/* pointer type */
entry->value = va_arg(args, void*);
break;
@@ -358,38 +374,45 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
{
- cert_validation_t validated, required;
+ uintptr_t validated;
- required = (uintptr_t)value;
- validated = (uintptr_t)get(this, t1);
- switch (required)
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &validated))
{
- case VALIDATION_FAILED:
- /* no constraint */
- break;
- case VALIDATION_SKIPPED:
- if (validated == VALIDATION_SKIPPED)
- {
- break;
- }
- /* FALL */
- case VALIDATION_GOOD:
- if (validated == VALIDATION_GOOD)
- {
- break;
- }
- /* FALL */
- default:
- success = FALSE;
- if (log_error)
+ if (t2 == t1)
+ {
+ switch ((uintptr_t)value)
{
- DBG1(DBG_CFG, "constraint check failed: %N is %N, "
- "but requires at least %N", auth_rule_names,
- t1, cert_validation_names, validated,
- cert_validation_names, required);
+ case VALIDATION_FAILED:
+ /* no constraint */
+ break;
+ case VALIDATION_SKIPPED:
+ if (validated == VALIDATION_SKIPPED)
+ {
+ break;
+ }
+ /* FALL */
+ case VALIDATION_GOOD:
+ if (validated == VALIDATION_GOOD)
+ {
+ break;
+ }
+ /* FALL */
+ default:
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: "
+ "%N is %N, but requires at least %N",
+ auth_rule_names, t1,
+ cert_validation_names, validated,
+ cert_validation_names, (uintptr_t)value);
+ }
+ break;
}
- break;
+ }
}
+ e2->destroy(e2);
break;
}
case AUTH_RULE_IDENTITY:
@@ -473,10 +496,76 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
e2->destroy(e2);
break;
}
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+ {
+ uintptr_t strength;
+
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &strength))
+ {
+ if (t2 == t1)
+ {
+ if ((uintptr_t)value > strength)
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires %d bit "
+ "public keys, but %d bit key used",
+ (uintptr_t)value, strength);
+ }
+ }
+ }
+ else if (t2 == AUTH_RULE_RSA_STRENGTH)
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires %d bit ECDSA, "
+ "but RSA used", (uintptr_t)value);
+ }
+ }
+ else if (t2 == AUTH_RULE_ECDSA_STRENGTH)
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires %d bit RSA, "
+ "but ECDSA used", (uintptr_t)value);
+ }
+ }
+ }
+ e2->destroy(e2);
+ break;
+ }
+ case AUTH_RULE_CERT_POLICY:
+ {
+ char *oid1, *oid2;
+
+ oid1 = (char*)value;
+ success = FALSE;
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &oid2))
+ {
+ if (t2 == t1 && streq(oid1, oid2))
+ {
+ success = TRUE;
+ break;
+ }
+ }
+ e2->destroy(e2);
+ if (!success && log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires cert policy %s", oid1);
+ }
+ break;
+ }
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
+ case AUTH_HELPER_REVOCATION_CERT:
/* skip helpers */
continue;
}
@@ -523,6 +612,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
case AUTH_RULE_SUBJECT_CERT:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_REVOCATION_CERT:
{
certificate_t *cert = (certificate_t*)value;
@@ -534,6 +624,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
{
add(this, type, (uintptr_t)value);
break;
@@ -548,6 +640,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
add(this, type, id->clone(id));
break;
}
+ case AUTH_RULE_CERT_POLICY:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
@@ -600,6 +693,8 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
{
if (i1->value == i2->value)
{
@@ -613,6 +708,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
case AUTH_RULE_SUBJECT_CERT:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_REVOCATION_CERT:
{
certificate_t *c1, *c2;
@@ -643,6 +739,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
}
continue;
}
+ case AUTH_RULE_CERT_POLICY:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
@@ -725,11 +822,13 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
case AUTH_RULE_SUBJECT_CERT:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_REVOCATION_CERT:
{
certificate_t *cert = (certificate_t*)entry->value;
clone->add(clone, entry->type, cert->get_ref(cert));
break;
}
+ case AUTH_RULE_CERT_POLICY:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
@@ -741,6 +840,8 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
clone->add(clone, entry->type, (uintptr_t)entry->value);
break;
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-15 10:36:55 +0000