path: root/src/libstrongswan/credentials/auth_cfg.c
Diffstat (limited to 'src/libstrongswan/credentials/auth_cfg.c')
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c205
1 files changed, 205 insertions, 0 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index ce718b9cb..9c7df81a6 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -131,11 +131,19 @@ static void destroy_entry_value(entry_t *entry)
case AUTH_RULE_SUBJECT_CERT:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
+<<<<<<< HEAD
+=======
+ case AUTH_HELPER_REVOCATION_CERT:
+>>>>>>> upstream/4.5.1
{
certificate_t *cert = (certificate_t*)entry->value;
cert->destroy(cert);
break;
}
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_CERT_POLICY:
+>>>>>>> upstream/4.5.1
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
@@ -147,6 +155,11 @@ static void destroy_entry_value(entry_t *entry)
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+>>>>>>> upstream/4.5.1
break;
}
}
@@ -172,6 +185,11 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+>>>>>>> upstream/4.5.1
/* integer type */
enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
@@ -182,10 +200,18 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_CERT_POLICY:
+>>>>>>> upstream/4.5.1
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
+<<<<<<< HEAD
+=======
+ case AUTH_HELPER_REVOCATION_CERT:
+>>>>>>> upstream/4.5.1
/* pointer type */
enumerator->current->value = va_arg(args, void*);
break;
@@ -237,6 +263,11 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
case AUTH_RULE_EAP_TYPE:
return (void*)EAP_NAK;
case AUTH_RULE_EAP_VENDOR:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+>>>>>>> upstream/4.5.1
return (void*)0;
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
@@ -248,10 +279,18 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_CERT_POLICY:
+>>>>>>> upstream/4.5.1
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
+<<<<<<< HEAD
+=======
+ case AUTH_HELPER_REVOCATION_CERT:
+>>>>>>> upstream/4.5.1
default:
return NULL;
}
@@ -274,6 +313,11 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+>>>>>>> upstream/4.5.1
/* integer type */
entry->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
@@ -284,10 +328,18 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_CERT_POLICY:
+>>>>>>> upstream/4.5.1
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
+<<<<<<< HEAD
+=======
+ case AUTH_HELPER_REVOCATION_CERT:
+>>>>>>> upstream/4.5.1
/* pointer type */
entry->value = va_arg(args, void*);
break;
@@ -358,6 +410,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
{
+<<<<<<< HEAD
cert_validation_t validated, required;
required = (uintptr_t)value;
@@ -390,6 +443,47 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
}
break;
}
+=======
+ uintptr_t validated;
+
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &validated))
+ {
+ if (t2 == t1)
+ {
+ switch ((uintptr_t)value)
+ {
+ case VALIDATION_FAILED:
+ /* no constraint */
+ break;
+ case VALIDATION_SKIPPED:
+ if (validated == VALIDATION_SKIPPED)
+ {
+ break;
+ }
+ /* FALL */
+ case VALIDATION_GOOD:
+ if (validated == VALIDATION_GOOD)
+ {
+ break;
+ }
+ /* FALL */
+ default:
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: "
+ "%N is %N, but requires at least %N",
+ auth_rule_names, t1,
+ cert_validation_names, validated,
+ cert_validation_names, (uintptr_t)value);
+ }
+ break;
+ }
+ }
+ }
+ e2->destroy(e2);
+>>>>>>> upstream/4.5.1
break;
}
case AUTH_RULE_IDENTITY:
@@ -473,10 +567,82 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
e2->destroy(e2);
break;
}
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+ {
+ uintptr_t strength;
+
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &strength))
+ {
+ if (t2 == t1)
+ {
+ if ((uintptr_t)value > strength)
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires %d bit "
+ "public keys, but %d bit key used",
+ (uintptr_t)value, strength);
+ }
+ }
+ }
+ else if (t2 == AUTH_RULE_RSA_STRENGTH)
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires %d bit ECDSA, "
+ "but RSA used", (uintptr_t)value);
+ }
+ }
+ else if (t2 == AUTH_RULE_ECDSA_STRENGTH)
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires %d bit RSA, "
+ "but ECDSA used", (uintptr_t)value);
+ }
+ }
+ }
+ e2->destroy(e2);
+ break;
+ }
+ case AUTH_RULE_CERT_POLICY:
+ {
+ char *oid1, *oid2;
+
+ oid1 = (char*)value;
+ success = FALSE;
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &oid2))
+ {
+ if (t2 == t1 && streq(oid1, oid2))
+ {
+ success = TRUE;
+ break;
+ }
+ }
+ e2->destroy(e2);
+ if (!success && log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires cert policy %s", oid1);
+ }
+ break;
+ }
+>>>>>>> upstream/4.5.1
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
+<<<<<<< HEAD
+=======
+ case AUTH_HELPER_REVOCATION_CERT:
+>>>>>>> upstream/4.5.1
/* skip helpers */
continue;
}
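Review bot: The three DBG1 calls added in the AUTH_RULE_RSA_STRENGTH / AUTH_RULE_ECDSA_STRENGTH case format `(uintptr_t)value` and `strength` with `%d`, which is a width/signedness mismatch on any platform where `uintptr_t` is wider than `int` (the "requires %d bit public keys" call also passes two such arguments). Whether this prints garbage or is merely tolerated depends on the project's own printf hook behind DBG1, which is not visible here, so treat it as a to-confirm; the file already uses `u_int` for these integer-typed rules in add() and replace(), so the consistent fix is `DBG1(DBG_CFG, "constraint requires %u bit public keys, but %u bit key used", (u_int)(uintptr_t)value, (u_int)strength);` and the matching `%u`/`(u_int)` casts in the two ECDSA/RSA-mismatch messages. The surrounding conflict markers at `<<<<<<< HEAD` / `>>>>>>> upstream/4.5.1` are raised separately on the first hunk. complies starts and ends outside this hunk.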
@@ -523,6 +689,10 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
case AUTH_RULE_SUBJECT_CERT:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
+<<<<<<< HEAD
+=======
+ case AUTH_HELPER_REVOCATION_CERT:
+>>>>>>> upstream/4.5.1
{
certificate_t *cert = (certificate_t*)value;
@@ -534,6 +704,11 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+>>>>>>> upstream/4.5.1
{
add(this, type, (uintptr_t)value);
break;
@@ -548,6 +723,10 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
add(this, type, id->clone(id));
break;
}
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_CERT_POLICY:
+>>>>>>> upstream/4.5.1
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
@@ -600,6 +779,11 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+>>>>>>> upstream/4.5.1
{
if (i1->value == i2->value)
{
@@ -613,6 +797,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
case AUTH_RULE_SUBJECT_CERT:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
+<<<<<<< HEAD
+=======
+ case AUTH_HELPER_REVOCATION_CERT:
+>>>>>>> upstream/4.5.1
{
certificate_t *c1, *c2;
@@ -643,6 +831,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
}
continue;
}
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_CERT_POLICY:
+>>>>>>> upstream/4.5.1
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
@@ -725,11 +917,19 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
case AUTH_RULE_SUBJECT_CERT:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
+<<<<<<< HEAD
+=======
+ case AUTH_HELPER_REVOCATION_CERT:
+>>>>>>> upstream/4.5.1
{
certificate_t *cert = (certificate_t*)entry->value;
clone->add(clone, entry->type, cert->get_ref(cert));
break;
}
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_CERT_POLICY:
+>>>>>>> upstream/4.5.1
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
@@ -741,6 +941,11 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+<<<<<<< HEAD
+=======
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+>>>>>>> upstream/4.5.1
clone->add(clone, entry->type, (uintptr_t)entry->value);
break;
}