summaryrefslogtreecommitdiff
path: root/src/libstrongswan/credentials
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/credentials')
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c11
-rw-r--r--src/libstrongswan/credentials/keys/public_key.c64
-rw-r--r--src/libstrongswan/credentials/keys/public_key.h26
-rw-r--r--src/libstrongswan/credentials/sets/auth_cfg_wrapper.c2
-rw-r--r--src/libstrongswan/credentials/sets/mem_cred.c38
5 files changed, 98 insertions, 43 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 956ce08c9..3ec9491ed 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,7 +1,8 @@
/*
* Copyright (C) 2008-2016 Tobias Brunner
* Copyright (C) 2007-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffeb
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -548,10 +549,10 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
} schemes[] = {
{ "md5", SIGN_RSA_EMSA_PKCS1_MD5, KEY_RSA, },
{ "sha1", SIGN_RSA_EMSA_PKCS1_SHA1, KEY_RSA, },
- { "sha224", SIGN_RSA_EMSA_PKCS1_SHA224, KEY_RSA, },
- { "sha256", SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, },
- { "sha384", SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, },
- { "sha512", SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, },
+ { "sha224", SIGN_RSA_EMSA_PKCS1_SHA2_224, KEY_RSA, },
+ { "sha256", SIGN_RSA_EMSA_PKCS1_SHA2_256, KEY_RSA, },
+ { "sha384", SIGN_RSA_EMSA_PKCS1_SHA2_384, KEY_RSA, },
+ { "sha512", SIGN_RSA_EMSA_PKCS1_SHA2_512, KEY_RSA, },
{ "sha1", SIGN_ECDSA_WITH_SHA1_DER, KEY_ECDSA, },
{ "sha256", SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, },
{ "sha384", SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, },
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index d6f211a34..03f93b1d3 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -32,10 +32,14 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512,
"RSA_EMSA_PKCS1_NULL",
"RSA_EMSA_PKCS1_MD5",
"RSA_EMSA_PKCS1_SHA1",
- "RSA_EMSA_PKCS1_SHA224",
- "RSA_EMSA_PKCS1_SHA256",
- "RSA_EMSA_PKCS1_SHA384",
- "RSA_EMSA_PKCS1_SHA512",
+ "RSA_EMSA_PKCS1_SHA2_224",
+ "RSA_EMSA_PKCS1_SHA2_256",
+ "RSA_EMSA_PKCS1_SHA2_384",
+ "RSA_EMSA_PKCS1_SHA2_512",
+ "RSA_EMSA_PKCS1_SHA3_224",
+ "RSA_EMSA_PKCS1_SHA3_256",
+ "RSA_EMSA_PKCS1_SHA3_384",
+ "RSA_EMSA_PKCS1_SHA3_512",
"ECDSA_WITH_SHA1_DER",
"ECDSA_WITH_SHA256_DER",
"ECDSA_WITH_SHA384_DER",
@@ -120,16 +124,24 @@ signature_scheme_t signature_scheme_from_oid(int oid)
return SIGN_RSA_EMSA_PKCS1_SHA1;
case OID_SHA224_WITH_RSA:
case OID_SHA224:
- return SIGN_RSA_EMSA_PKCS1_SHA224;
+ return SIGN_RSA_EMSA_PKCS1_SHA2_224;
case OID_SHA256_WITH_RSA:
case OID_SHA256:
- return SIGN_RSA_EMSA_PKCS1_SHA256;
+ return SIGN_RSA_EMSA_PKCS1_SHA2_256;
case OID_SHA384_WITH_RSA:
case OID_SHA384:
- return SIGN_RSA_EMSA_PKCS1_SHA384;
+ return SIGN_RSA_EMSA_PKCS1_SHA2_384;
case OID_SHA512_WITH_RSA:
case OID_SHA512:
- return SIGN_RSA_EMSA_PKCS1_SHA512;
+ return SIGN_RSA_EMSA_PKCS1_SHA2_512;
+ case OID_RSASSA_PKCS1V15_WITH_SHA3_224:
+ return SIGN_RSA_EMSA_PKCS1_SHA3_224;
+ case OID_RSASSA_PKCS1V15_WITH_SHA3_256:
+ return SIGN_RSA_EMSA_PKCS1_SHA3_256;
+ case OID_RSASSA_PKCS1V15_WITH_SHA3_384:
+ return SIGN_RSA_EMSA_PKCS1_SHA3_384;
+ case OID_RSASSA_PKCS1V15_WITH_SHA3_512:
+ return SIGN_RSA_EMSA_PKCS1_SHA3_512;
case OID_ECDSA_WITH_SHA1:
case OID_EC_PUBLICKEY:
return SIGN_ECDSA_WITH_SHA1_DER;
@@ -174,14 +186,22 @@ int signature_scheme_to_oid(signature_scheme_t scheme)
return OID_MD5_WITH_RSA;
case SIGN_RSA_EMSA_PKCS1_SHA1:
return OID_SHA1_WITH_RSA;
- case SIGN_RSA_EMSA_PKCS1_SHA224:
+ case SIGN_RSA_EMSA_PKCS1_SHA2_224:
return OID_SHA224_WITH_RSA;
- case SIGN_RSA_EMSA_PKCS1_SHA256:
+ case SIGN_RSA_EMSA_PKCS1_SHA2_256:
return OID_SHA256_WITH_RSA;
- case SIGN_RSA_EMSA_PKCS1_SHA384:
+ case SIGN_RSA_EMSA_PKCS1_SHA2_384:
return OID_SHA384_WITH_RSA;
- case SIGN_RSA_EMSA_PKCS1_SHA512:
+ case SIGN_RSA_EMSA_PKCS1_SHA2_512:
return OID_SHA512_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+ return OID_RSASSA_PKCS1V15_WITH_SHA3_224;
+ case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+ return OID_RSASSA_PKCS1V15_WITH_SHA3_256;
+ case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+ return OID_RSASSA_PKCS1V15_WITH_SHA3_384;
+ case SIGN_RSA_EMSA_PKCS1_SHA3_512:
+ return OID_RSASSA_PKCS1V15_WITH_SHA3_384;
case SIGN_ECDSA_WITH_SHA1_DER:
return OID_ECDSA_WITH_SHA1;
case SIGN_ECDSA_WITH_SHA256_DER:
@@ -216,9 +236,9 @@ static struct {
key_type_t type;
int max_keysize;
} scheme_map[] = {
- { SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, 3072 },
- { SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, 7680 },
- { SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, 0 },
+ { SIGN_RSA_EMSA_PKCS1_SHA2_256, KEY_RSA, 3072 },
+ { SIGN_RSA_EMSA_PKCS1_SHA2_384, KEY_RSA, 7680 },
+ { SIGN_RSA_EMSA_PKCS1_SHA2_512, KEY_RSA, 0 },
{ SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 },
{ SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 },
{ SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 },
@@ -285,10 +305,14 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
case SIGN_RSA_EMSA_PKCS1_NULL:
case SIGN_RSA_EMSA_PKCS1_MD5:
case SIGN_RSA_EMSA_PKCS1_SHA1:
- case SIGN_RSA_EMSA_PKCS1_SHA224:
- case SIGN_RSA_EMSA_PKCS1_SHA256:
- case SIGN_RSA_EMSA_PKCS1_SHA384:
- case SIGN_RSA_EMSA_PKCS1_SHA512:
+ case SIGN_RSA_EMSA_PKCS1_SHA2_224:
+ case SIGN_RSA_EMSA_PKCS1_SHA2_256:
+ case SIGN_RSA_EMSA_PKCS1_SHA2_384:
+ case SIGN_RSA_EMSA_PKCS1_SHA2_512:
+ case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+ case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+ case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+ case SIGN_RSA_EMSA_PKCS1_SHA3_512:
return KEY_RSA;
case SIGN_ECDSA_WITH_SHA1_DER:
case SIGN_ECDSA_WITH_SHA256_DER:
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index ce48f9b7e..236128234 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -70,14 +70,22 @@ enum signature_scheme_t {
SIGN_RSA_EMSA_PKCS1_MD5,
/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-1 */
SIGN_RSA_EMSA_PKCS1_SHA1,
- /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-224 */
- SIGN_RSA_EMSA_PKCS1_SHA224,
- /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-256 */
- SIGN_RSA_EMSA_PKCS1_SHA256,
- /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-384 */
- SIGN_RSA_EMSA_PKCS1_SHA384,
- /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-512 */
- SIGN_RSA_EMSA_PKCS1_SHA512,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-2_224 */
+ SIGN_RSA_EMSA_PKCS1_SHA2_224,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-2_256 */
+ SIGN_RSA_EMSA_PKCS1_SHA2_256,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-2_384 */
+ SIGN_RSA_EMSA_PKCS1_SHA2_384,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-2_512 */
+ SIGN_RSA_EMSA_PKCS1_SHA2_512,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_224 */
+ SIGN_RSA_EMSA_PKCS1_SHA3_224,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_256 */
+ SIGN_RSA_EMSA_PKCS1_SHA3_256,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_384 */
+ SIGN_RSA_EMSA_PKCS1_SHA3_384,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_512 */
+ SIGN_RSA_EMSA_PKCS1_SHA3_512,
/** ECDSA with SHA-1 using DER encoding as in RFC 3279 */
SIGN_ECDSA_WITH_SHA1_DER,
/** ECDSA with SHA-256 using DER encoding as in RFC 3279 */
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index c6b8d0c7e..8393d5b18 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -108,7 +108,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
}
*value = cert;
enumerator->auth->replace(enumerator->auth, enumerator->inner,
- *rule, cert->get_ref(cert));
+ *rule, cert);
return TRUE;
}
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index 988e709ad..0f8bff23f 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -1,6 +1,7 @@
/*
- * Copyright (C) 2010-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperwsil
+ * Copyright (C) 2010-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperwsil
+ *
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
@@ -223,6 +224,7 @@ METHOD(mem_cred_t, add_crl, bool,
{
if (current->get_type(current) == CERT_X509_CRL)
{
+ chunk_t base;
bool found = FALSE;
crl_t *crl_c = (crl_t*)current;
chunk_t authkey = crl->get_authKeyIdentifier(crl);
@@ -246,17 +248,37 @@ METHOD(mem_cred_t, add_crl, bool,
}
if (found)
{
- new = crl_is_newer(crl, crl_c);
- if (new)
+ /* we keep at most one delta CRL for each base CRL */
+ if (crl->is_delta_crl(crl, &base))
{
- this->untrusted->remove_at(this->untrusted, enumerator);
- current->destroy(current);
+ if (!crl_c->is_delta_crl(crl_c, NULL))
+ {
+ if (chunk_equals(base, crl_c->get_serial(crl_c)))
+ { /* keep the added delta and the existing base CRL
+ * but check if this is the newest delta CRL for
+ * the same base */
+ continue;
+ }
+ }
}
- else
+ else if (crl_c->is_delta_crl(crl_c, &base))
+ {
+ if (chunk_equals(base, crl->get_serial(crl)))
+ { /* keep the existing delta and the added base CRL,
+ * but check if we don't store it already */
+ continue;
+ }
+ }
+ new = crl_is_newer(crl, crl_c);
+ if (!new)
{
cert->destroy(cert);
+ break;
}
- break;
+ /* we remove the existing older CRL but there might be other
+ * delta or base CRLs we can replace */
+ this->untrusted->remove_at(this->untrusted, enumerator);
+ current->destroy(current);
}
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-15 18:45:36 +0000