case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
break;
}
}
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
/* integer type */
enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
case AUTH_RULE_EAP_TYPE:
return (void*)EAP_NAK;
case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
return (void*)0;
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
/* integer type */
entry->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
e2->destroy(e2);
break;
}
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+ {
+ if ((uintptr_t)value > (uintptr_t)get(this, t1))
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires %d bit public key "
+ "strength", value);
+ }
+ }
+ break;
+ }
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
{
add(this, type, (uintptr_t)value);
break;
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
{
if (i1->value == i2->value)
{
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
clone->add(clone, entry->type, (uintptr_t)entry->value);
break;
}
return issuer;
}
+/**
+ * Get the strength of the weakest key in a trustchain
+ */
+static void calculate_trustchain_strength(auth_cfg_t *auth)
+{
+ enumerator_t *enumerator;
+ uintptr_t strength = 0;
+ key_type_t type = KEY_ANY;
+ certificate_t *cert;
+ public_key_t *key;
+ auth_rule_t rule;
+
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &rule, &cert))
+ {
+ switch (rule)
+ {
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_CA_CERT:
+ {
+ key = cert->get_public_key(cert);
+ if (!key || (type != KEY_ANY && type != key->get_type(key)))
+ { /* no key, or different key families */
+ DESTROY_IF(key);
+ enumerator->destroy(enumerator);
+ return;
+ }
+ type = key->get_type(key);
+ if (!strength)
+ {
+ strength = key->get_keysize(key);
+ }
+ else
+ {
+ strength = min(strength, key->get_keysize(key));
+ }
+ key->destroy(key);
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (strength)
+ {
+ switch (type)
+ {
+ case KEY_RSA:
+ auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength);
+ break;
+ case KEY_ECDSA:
+ auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
+ break;
+ default:
+ break;
+ }
+ }
+}
+
/**
* try to verify the trust chain of subject, return TRUE if trusted
*/
{
this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
this->pretrusted->get_ref(this->pretrusted));
+ calculate_trustchain_strength(this->auth);
DBG1(DBG_CFG, " using trusted certificate \"%Y\"",
this->pretrusted->get_subject(this->pretrusted));
*cert = this->pretrusted;
if (verify_trust_chain(this->this, current, this->auth, FALSE,
this->online))
{
+ this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
+ current->get_ref(current));
*cert = current;
+ calculate_trustchain_strength(this->auth);
if (auth)
{
*auth = this->auth;
projects / thirdparty / strongswan.git / commitdiff
