ikev2: Add an option to disable constraints against signature schemes

If this is disabled the schemes configured in `rightauth` are only
checked against signature schemes used in the certificate chain and
signature schemes used during IKEv2 are ignored.

Disabling this could be helpful if existing connections with peers that
don't support RFC 7427 use signature schemes in `rightauth` to verify
certificate chains.

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 380ce9305eaab1d985c775263144f3551708af54..c8e7316657205b59b4b51862227199afa2325d7a 100644 (file)
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -290,6 +290,14 @@ charon.send_vendor_id = no
 charon.signature_authentication = yes
        Whether to enable Signature Authentication as per RFC 7427.
 
+charon.signature_authentication_constraints = yes
+       Whether to enable constraints against IKEv2 signature schemes.
+
+       If enabled, signature schemes configured in _rightauth_, in addition to
+       getting used as constraints against signature schemes employed in the
+       certificate chain, are also used as constraints against the signature scheme
+       used by peers during IKEv2.
+
 charon.start-scripts {}
        Section containing a list of scripts (name = path) that are executed when
        the daemon is started.

diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index d8c4570dcc1307faaa1792ecf351103efa3402db..52539456eb44cbe1182cc4c093ea5999bc48d61c 100644 (file)
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -54,6 +54,11 @@ struct private_pubkey_authenticator_t {
         * Reserved bytes of ID payload
         */
        char reserved[3];
+
+       /**
+        * Whether to store signature schemes on remote auth configs.
+        */
+       bool store_signature_scheme;
 };
 
 /**
@@ -325,8 +330,11 @@ METHOD(authenticator_t, process, status_t,
                                 auth_method == AUTH_DS ? scheme : auth_method);
                        status = SUCCESS;
                        auth->merge(auth, current_auth, FALSE);
-                       auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
                        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+                       if (this->store_signature_scheme)
+                       {
+                               auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+                       }
                        break;
                }
                else
@@ -399,6 +407,8 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
                .ike_sa = ike_sa,
                .ike_sa_init = received_init,
                .nonce = sent_nonce,
+               .store_signature_scheme = lib->settings->get_bool(lib->settings,
+                                       "%s.signature_authentication_constraints", TRUE, lib->ns),
        );
        memcpy(this->reserved, reserved, sizeof(this->reserved));