auth-cfg: Add BLISS key strength constraint

author Tobias Brunner <tobias@strongswan.org>

Mon, 2 Mar 2015 14:49:53 +0000 (15:49 +0100)

committer Tobias Brunner <tobias@strongswan.org>

Wed, 4 Mar 2015 12:54:11 +0000 (13:54 +0100)
author Tobias Brunner <tobias@strongswan.org>
Mon, 2 Mar 2015 14:49:53 +0000 (15:49 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Wed, 4 Mar 2015 12:54:11 +0000 (13:54 +0100)
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c

index db08c6b963ad84ec6c848d1418baba242e763d3a..0ca45a15b0999558c848e0054f235afbcc824e1a 100644 (file)
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
   * Copyright (C) 2007-2009 Martin Willi
   * Hochschule fuer Technik Rapperswil
   *
@@ -49,6 +49,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
         "RULE_GROUP",
         "RULE_RSA_STRENGTH",
         "RULE_ECDSA_STRENGTH",
+       "RULE_BLISS_STRENGTH",
         "RULE_SIGNATURE_SCHEME",
         "RULE_CERT_POLICY",
         "HELPER_IM_CERT",
@@ -71,6 +72,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
                 case AUTH_RULE_EAP_VENDOR:
                 case AUTH_RULE_RSA_STRENGTH:
                 case AUTH_RULE_ECDSA_STRENGTH:
+               case AUTH_RULE_BLISS_STRENGTH:
                 case AUTH_RULE_IDENTITY:
                 case AUTH_RULE_IDENTITY_LOOSE:
                 case AUTH_RULE_EAP_IDENTITY:
@@ -207,6 +209,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
                 case AUTH_RULE_OCSP_VALIDATION:
                 case AUTH_RULE_RSA_STRENGTH:
                 case AUTH_RULE_ECDSA_STRENGTH:
+               case AUTH_RULE_BLISS_STRENGTH:
                 case AUTH_RULE_SIGNATURE_SCHEME:
                         /* integer type */
                         this->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -255,6 +258,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
                 case AUTH_RULE_OCSP_VALIDATION:
                 case AUTH_RULE_RSA_STRENGTH:
                 case AUTH_RULE_ECDSA_STRENGTH:
+               case AUTH_RULE_BLISS_STRENGTH:
                 case AUTH_RULE_SIGNATURE_SCHEME:
                 {
                         return e1->value == e2->value;
@@ -345,6 +349,7 @@ static void destroy_entry_value(entry_t *entry)
                 case AUTH_RULE_OCSP_VALIDATION:
                 case AUTH_RULE_RSA_STRENGTH:
                 case AUTH_RULE_ECDSA_STRENGTH:
+               case AUTH_RULE_BLISS_STRENGTH:
                 case AUTH_RULE_SIGNATURE_SCHEME:
                 case AUTH_RULE_MAX:
                         break;
@@ -376,6 +381,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
                         case AUTH_RULE_OCSP_VALIDATION:
                         case AUTH_RULE_RSA_STRENGTH:
                         case AUTH_RULE_ECDSA_STRENGTH:
+                       case AUTH_RULE_BLISS_STRENGTH:
                         case AUTH_RULE_SIGNATURE_SCHEME:
                                 /* integer type */
                                 entry->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -450,6 +456,7 @@ METHOD(auth_cfg_t, get, void*,
                 case AUTH_RULE_EAP_VENDOR:
                 case AUTH_RULE_RSA_STRENGTH:
                 case AUTH_RULE_ECDSA_STRENGTH:
+               case AUTH_RULE_BLISS_STRENGTH:
                         return (void*)0;
                 case AUTH_RULE_SIGNATURE_SCHEME:
                         return (void*)HASH_UNKNOWN;
@@ -513,6 +520,7 @@ METHOD(auth_cfg_t, complies, bool,
         signature_scheme_t scheme = SIGN_UNKNOWN;
         u_int strength = 0;
         auth_rule_t t1, t2;
+       char *key_type;
         void *value;
  
         e1 = constraints->create_enumerator(constraints);
@@ -703,6 +711,7 @@ METHOD(auth_cfg_t, complies, bool,
                         }
                         case AUTH_RULE_RSA_STRENGTH:
                         case AUTH_RULE_ECDSA_STRENGTH:
+                       case AUTH_RULE_BLISS_STRENGTH:
                         {
                                 strength = (uintptr_t)value;
                                 break;
@@ -797,30 +806,39 @@ METHOD(auth_cfg_t, complies, bool,
                 e2 = create_enumerator(this);
                 while (e2->enumerate(e2, &t2, &strength))
                 {
-                       if (t2 == AUTH_RULE_RSA_STRENGTH ||
-                               t2 == AUTH_RULE_ECDSA_STRENGTH)
+                       switch (t2)
                         {
-                               success = FALSE;
-                               e1 = constraints->create_enumerator(constraints);
-                               while (e1->enumerate(e1, &t1, &value))
+                               default:
+                                       continue;
+                               case AUTH_RULE_RSA_STRENGTH:
+                                       key_type = "RSA";
+                                       break;
+                               case AUTH_RULE_ECDSA_STRENGTH:
+                                       key_type = "ECDSA";
+                                       break;
+                               case AUTH_RULE_BLISS_STRENGTH:
+                                       key_type = "BLISS";
+                                       break;
+                       }
+                       success = FALSE;
+                       e1 = constraints->create_enumerator(constraints);
+                       while (e1->enumerate(e1, &t1, &value))
+                       {
+                               if (t1 == t2 && (uintptr_t)value <= strength)
                                 {
-                                       if (t1 == t2 && (uintptr_t)value <= strength)
-                                       {
-                                               success = TRUE;
-                                               break;
-                                       }
+                                       success = TRUE;
+                                       break;
                                 }
-                               e1->destroy(e1);
-                               if (!success)
+                       }
+                       e1->destroy(e1);
+                       if (!success)
+                       {
+                               if (log_error)
                                 {
-                                       if (log_error)
-                                       {
-                                               DBG1(DBG_CFG, "%s-%d signatures not acceptable",
-                                                        t2 == AUTH_RULE_RSA_STRENGTH ? "RSA" : "ECDSA",
-                                                        strength);
-                                       }
-                                       break;
+                                       DBG1(DBG_CFG, "%s-%d signatures not acceptable",
+                                                key_type, strength);
                                 }
+                               break;
                         }
                 }
                 e2->destroy(e2);
@@ -891,6 +909,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
                                 case AUTH_RULE_EAP_VENDOR:
                                 case AUTH_RULE_RSA_STRENGTH:
                                 case AUTH_RULE_ECDSA_STRENGTH:
+                               case AUTH_RULE_BLISS_STRENGTH:
                                 case AUTH_RULE_SIGNATURE_SCHEME:
                                 {
                                         add(this, type, (uintptr_t)value);
@@ -1060,6 +1079,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
                         case AUTH_RULE_OCSP_VALIDATION:
                         case AUTH_RULE_RSA_STRENGTH:
                         case AUTH_RULE_ECDSA_STRENGTH:
+                       case AUTH_RULE_BLISS_STRENGTH:
                         case AUTH_RULE_SIGNATURE_SCHEME:
                                 clone->add(clone, type, (uintptr_t)value);
                                 break;
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h

index 95b36d706d65fb90d08c7d2a0449b6c952bcee4e..53f1b38057ba895feb611137c7428faf7c943e5a 100644 (file)
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
   * Copyright (C) 2007-2009 Martin Willi
   * Hochschule fuer Technik Rapperswil
   *
@@ -102,6 +102,8 @@ enum auth_rule_t {
         AUTH_RULE_RSA_STRENGTH,
         /** required ECDSA public key strength, u_int in bits */
         AUTH_RULE_ECDSA_STRENGTH,
+       /** required BLISS public key strength, u_int in bits */
+       AUTH_RULE_BLISS_STRENGTH,
         /** required signature scheme, signature_scheme_t */
         AUTH_RULE_SIGNATURE_SCHEME,
         /** certificatePolicy constraint, numerical OID as char* */
author	Tobias Brunner <tobias@strongswan.org>
	Mon, 2 Mar 2015 14:49:53 +0000 (15:49 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Wed, 4 Mar 2015 12:54:11 +0000 (13:54 +0100)
src/libstrongswan/credentials/auth_cfg.c		patch \| blob \| blame \| history
src/libstrongswan/credentials/auth_cfg.h		patch \| blob \| blame \| history