credential-manager: Add option to reject trusted end-entity certificates
authorTobias Brunner <tobias@strongswan.org>
Wed, 31 May 2023 12:39:05 +0000 (14:39 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 13 Nov 2023 11:01:41 +0000 (12:01 +0100)
This allows preventing peers from authenticating with certificates
that are locally trusted, in particular, our own local certificate (which
safeguards against accidental reuse of certificates on multiple peers).

On the other hand, if this option is enabled, end-entity certificates
for peers can no longer be configured explicitly (e.g. via remote.certs
in swanctl.conf).

conf/options/charon.opt
src/libstrongswan/credentials/credential_manager.c

index 72efd17de2f44b18f82fb5dccc642167336b27b2..e07f1dd85317a2ec01e7582d675d257e1b96aabe 100644 (file)
@@ -372,6 +372,10 @@ charon.receive_delay_request = yes
 charon.receive_delay_type = 0
        Specific IKEv2 message type to delay, 0 for any.
 
+charon.reject_trusted_end_entity = no
+       Reject peers that use trusted end-entity certificates (i.e. local
+       certificates).
+
 charon.replay_window = 32
        Size of the AH/ESP replay window, in packets.
 
index 6f030ef2a58b2cb77d4fc7f761449cacce26bc4c..d66a6e9a4a174797edcc8ef5201bcd99eba02275 100644 (file)
@@ -93,6 +93,11 @@ struct private_credential_manager_t {
         * Registered data to pass to hook
         */
        void *hook_data;
+
+       /**
+        * Whether to reject pre-trusted end-entity certificates
+        */
+       bool reject_pretrusted;
 };
 
 /** data to pass to create_private_enumerator */
@@ -924,6 +929,12 @@ METHOD(enumerator_t, trusted_enumerate, bool,
                this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id);
                if (this->pretrusted)
                {
+                       if (this->this->reject_pretrusted)
+                       {
+                               DBG1(DBG_CFG, "  rejecting trusted certificate \"%Y\"",
+                                        this->pretrusted->get_subject(this->pretrusted));
+                               return FALSE;
+                       }
                        DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
                                 this->pretrusted->get_subject(this->pretrusted));
                        /* if we find a trusted self signed certificate, we just accept it.
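Review bot: The new `return FALSE;` on the rejection path ends the whole enumeration as soon as a pre-trusted certificate matches the peer identity, so no further candidates from other credential sets are offered for that peer; that appears to be the intended effect of the option, but the hunk does not say so, and a reader may take it for a forgotten `continue`-style skip. A short comment above the return would settle it: `/* a locally trusted end-entity cert must not authenticate a peer: stop here instead of trying other candidates */`. It would also be worth confirming, outside this hunk, that the reference stored in `this->pretrusted` by `get_pretrusted_cert()` is still released by the enumerator's destroy when enumeration is cut short on this path. trusted_enumerate starts and ends outside the hunk.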
@@ -1436,6 +1447,8 @@ credential_manager_t *credential_manager_create()
                .cache_queue = linked_list_create(),
                .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
                .queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+               .reject_pretrusted = lib->settings->get_bool(lib->settings,
+                                                               "%s.reject_trusted_end_entity", FALSE, lib->ns),
        );
 
        this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
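Review bot: `reject_pretrusted` is read from `lib->settings` once here in `credential_manager_create()` and stored in the struct, so unless something not visible in this hunk re-reads it, a later settings reload will not change the behaviour until the daemon restarts; since the option changes which peers are rejected, that should be stated next to the initializer, e.g. `/* evaluated once at startup; a settings reload does not update this flag */`. The default of `FALSE` keeps existing deployments unaffected, which matches the commit description.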