ikev2: Diversify signature scheme rule

This allows for different signature schemes for IKE authentication and
trustchain verification.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 2929033aa9c98b55f10959ff58a974642d03eb08..64cd775ad94d9eaab5af896c970df1c05e72c834 100644 (file)
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -130,7 +130,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
        enumerator = auth->create_enumerator(auth);
        while (enumerator->enumerate(enumerator, &rule, &config))
        {
-               if (rule != AUTH_RULE_SIGNATURE_SCHEME)
+               if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
                {
                        continue;
                }
@@ -427,7 +427,8 @@ METHOD(authenticator_t, process, status_t,
                        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
                        if (this->store_signature_scheme)
                        {
-                               auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+                               auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+                                                (uintptr_t)scheme);
                        }
                        break;
                }

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 5cfb5180783eac70e6df02b6b7e67af9dd821088..78579be95f10e22ca138109d67202bd448018df5 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -171,7 +171,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
                        enumerator = auth->create_enumerator(auth);
                        while (enumerator->enumerate(enumerator, &rule, &config))
                        {
-                               if (rule == AUTH_RULE_SIGNATURE_SCHEME)
+                               if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME)
                                {
                                        hash = hasher_from_signature_scheme(config);
                                        if (hasher_algorithm_for_ikev2(hash))

diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index e2047e88f484fd545a54609a31240a02ebb95492..2f18cb6cdefe89a0dc1833bd309912cccbcc1201 100644 (file)
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -51,6 +51,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
        "RULE_ECDSA_STRENGTH",
        "RULE_BLISS_STRENGTH",
        "RULE_SIGNATURE_SCHEME",
+       "RULE_IKE_SIGNATURE_SCHEME",
        "RULE_CERT_POLICY",
        "HELPER_IM_CERT",
        "HELPER_SUBJECT_CERT",
@@ -91,6 +92,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
                case AUTH_RULE_IM_CERT:
                case AUTH_RULE_CERT_POLICY:
                case AUTH_RULE_SIGNATURE_SCHEME:
+               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                case AUTH_HELPER_IM_CERT:
                case AUTH_HELPER_IM_HASH_URL:
                case AUTH_HELPER_REVOCATION_CERT:
@@ -211,6 +213,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
                case AUTH_RULE_ECDSA_STRENGTH:
                case AUTH_RULE_BLISS_STRENGTH:
                case AUTH_RULE_SIGNATURE_SCHEME:
+               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                        /* integer type */
                        this->value = (void*)(uintptr_t)va_arg(args, u_int);
                        break;
@@ -260,6 +263,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
                case AUTH_RULE_ECDSA_STRENGTH:
                case AUTH_RULE_BLISS_STRENGTH:
                case AUTH_RULE_SIGNATURE_SCHEME:
+               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                {
                        return e1->value == e2->value;
                }
@@ -351,6 +355,7 @@ static void destroy_entry_value(entry_t *entry)
                case AUTH_RULE_ECDSA_STRENGTH:
                case AUTH_RULE_BLISS_STRENGTH:
                case AUTH_RULE_SIGNATURE_SCHEME:
+               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                case AUTH_RULE_MAX:
                        break;
        }
@@ -383,6 +388,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
                        case AUTH_RULE_ECDSA_STRENGTH:
                        case AUTH_RULE_BLISS_STRENGTH:
                        case AUTH_RULE_SIGNATURE_SCHEME:
+                       case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                                /* integer type */
                                entry->value = (void*)(uintptr_t)va_arg(args, u_int);
                                break;
@@ -459,6 +465,7 @@ METHOD(auth_cfg_t, get, void*,
                case AUTH_RULE_BLISS_STRENGTH:
                        return (void*)0;
                case AUTH_RULE_SIGNATURE_SCHEME:
+               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                        return (void*)HASH_UNKNOWN;
                case AUTH_RULE_CRL_VALIDATION:
                case AUTH_RULE_OCSP_VALIDATION:
@@ -619,6 +626,50 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
        enumerator->destroy(enumerator);
 }
 
+/**
+ * Check if signature schemes of a specific type are compliant
+ */
+static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints,
+                                                       auth_rule_t type, bool log_error)
+{
+       enumerator_t *e1, *e2;
+       auth_rule_t t1, t2;
+       signature_scheme_t scheme;
+       void *value;
+       bool success = TRUE;
+
+       e2 = create_enumerator(this);
+       while (e2->enumerate(e2, &t2, &scheme))
+       {
+               if (t2 == type)
+               {
+                       success = FALSE;
+                       e1 = constraints->create_enumerator(constraints);
+                       while (e1->enumerate(e1, &t1, &value))
+                       {
+                               if (t1 == type && (uintptr_t)value == scheme)
+                               {
+                                       success = TRUE;
+                                       break;
+                               }
+                       }
+                       e1->destroy(e1);
+                       if (!success)
+                       {
+                               if (log_error)
+                               {
+                                       DBG1(DBG_CFG, "%s signature scheme %N not acceptable",
+                                                AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE",
+                                                signature_scheme_names, (int)scheme);
+                               }
+                               break;
+                       }
+               }
+       }
+       e2->destroy(e2);
+       return success;
+}
+
 METHOD(auth_cfg_t, complies, bool,
        private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
 {
@@ -627,7 +678,7 @@ METHOD(auth_cfg_t, complies, bool,
        bool ca_match = FALSE, cert_match = FALSE;
        identification_t *require_group = NULL;
        certificate_t *require_ca = NULL, *require_cert = NULL;
-       signature_scheme_t scheme = SIGN_UNKNOWN;
+       signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN;
        u_int strength = 0;
        auth_rule_t t1, t2;
        char *key_type;
@@ -823,6 +874,11 @@ METHOD(auth_cfg_t, complies, bool,
                                strength = (uintptr_t)value;
                                break;
                        }
+                       case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+                       {
+                               ike_scheme = (uintptr_t)value;
+                               break;
+                       }
                        case AUTH_RULE_SIGNATURE_SCHEME:
                        {
                                scheme = (uintptr_t)value;
@@ -875,35 +931,13 @@ METHOD(auth_cfg_t, complies, bool,
         * signature schemes. */
        if (success && scheme != SIGN_UNKNOWN)
        {
-               e2 = create_enumerator(this);
-               while (e2->enumerate(e2, &t2, &scheme))
-               {
-                       if (t2 == AUTH_RULE_SIGNATURE_SCHEME)
-                       {
-                               success = FALSE;
-                               e1 = constraints->create_enumerator(constraints);
-                               while (e1->enumerate(e1, &t1, &value))
-                               {
-                                       if (t1 == AUTH_RULE_SIGNATURE_SCHEME &&
-                                               (uintptr_t)value == scheme)
-                                       {
-                                               success = TRUE;
-                                               break;
-                                       }
-                               }
-                               e1->destroy(e1);
-                               if (!success)
-                               {
-                                       if (log_error)
-                                       {
-                                               DBG1(DBG_CFG, "signature scheme %N not acceptable",
-                                                        signature_scheme_names, (int)scheme);
-                                       }
-                                       break;
-                               }
-                       }
-               }
-               e2->destroy(e2);
+               success = complies_scheme(this, constraints,
+                                                                 AUTH_RULE_SIGNATURE_SCHEME, log_error);
+       }
+       if (success && ike_scheme != SIGN_UNKNOWN)
+       {
+               success = complies_scheme(this, constraints,
+                                                                 AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error);
        }
 
        /* Check if we have a matching constraint (or none at all) for used
@@ -1027,6 +1061,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
                                case AUTH_RULE_ECDSA_STRENGTH:
                                case AUTH_RULE_BLISS_STRENGTH:
                                case AUTH_RULE_SIGNATURE_SCHEME:
+                               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                                {
                                        add(this, type, (uintptr_t)value);
                                        break;
@@ -1197,6 +1232,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
                        case AUTH_RULE_ECDSA_STRENGTH:
                        case AUTH_RULE_BLISS_STRENGTH:
                        case AUTH_RULE_SIGNATURE_SCHEME:
+                       case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                                clone->add(clone, type, (uintptr_t)value);
                                break;
                        case AUTH_RULE_MAX:

diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 07e5a6bd36d580bc26e4e7ad2d4b8bcff8cf4417..f00e64f7e8492c05e95bf8f969ed10c3234a508d 100644 (file)
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -106,6 +106,8 @@ enum auth_rule_t {
        AUTH_RULE_BLISS_STRENGTH,
        /** required signature scheme, signature_scheme_t */
        AUTH_RULE_SIGNATURE_SCHEME,
+       /** required signature scheme for IKE authentication, signature_scheme_t */
+       AUTH_RULE_IKE_SIGNATURE_SCHEME,
        /** certificatePolicy constraint, numerical OID as char* */
        AUTH_RULE_CERT_POLICY,