From: Martin Willi
Date: Fri, 7 Jan 2011 14:38:34 +0000 (+0100)
Subject: Added support for trustchain key strength checking to rightauth option
X-Git-Tag: 4.5.1~128
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44e513a320e71e63879fef1664d19a4fe9589912;p=thirdparty%2Fstrongswan.git
Added support for trustchain key strength checking to rightauth option
---
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index a75b5566ea..48eb136aa5 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA),
 .B psk
 for pre-shared key authentication and
 .B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
+to (require the) use of the Extensible Authentication Protocol.
+To require a trustchain public key strength for the remote side, specify the
+key type followed by the strength in bits (for example
+.BR rsa-2048
+or
+.BR ecdsa-256 ).
+For
 .B eap,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index dc2c57e9c5..ea7d175924 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -445,11 +445,22 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 
 	/* authentication metod (class, actually) */
 	if (streq(auth, "pubkey") ||
-		streq(auth, "rsasig") || streq(auth, "rsa") ||
-		streq(auth, "ecdsasig") || streq(auth, "ecdsa"))
+		strneq(auth, "rsa", strlen("rsa")) ||
+		strneq(auth, "ecdsa", strlen("ecdsa")))
 	{
+		u_int strength;
+
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+
+		if (sscanf(auth, "rsa-%d", &strength) == 1)
+		{
+			cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
+		}
+		if (sscanf(auth, "ecdsa-%d", &strength) == 1)
+		{
+			cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
+		}
 	}
 	else if (streq(auth, "psk") || streq(auth, "secret"))
 	{
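Review bot: The strength suffix is parsed too leniently, so a mistyped `rightauth=rsa2048`, `rsa-` or `rsa-2048x` still passes the new `strneq` prefix test, the `sscanf` calls return 0 (or stop at the first non-digit), and the connection loads as plain pubkey with no key-strength rule at all — the hardening the option is meant to add fails open instead of rejecting the configuration. On top of that, `%d` writes an `int` into the `u_int strength` (a format/argument mismatch), and because both `%d` and `%u` accept a leading sign, `rsa--1` yields a huge unsigned strength rather than an error. I would require an exact `-<digits>` suffix (leading digit checked, no trailing characters via `%u%c`), reject a zero strength, and treat any other text after `rsa`/`ecdsa` other than the legacy `sig` as a configuration error that is logged and refused, as sketched below. The rule is also added when `local` is set, whereas the man page only promises the check for the remote side; it is worth confirming that a strength rule on the local auth config is either meaningful or rejected. build_auth_cfg() begins and ends outside this hunk, so how an invalid value is reported and whether the load can fail is not visible here and needs confirming against the rest of the function.
```c
		u_int strength;
		char trailing;

		/* … unchanged: AUTH_CLASS_PUBKEY rule and CRL policy … */

		/* accept only an exact "-<bits>" suffix: %u alone still takes a sign,
		 * and a partial match must not silently drop the strength rule */
		if (strneq(auth, "rsa-", 4) && isdigit((unsigned char)auth[4]) &&
			sscanf(auth + 4, "%u%c", &strength, &trailing) == 1 && strength)
		{
			cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
		}
		else if (strneq(auth, "ecdsa-", 6) && isdigit((unsigned char)auth[6]) &&
				 sscanf(auth + 6, "%u%c", &strength, &trailing) == 1 && strength)
		{
			cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
		}
		else if (!streq(auth, "pubkey") && !streq(auth, "rsa") &&
				 !streq(auth, "rsasig") && !streq(auth, "ecdsa") &&
				 !streq(auth, "ecdsasig"))
		{
			/* TODO(review): log "invalid leftauth/rightauth value" and fail the
			 * load; the error path of build_auth_cfg() is outside this hunk */
		}
```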