From: Martin Willi
Date: Fri, 7 Jan 2011 14:14:41 +0000 (+0100)
Subject: Added a left/rightcertpolicy keyword to specify certificatePolicy requirements
X-Git-Tag: 4.5.1~129
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6367de28ad9b21cc8f145c7154cb29f5acca366a;p=thirdparty%2Fstrongswan.git

Added a left/rightcertpolicy keyword to specify certificatePolicy requirements
---

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 0de9a2c926..a75b5566ea 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -598,6 +598,10 @@ Same as
 .B leftcert,
 but for the second authentication round (IKEv2 only).
 .TP
+.BR leftcertpolicy " = "
+Comma separated list of certificate policy OIDs the peers certificate must have.
+OIDs are specified using the numerical dotted representation (IKEv2 only).
+.TP
 .BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
 (including masquerading) using iptables for traffic from \fIleftsubnet\fR,
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 4f2f58e869..dc2c57e9c5 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -429,6 +429,20 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 enumerator->destroy(enumerator);
 }
 
+ /* certificatePolicies */
+ if (end->cert_policy)
+ {
+ enumerator_t *enumerator;
+ char *policy;
+
+ enumerator = enumerator_create_token(end->cert_policy, ",", " ");
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));
+ }
+ enumerator->destroy(enumerator);
+ }
+
 /* authentication metod (class, actually) */
 if (streq(auth, "pubkey") ||
 streq(auth, "rsasig") || streq(auth, "rsa") ||
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 3762ffcad7..18e77905d1 100644
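Review bot: The value stored on the `cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));` line is the raw configuration token, so a leftcertpolicy entry that is not a dotted-decimal OID (a typo, a symbolic name, or an empty token left by a trailing comma if enumerator_create_token yields one) is accepted silently and can presumably never match a certificate's policy, which leaves the operator with failing authentications and no hint in the configuration log. I would validate each token as it is read and report the bad ones, e.g. `DBG1(DBG_CFG, "ignoring invalid certificate policy OID '%s'", policy);` before skipping it, or at least log the accepted policies at DBG2 the way pop_end logs its fields. A comment on the block such as `/* policies are kept as OID strings for later comparison against the peer certificate's certificatePolicies */` would also help a reader, though the code doing that comparison is not visible here. build_auth_cfg starts and ends outside the hunk.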
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -151,6 +151,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 pop_string(msg, &end->ca);
 pop_string(msg, &end->ca2);
 pop_string(msg, &end->groups);
+ pop_string(msg, &end->cert_policy);
 pop_string(msg, &end->updown);
 
 DBG2(DBG_CFG, " %s=%s", label, end->address);
diff --git a/src/starter/args.c b/src/starter/args.c
index c13f5a952f..87307f1aa3 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -273,6 +273,7 @@ static const token_info_t token_info[] =
 { ARG_STR, offsetof(starter_end_t, rsakey), NULL },
 { ARG_STR, offsetof(starter_end_t, cert), NULL },
 { ARG_STR, offsetof(starter_end_t, cert2), NULL },
+ { ARG_STR, offsetof(starter_end_t, cert_policy), NULL },
 { ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert },
 { ARG_STR, offsetof(starter_end_t, ca), NULL },
 { ARG_STR, offsetof(starter_end_t, ca2), NULL },
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 75ef992119..4f9c5f7d03 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -64,6 +64,7 @@ struct starter_end {
 char *ca;
 char *ca2;
 char *groups;
+ char *cert_policy;
 char *iface;
 ip_address addr;
 u_int ikeport;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 038391acad..9f46a8b4b4 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -142,6 +142,7 @@ typedef enum {
 KW_RSASIGKEY,
 KW_CERT,
 KW_CERT2,
+ KW_CERTPOLICY,
 KW_SENDCERT,
 KW_CA,
 KW_CA2,
@@ -171,6 +172,7 @@ typedef enum {
 KW_LEFTRSASIGKEY,
 KW_LEFTCERT,
 KW_LEFTCERT2,
+ KW_LEFTCERTPOLICY,
 KW_LEFTSENDCERT,
 KW_LEFTCA,
 KW_LEFTCA2,
@@ -199,6 +201,7 @@ typedef enum {
 KW_RIGHTRSASIGKEY,
 KW_RIGHTCERT,
 KW_RIGHTCERT2,
+ KW_RIGHTCERTPOLICY,
 KW_RIGHTSENDCERT,
 KW_RIGHTCA,
 KW_RIGHTCA2,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 67ae53f015..2c0e5de3d1 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -121,8 +121,9 @@ leftid2, KW_LEFTID2
 leftauth, KW_LEFTAUTH
 leftauth2, KW_LEFTAUTH2
 leftrsasigkey, KW_LEFTRSASIGKEY
-leftcert, KW_LEFTCERT,
-leftcert2, KW_LEFTCERT2,
+leftcert, KW_LEFTCERT
+leftcert2, KW_LEFTCERT2
+leftcertpolicy, KW_LEFTCERTPOLICY
 leftsendcert, KW_LEFTSENDCERT
 leftca, KW_LEFTCA
 leftca2, KW_LEFTCA2
@@ -146,6 +147,7 @@ rightauth2, KW_RIGHTAUTH2
 rightrsasigkey, KW_RIGHTRSASIGKEY
 rightcert, KW_RIGHTCERT
 rightcert2, KW_RIGHTCERT2
+rightcertpolicy, KW_RIGHTCERTPOLICY
 rightsendcert, KW_RIGHTSENDCERT
 rightca, KW_RIGHTCA
 rightca2, KW_RIGHTCA2
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index a7e098d91f..f251667c72 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -171,6 +171,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 msg_end->id2 = push_string(msg, conn_end->id2);
 msg_end->cert = push_string(msg, conn_end->cert);
 msg_end->cert2 = push_string(msg, conn_end->cert2);
+ msg_end->cert_policy = push_string(msg, conn_end->cert_policy);
 msg_end->ca = push_string(msg, conn_end->ca);
 msg_end->ca2 = push_string(msg, conn_end->ca2);
 msg_end->groups = push_string(msg, conn_end->groups);
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index adb9d0e101..3af2b70422 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -149,6 +149,7 @@ struct stroke_end_t {
 char *ca;
 char *ca2;
 char *groups;
+ char *cert_policy;
 char *updown;
 char *address;
 u_int16_t ikeport;