From 04c17ab56a6a00a60cf2ac0becbbc29a7eff22bb Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 31 May 2023 14:39:05 +0200
Subject: [PATCH] credential-manager: Add option to reject trusted end-entity certificates

This allows preventing peers from authenticating with certificates that are locally trusted, in particular, our own local certificate (which safeguards against accidental reuse of certificates on multiple peers). On the other hand, if this option is enabled, end-entity certificates for peers can't be configured anymore explicitly (e.g. via remote.certs in swanctl.conf).
---
 conf/options/charon.opt                            |  4 ++++
 src/libstrongswan/credentials/credential_manager.c | 13 +++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 72efd17de2..e07f1dd853 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -372,6 +372,10 @@ charon.receive_delay_request = yes
 charon.receive_delay_type = 0
 	Specific IKEv2 message type to delay, 0 for any.
 
+charon.reject_trusted_end_entity = no
+	Reject peers that use trusted end-entity certificates (i.e. local
+	certificates).
+
 charon.replay_window = 32
 	Size of the AH/ESP replay window, in packets.
 
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 6f030ef2a5..d66a6e9a4a 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -93,6 +93,11 @@ struct private_credential_manager_t {
 	 * Registered data to pass to hook
 	 */
 	void *hook_data;
+
+	/**
+	 * Whether to reject pre-trusted end-entity certificates
+	 */
+	bool reject_pretrusted;
 };
 
 /** data to pass to create_private_enumerator */
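Review bot: The option text added to charon.opt leaves out the consequence the commit message itself states: with `charon.reject_trusted_end_entity = yes`, end-entity certificates configured explicitly for a peer (e.g. via remote.certs in swanctl.conf) are matched as trusted as well and therefore rejected, which is the first thing an operator enabling this will run into. The strongswan.conf description is where that will be looked for, not the commit log. Consider extending the two description lines to `Reject peers that use trusted end-entity certificates (i.e. local certificates). If enabled, end-entity certificates for peers can't be configured explicitly anymore (e.g. via remote.certs in swanctl.conf).`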
@@ -924,6 +929,12 @@ METHOD(enumerator_t, trusted_enumerate, bool,
 		this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id);
 		if (this->pretrusted)
 		{
+			if (this->this->reject_pretrusted)
+			{
+				DBG1(DBG_CFG, " rejecting trusted certificate \"%Y\"",
+					 this->pretrusted->get_subject(this->pretrusted));
+				return FALSE;
+			}
 			DBG1(DBG_CFG, " using trusted certificate \"%Y\"",
 				 this->pretrusted->get_subject(this->pretrusted));
 			/* if we find a trusted self signed certificate, we just accept it.
@@ -1436,6 +1447,8 @@ credential_manager_t *credential_manager_create()
 		.cache_queue = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.reject_pretrusted = lib->settings->get_bool(lib->settings,
+								"%s.reject_trusted_end_entity", FALSE, lib->ns),
 	);
 
 	this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
-- 
2.47.2
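Review bot: The new `return FALSE` leaves the enumerator with `this->pretrusted` (obtained from get_pretrusted_cert() one line earlier) and the `this->candidates` enumerator created just before it still held; whether both are released depends on the enumerator's destroy method, which is outside the hunk, so confirm it destroys them on this path, otherwise every rejected peer costs a leaked certificate reference. This rejection is also the only signal an operator gets when a peer certificate they configured explicitly happens to be in the trusted set, so naming the cause in the log line would make that case diagnosable from the log alone, e.g. `DBG1(DBG_CFG, " rejecting trusted certificate \"%Y\" (reject_trusted_end_entity)",`. trusted_enumerate starts and ends outside the hunk.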
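Review bot: `reject_pretrusted` is read from lib->settings once in credential_manager_create() and then only consulted as a stored field, so as far as this hunk shows a later change to the setting has no effect until the credential manager is created again; neither the field comment in the struct hunk nor the charon.opt text says so. A short note on the initializer such as `/* read once at creation, not refreshed on reload */` would save the next reader from checking, assuming the manager is not re-created on configuration reload elsewhere. credential_manager_create() continues outside the hunk.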