From: Tobias Brunner
Date: Wed, 31 May 2023 12:39:05 +0000 (+0200)
Subject: credential-manager: Add option to reject trusted end-entity certificates
X-Git-Tag: 5.9.12rc1~11
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=04c17ab56a6a00a60cf2ac0becbbc29a7eff22bb;p=thirdparty%2Fstrongswan.git

credential-manager: Add option to reject trusted end-entity certificates

This allows preventing peers from authenticating with certificates that are locally trusted, in particular, our own local certificate (which safeguards against accidental reuse of certificates on multiple peers). On the other hand, if this option is enabled, end-entity certificates for peers can't be configured anymore explicitly (e.g. via remote.certs in swanctl.conf).
---
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 72efd17de2..e07f1dd853 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -372,6 +372,10 @@ charon.receive_delay_request = yes
 charon.receive_delay_type = 0
 Specific IKEv2 message type to delay, 0 for any.
 
+charon.reject_trusted_end_entity = no
+ Reject peers that use trusted end-entity certificates (i.e. local
+ certificates).
+
 charon.replay_window = 32
 Size of the AH/ESP replay window, in packets.
 
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 6f030ef2a5..d66a6e9a4a 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -93,6 +93,11 @@ struct private_credential_manager_t {
 * Registered data to pass to hook
 */
 void *hook_data;
+
+ /**
+ * Whether to reject pre-trusted end-entity certificates
+ */
+ bool reject_pretrusted;
 };
 
 /** data to pass to create_private_enumerator */
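Review bot: The new option text in charon.opt says only that trusted end-entity certificates are rejected, while the commit message carries the operationally important consequence that explicitly configured peer certificates (e.g. via remote.certs in swanctl.conf) can then no longer be used; operators read charon.opt, not the commit log, so that caveat belongs in the description. Suggested wording: `Reject peers that use trusted end-entity certificates (i.e. local certificates). Note that enabling this also prevents explicitly configured peer certificates (e.g. via remote.certs in swanctl.conf) from being accepted.` It may also be worth stating whether the option affects only IKE peer authentication or every trusted-certificate lookup, since the description as written implies the former and the code in credential_manager.c does not obviously restrict it.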
@@ -924,6 +929,12 @@ METHOD(enumerator_t, trusted_enumerate, bool,
 this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id);
 if (this->pretrusted)
 {
+ if (this->this->reject_pretrusted)
+ {
+ DBG1(DBG_CFG, " rejecting trusted certificate \"%Y\"",
+ this->pretrusted->get_subject(this->pretrusted));
+ return FALSE;
+ }
 DBG1(DBG_CFG, " using trusted certificate \"%Y\"",
 this->pretrusted->get_subject(this->pretrusted));
 /* if we find a trusted self signed certificate, we just accept it.
@@ -1436,6 +1447,8 @@ credential_manager_t *credential_manager_create()
 .cache_queue = linked_list_create(),
 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 .queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .reject_pretrusted = lib->settings->get_bool(lib->settings,
+ "%s.reject_trusted_end_entity", FALSE, lib->ns),
 );
 
 this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
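Review bot: The new `if (this->this->reject_pretrusted)` branch rejects whatever get_pretrusted_cert() returns, yet the context comment immediately below it ("if we find a trusted self signed certificate, we just accept it") shows that trusted self-signed CA certificates reach this same point; with the option enabled, any caller that looks up a trusted CA by subject through this enumerator (CRL or OCSP signer verification may be among them, which I cannot confirm from the hunk) would now get an immediate `return FALSE` with no fallback, which is wider than the "end-entity" scope the option name and charon.opt text promise. Narrowing the rejection to certificates that are not self-signed — evaluating the self-signed test the following comment refers to before returning FALSE, or equivalently skipping the reject when the certificate is its own issuer — would keep the safeguard against reuse of our own certificate without turning trust anchors into failures. Independently, the log line should say why the certificate was refused so operators do not mistake it for a validation failure, e.g. `DBG1(DBG_CFG, " rejecting trusted certificate \"%Y\" (reject_trusted_end_entity)",`. Also worth checking that the enumerator's destroy path releases `this->pretrusted` on this early return, since the reference obtained from get_pretrusted_cert() is still held; trusted_enumerate continues outside the hunk.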