From: Martin Willi <martin@revosec.ch>
Date: Thu, 23 Feb 2012 14:05:28 +0000 (+0100)
Subject: pubkey-authenticator: Added an option to allow mismatches between IKE identity and... 
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=fb072014c462a81cb5c72daa88cb1f4921b16a35;p=thirdparty%2Fstrongswan.git

pubkey-authenticator: Added an option to allow mismatches between IKE identity and certificates
---

diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 55db379ffe..0496e6bdb2 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -440,7 +440,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		}
 		enumerator->destroy(enumerator);
 
-		if (first && !has_subject)
+		if (first && !has_subject &&
+			lib->settings->get_bool(lib->settings,
+									"charon.cert_id_binding", TRUE))
 		{
 			DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
 				 "defaulting to '%Y'", identity, first->get_subject(first));
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 4f83dad10c..df88e4ae41 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -509,6 +509,39 @@ static status_t sign_classic(private_pubkey_authenticator_t *this,
 	return status;
 }
 
+/**
+ * Check if we should enforce a specific certificate, return ID of it
+ */
+static identification_t *get_cert_id(ike_sa_t *ike_sa, bool local)
+{
+	identification_t *id;
+	auth_cfg_t *auth;
+	certificate_t *cert = NULL;
+
+	id = local ? ike_sa->get_my_id(ike_sa) : ike_sa->get_other_id(ike_sa);
+
+	if (lib->settings->get_bool(lib->settings, "charon.cert_id_binding", TRUE))
+	{	/* disabled by config, use IKE identity */
+		return id;
+	}
+	auth = ike_sa->get_auth_cfg(ike_sa, local);
+	if (local)
+	{	/* apply certificate from config */
+		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	}
+	else
+	{	/* get certificate received in CERT payload */
+		cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
+	}
+	if (cert && !cert->has_subject(cert, id))
+	{	/* not as subjectAltName, use subject */
+		DBG1(DBG_CFG, "enforcing %s cert '%Y' mismatching IKE identity '%Y'",
+			 local ? "local" : "remote", cert->get_subject(cert), id);
+		id = cert->get_subject(cert);
+	}
+	return id;
+}
+
 METHOD(authenticator_t, build, status_t,
 	private_pubkey_authenticator_t *this, message_t *message)
 {
@@ -517,7 +550,7 @@ METHOD(authenticator_t, build, status_t,
 	auth_cfg_t *auth;
 	status_t status;
 
-	id = this->ike_sa->get_my_id(this->ike_sa);
+	id = get_cert_id(this->ike_sa, TRUE);
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
 	private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
 	if (!private)
@@ -626,7 +659,7 @@ METHOD(authenticator_t, process, status_t,
 			signature_params_destroy(params);
 			return INVALID_ARG;
 	}
-	id = this->ike_sa->get_other_id(this->ike_sa);
+	id = get_cert_id(this->ike_sa, FALSE);
 	if (!get_auth_octets_scheme(this, TRUE, id, this->ppk, &octets, &params))
 	{
 		return FAILED;