Added support for trustchain key strength checking to rightauth option
parent
6367de28ad
commit
44e513a320
|
@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA),
|
|||
.B psk
|
||||
for pre-shared key authentication and
|
||||
.B eap
|
||||
to (require the) use of the Extensible Authentication Protocol. In the case
|
||||
of
|
||||
to (require the) use of the Extensible Authentication Protocol.
|
||||
To require a trustchain public key strength for the remote side, specify the
|
||||
key type followed by the strength in bits (for example
|
||||
.BR rsa-2048
|
||||
or
|
||||
.BR ecdsa-256 ).
|
||||
For
|
||||
.B eap,
|
||||
an optional EAP method can be appended. Currently defined methods are
|
||||
.BR eap-aka ,
|
||||
|
|
|
@ -445,11 +445,22 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
|
|||
|
||||
/* authentication metod (class, actually) */
|
||||
if (streq(auth, "pubkey") ||
|
||||
streq(auth, "rsasig") || streq(auth, "rsa") ||
|
||||
streq(auth, "ecdsasig") || streq(auth, "ecdsa"))
|
||||
strneq(auth, "rsa", strlen("rsa")) ||
|
||||
strneq(auth, "ecdsa", strlen("ecdsa")))
|
||||
{
|
||||
u_int strength;
|
||||
|
||||
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
|
||||
build_crl_policy(cfg, local, msg->add_conn.crl_policy);
|
||||
|
||||
if (sscanf(auth, "rsa-%d", &strength) == 1)
|
||||
{
|
||||
cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
|
||||
}
|
||||
if (sscanf(auth, "ecdsa-%d", &strength) == 1)
|
||||
{
|
||||
cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
|
||||
}
|
||||
}
|
||||
else if (streq(auth, "psk") || streq(auth, "secret"))
|
||||
{
|
||||
|
|
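Review bot: A strength suffix that fails to parse is silently dropped. The new `strneq(auth, "rsa", strlen("rsa"))` and `strneq(auth, "ecdsa", strlen("ecdsa"))` prefix tests accept any string starting with those letters, and when neither `sscanf` returns 1 (a mistyped digit, say) the config is built as plain pubkey authentication with no `AUTH_RULE_RSA_STRENGTH` / `AUTH_RULE_ECDSA_STRENGTH` rule, so an operator can believe a minimum trustchain key strength is enforced when it is not. Text after the digits is also ignored, and `%d` is paired with `u_int strength` where the conversion should be `%u`. The sketch below accepts only the exact legacy keywords or a fully parsed `type-bits` form and logs anything else. Whether to also abort building the config depends on build_auth_cfg's error path, which lies outside this hunk.

```c
		u_int strength;
		char rest;

		/* … unchanged: AUTH_CLASS_PUBKEY rule and build_crl_policy() call … */

		/* "%u%c" returns 1 only when nothing follows the digits */
		if (sscanf(auth, "rsa-%u%c", &strength, &rest) == 1)
		{
			cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
		}
		else if (sscanf(auth, "ecdsa-%u%c", &strength, &rest) == 1)
		{
			cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
		}
		else if (!streq(auth, "pubkey") &&
				 !streq(auth, "rsa") && !streq(auth, "rsasig") &&
				 !streq(auth, "ecdsa") && !streq(auth, "ecdsasig"))
		{
			/* do not fall back to an unconstrained pubkey rule without telling the operator */
			DBG1(DBG_CFG, "invalid key strength in auth option '%s'", auth);
		}
```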