ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Key strength checking stores all key sizes in auth_cfg, verifies all in complies()

This commit is contained in:
Martin Willi 2010-12-07 17:48:23 +01:00
parent 37b3fad782
commit 473d5aa868
2 changed files with 84 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
src/libstrongswan/credentials/auth_cfg.c
View File

@ -366,38 +366,45 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
{
cert_validation_t validated, required;
uintptr_t validated;
required = (uintptr_t)value;
validated = (uintptr_t)get(this, t1);
switch (required)
e2 = create_enumerator(this);
while (e2->enumerate(e2, &t2, &validated))
{
case VALIDATION_FAILED:
/* no constraint */
break;
case VALIDATION_SKIPPED:
if (validated == VALIDATION_SKIPPED)
if (t2 == t1)
{
switch ((uintptr_t)value)
{
break;
case VALIDATION_FAILED:
/* no constraint */
break;
case VALIDATION_SKIPPED:
if (validated == VALIDATION_SKIPPED)
{
break;
}
/* FALL */
case VALIDATION_GOOD:
if (validated == VALIDATION_GOOD)
{
break;
}
/* FALL */
default:
success = FALSE;
if (log_error)
{
DBG1(DBG_CFG, "constraint check failed: "
"%N is %N, but requires at least %N",
auth_rule_names, t1,
cert_validation_names, validated,
cert_validation_names, (uintptr_t)value);
}
break;
}
/* FALL */
case VALIDATION_GOOD:
if (validated == VALIDATION_GOOD)
{
break;
}
/* FALL */
default:
success = FALSE;
if (log_error)
{
DBG1(DBG_CFG, "constraint check failed: %N is %N, "
"but requires at least %N", auth_rule_names,
t1, cert_validation_names, validated,
cert_validation_names, required);
}
break;
}
}
e2->destroy(e2);
break;
}
case AUTH_RULE_IDENTITY:
@ -484,15 +491,44 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
{
if ((uintptr_t)value > (uintptr_t)get(this, t1))
uintptr_t strength;
e2 = create_enumerator(this);
while (e2->enumerate(e2, &t2, &strength))
{
success = FALSE;
if (log_error)
if (t2 == t1)
{
DBG1(DBG_CFG, "constraint requires %d bit public key "
"strength", value);
if ((uintptr_t)value > strength)
{
success = FALSE;
if (log_error)
{
DBG1(DBG_CFG, "constraint requires %d bit "
"public keys, but %d bit key used",
(uintptr_t)value, strength);
}
}
}
else if (t2 == AUTH_RULE_RSA_STRENGTH)
{
success = FALSE;
if (log_error)
{
DBG1(DBG_CFG, "constraint requires %d bit ECDSA, "
"but RSA used", (uintptr_t)value);
}
}
else if (t2 == AUTH_RULE_ECDSA_STRENGTH)
{
success = FALSE;
if (log_error)
{
DBG1(DBG_CFG, "constraint requires %d bit RSA, "
"but ECDSA used", (uintptr_t)value);
}
}
}
e2->destroy(e2);
break;
}
case AUTH_HELPER_IM_CERT:

59
src/libstrongswan/credentials/credential_manager.c
View File

@ -551,52 +551,21 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
}
/**
* Get the strength of the weakest key in a trustchain
* Get the strength of certificate, add it to auth
*/
static void calculate_trustchain_strength(auth_cfg_t *auth)
static void get_key_strength(certificate_t *cert, auth_cfg_t *auth)
{
enumerator_t *enumerator;
uintptr_t strength = 0;
key_type_t type = KEY_ANY;
certificate_t *cert;
uintptr_t strength;
public_key_t *key;
auth_rule_t rule;
key_type_t type;
enumerator = auth->create_enumerator(auth);
while (enumerator->enumerate(enumerator, &rule, &cert))
{
switch (rule)
{
case AUTH_RULE_SUBJECT_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_CA_CERT:
{
key = cert->get_public_key(cert);
if (!key || (type != KEY_ANY && type != key->get_type(key)))
{ /* no key, or different key families */
DESTROY_IF(key);
enumerator->destroy(enumerator);
return;
}
type = key->get_type(key);
if (!strength)
{
strength = key->get_keysize(key);
}
else
{
strength = min(strength, key->get_keysize(key));
}
key->destroy(key);
break;
}
default:
break;
}
}
enumerator->destroy(enumerator);
if (strength)
key = cert->get_public_key(cert);
if (key)
{
type = key->get_type(key);
strength = key->get_keysize(key);
DBG2(DBG_CFG, " certificate \"%Y\" key: %d bit %N",
cert->get_subject(cert), strength, key_type_names, type);
switch (type)
{
case KEY_RSA:
@ -608,6 +577,7 @@ static void calculate_trustchain_strength(auth_cfg_t *auth)
default:
break;
}
key->destroy(key);
}
}
@ -623,6 +593,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
int pathlen;
auth = auth_cfg_create();
get_key_strength(subject, auth);
current = subject->get_ref(subject);
for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
@ -675,6 +646,10 @@ static bool verify_trust_chain(private_credential_manager_t *this,
issuer->destroy(issuer);
break;
}
if (issuer)
{
get_key_strength(issuer, auth);
}
current->destroy(current);
current = issuer;
if (trusted)
@ -746,7 +721,6 @@ METHOD(enumerator_t, trusted_enumerate, bool,
{
this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
this->pretrusted->get_ref(this->pretrusted));
calculate_trustchain_strength(this->auth);
DBG1(DBG_CFG, " using trusted certificate \"%Y\"",
this->pretrusted->get_subject(this->pretrusted));
*cert = this->pretrusted;
@ -775,7 +749,6 @@ METHOD(enumerator_t, trusted_enumerate, bool,
this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
current->get_ref(current));
*cert = current;
calculate_trustchain_strength(this->auth);
if (auth)
{
*auth = this->auth;