Added support for trustchain key strength checking to rightauth option
authorMartin Willi <martin@revosec.ch>
Fri, 7 Jan 2011 14:38:34 +0000 (15:38 +0100)
committerMartin Willi <martin@revosec.ch>
Fri, 7 Jan 2011 14:51:35 +0000 (15:51 +0100)
man/ipsec.conf.5.in
src/libcharon/plugins/stroke/stroke_config.c

index a75b556..48eb136 100644 (file)
@@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA),
 .B psk
 for pre-shared key authentication and
 .B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
+to (require the) use of the Extensible Authentication Protocol.
+To require a trustchain public key strength for the remote side, specify the
+key type followed by the strength in bits (for example
+.BR rsa-2048
+or
+.BR ecdsa-256 ).
+For
 .B eap,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
index dc2c57e..ea7d175 100644 (file)
@@ -445,11 +445,22 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 
        /* authentication metod (class, actually) */
        if (streq(auth, "pubkey") ||
-               streq(auth, "rsasig") || streq(auth, "rsa") ||
-               streq(auth, "ecdsasig") || streq(auth, "ecdsa"))
+               strneq(auth, "rsa", strlen("rsa")) ||
+               strneq(auth, "ecdsa", strlen("ecdsa")))
        {
+               u_int strength;
+
                cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
                build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+
+               if (sscanf(auth, "rsa-%d", &strength) == 1)
+               {
+                       cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
+               }
+               if (sscanf(auth, "ecdsa-%d", &strength) == 1)
+               {
+                       cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
+               }
        }
        else if (streq(auth, "psk") || streq(auth, "secret"))
        {