Added a left/rightcertpolicy keyword to specify certificatePolicy requirements
authorMartin Willi <martin@revosec.ch>
Fri, 7 Jan 2011 14:14:41 +0000 (15:14 +0100)
committerMartin Willi <martin@revosec.ch>
Fri, 7 Jan 2011 14:51:35 +0000 (15:51 +0100)
man/ipsec.conf.5.in
src/libcharon/plugins/stroke/stroke_config.c
src/libcharon/plugins/stroke/stroke_socket.c
src/starter/args.c
src/starter/confread.h
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterstroke.c
src/stroke/stroke_msg.h

index 0de9a2c..a75b556 100644 (file)
@@ -598,6 +598,10 @@ Same as
 .B leftcert,
 but for the second authentication round (IKEv2 only).
 .TP
+.BR leftcertpolicy " = <OIDs>"
+Comma separated list of certificate policy OIDs the peers certificate must have.
+OIDs are specified using the numerical dotted representation (IKEv2 only).
+.TP
 .BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
 (including masquerading) using iptables for traffic from \fIleftsubnet\fR,
index 4f2f58e..dc2c57e 100644 (file)
@@ -429,6 +429,20 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                enumerator->destroy(enumerator);
        }
 
+       /* certificatePolicies */
+       if (end->cert_policy)
+       {
+               enumerator_t *enumerator;
+               char *policy;
+
+               enumerator = enumerator_create_token(end->cert_policy, ",", " ");
+               while (enumerator->enumerate(enumerator, &policy))
+               {
+                       cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));
+               }
+               enumerator->destroy(enumerator);
+       }
+
        /* authentication metod (class, actually) */
        if (streq(auth, "pubkey") ||
                streq(auth, "rsasig") || streq(auth, "rsa") ||
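Review bot: Each policy token is stored with `strdup(policy)` as an opaque string, and nothing in the new loop checks that it is the dotted-numeric OID the man page requires; a mistyped entry would presumably surface only when the rule is compared against a peer certificate, where it can never match and the peer is rejected with no hint at the configuration cause. Converting the token to an OID here (with the OID-from-string helper libstrongswan's asn1 module provides, if one is available in this tree) and logging a DBG1 warning for a malformed token would report the misconfiguration at load time instead. The bare `/* certificatePolicies */` comment could also state the rule semantics, e.g. `/* certificatePolicies: one AUTH_RULE_CERT_POLICY rule per OID; the peer certificate must carry all of them */`, matching the man page text in this commit. build_auth_cfg begins and ends outside the hunk.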
index 3762ffc..18e7790 100644 (file)
@@ -151,6 +151,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
        pop_string(msg, &end->ca);
        pop_string(msg, &end->ca2);
        pop_string(msg, &end->groups);
+       pop_string(msg, &end->cert_policy);
        pop_string(msg, &end->updown);
 
        DBG2(DBG_CFG, "  %s=%s", label, end->address);
index c13f5a9..87307f1 100644 (file)
@@ -273,6 +273,7 @@ static const token_info_t token_info[] =
        { ARG_STR,  offsetof(starter_end_t, rsakey), NULL                              },
        { ARG_STR,  offsetof(starter_end_t, cert), NULL                                },
        { ARG_STR,  offsetof(starter_end_t, cert2), NULL                               },
+       { ARG_STR,  offsetof(starter_end_t, cert_policy), NULL                         },
        { ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert                    },
        { ARG_STR,  offsetof(starter_end_t, ca), NULL                                  },
        { ARG_STR,  offsetof(starter_end_t, ca2), NULL                                 },
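Review bot: The new `token_info[]` entry is placed after `cert2` and before `sendcert`, which appears to rely on the table being indexed in the same order as the keyword enum, where KW_CERTPOLICY, KW_LEFTCERTPOLICY and KW_RIGHTCERTPOLICY are inserted at the corresponding positions in the three keywords.h hunks; nothing in either file records that the insertions must stay in lock-step, including the left and right ranges staying parallel. A one-line comment at this entry, e.g. `/* position must match KW_CERTPOLICY and the left/right variants in keywords.h */`, would protect the next keyword addition from a silent off-by-one between table and enum. The `token_info` array begins before and ends after the hunk.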
index 75ef992..4f9c5f7 100644 (file)
@@ -64,6 +64,7 @@ struct starter_end {
                char            *ca;
                char            *ca2;
                char            *groups;
+               char            *cert_policy;
                char            *iface;
                ip_address      addr;
                u_int           ikeport;
index 038391a..9f46a8b 100644 (file)
@@ -142,6 +142,7 @@ typedef enum {
        KW_RSASIGKEY,
        KW_CERT,
        KW_CERT2,
+       KW_CERTPOLICY,
        KW_SENDCERT,
        KW_CA,
        KW_CA2,
@@ -171,6 +172,7 @@ typedef enum {
        KW_LEFTRSASIGKEY,
        KW_LEFTCERT,
        KW_LEFTCERT2,
+       KW_LEFTCERTPOLICY,
        KW_LEFTSENDCERT,
        KW_LEFTCA,
        KW_LEFTCA2,
@@ -199,6 +201,7 @@ typedef enum {
        KW_RIGHTRSASIGKEY,
        KW_RIGHTCERT,
        KW_RIGHTCERT2,
+       KW_RIGHTCERTPOLICY,
        KW_RIGHTSENDCERT,
        KW_RIGHTCA,
        KW_RIGHTCA2,
index 67ae53f..2c0e5de 100644 (file)
@@ -121,8 +121,9 @@ leftid2,           KW_LEFTID2
 leftauth,          KW_LEFTAUTH
 leftauth2,         KW_LEFTAUTH2
 leftrsasigkey,     KW_LEFTRSASIGKEY
-leftcert,          KW_LEFTCERT,
-leftcert2,         KW_LEFTCERT2,
+leftcert,          KW_LEFTCERT
+leftcert2,         KW_LEFTCERT2
+leftcertpolicy,    KW_LEFTCERTPOLICY
 leftsendcert,      KW_LEFTSENDCERT
 leftca,            KW_LEFTCA
 leftca2,           KW_LEFTCA2
@@ -146,6 +147,7 @@ rightauth2,        KW_RIGHTAUTH2
 rightrsasigkey,    KW_RIGHTRSASIGKEY
 rightcert,         KW_RIGHTCERT
 rightcert2,        KW_RIGHTCERT2
+rightcertpolicy,   KW_RIGHTCERTPOLICY
 rightsendcert,     KW_RIGHTSENDCERT
 rightca,           KW_RIGHTCA
 rightca2,          KW_RIGHTCA2
index a7e098d..f251667 100644 (file)
@@ -171,6 +171,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
        msg_end->id2 = push_string(msg, conn_end->id2);
        msg_end->cert = push_string(msg, conn_end->cert);
        msg_end->cert2 = push_string(msg, conn_end->cert2);
+       msg_end->cert_policy = push_string(msg, conn_end->cert_policy);
        msg_end->ca = push_string(msg, conn_end->ca);
        msg_end->ca2 = push_string(msg, conn_end->ca2);
        msg_end->groups = push_string(msg, conn_end->groups);
index adb9d0e..3af2b70 100644 (file)
@@ -149,6 +149,7 @@ struct stroke_end_t {
        char *ca;
        char *ca2;
        char *groups;
+       char *cert_policy;
        char *updown;
        char *address;
        u_int16_t ikeport;
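Review bot: Adding `cert_policy` to `stroke_end_t` changes the layout of the message that starterstroke.c fills via push_string and stroke_socket.c reads via pop_string, so a starter and a charon stroke plugin built from different revisions would presumably disagree on where the fields after it live; whether the message carries a layout check that both sides already enforce is not visible here. A short comment on the struct, e.g. `/* layout is shared with starter; both sides must be rebuilt when fields change */`, would make that coupling explicit for the next field added. The struct definition starts outside the hunk.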