auth-cfg: Add BLISS key strength constraint
authorTobias Brunner <tobias@strongswan.org>
Mon, 2 Mar 2015 14:49:53 +0000 (15:49 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 4 Mar 2015 12:54:11 +0000 (13:54 +0100)
src/libstrongswan/credentials/auth_cfg.c
src/libstrongswan/credentials/auth_cfg.h

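--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -49,6 +49,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
 	"RULE_GROUP",
 	"RULE_RSA_STRENGTH",
 	"RULE_ECDSA_STRENGTH",
+	"RULE_BLISS_STRENGTH",
 	"RULE_SIGNATURE_SCHEME",
 	"RULE_CERT_POLICY",
 	"HELPER_IM_CERT",
@@ -71,6 +72,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_EAP_VENDOR:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_IDENTITY_LOOSE:
 		case AUTH_RULE_EAP_IDENTITY:
@@ -207,6 +209,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
 			/* integer type */
 			this->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -255,6 +258,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
 		{
 			return e1->value == e2->value;
@@ -345,6 +349,7 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
 		case AUTH_RULE_MAX:
 			break;
@@ -376,6 +381,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_OCSP_VALIDATION:
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
+			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
 				/* integer type */
 				entry->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -450,6 +456,7 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_RULE_EAP_VENDOR:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 			return (void*)0;
 		case AUTH_RULE_SIGNATURE_SCHEME:
 			return (void*)HASH_UNKNOWN;
@@ -513,6 +520,7 @@ METHOD(auth_cfg_t, complies, bool,
 	signature_scheme_t scheme = SIGN_UNKNOWN;
 	u_int strength = 0;
 	auth_rule_t t1, t2;
+	char *key_type;
 	void *value;
 
 	e1 = constraints->create_enumerator(constraints);
@@ -703,6 +711,7 @@ METHOD(auth_cfg_t, complies, bool,
 			}
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
+			case AUTH_RULE_BLISS_STRENGTH:
 			{
 				strength = (uintptr_t)value;
 				break;
@@ -797,30 +806,39 @@ METHOD(auth_cfg_t, complies, bool,
 		e2 = create_enumerator(this);
 		while (e2->enumerate(e2, &t2, &strength))
 		{
-			if (t2 == AUTH_RULE_RSA_STRENGTH ||
-				t2 == AUTH_RULE_ECDSA_STRENGTH)
+			switch (t2)
 			{
-				success = FALSE;
-				e1 = constraints->create_enumerator(constraints);
-				while (e1->enumerate(e1, &t1, &value))
+				default:
+					continue;
+				case AUTH_RULE_RSA_STRENGTH:
+					key_type = "RSA";
+					break;
+				case AUTH_RULE_ECDSA_STRENGTH:
+					key_type = "ECDSA";
+					break;
+				case AUTH_RULE_BLISS_STRENGTH:
+					key_type = "BLISS";
+					break;
+			}
+			success = FALSE;
+			e1 = constraints->create_enumerator(constraints);
+			while (e1->enumerate(e1, &t1, &value))
+			{
+				if (t1 == t2 && (uintptr_t)value <= strength)
 				{
-					if (t1 == t2 && (uintptr_t)value <= strength)
-					{
-						success = TRUE;
-						break;
-					}
+					success = TRUE;
+					break;
 				}
-				e1->destroy(e1);
-				if (!success)
+			}
+			e1->destroy(e1);
+			if (!success)
+			{
+				if (log_error)
 				{
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "%s-%d signatures not acceptable",
-							 t2 == AUTH_RULE_RSA_STRENGTH ? "RSA" : "ECDSA",
-							 strength);
-					}
-					break;
+					DBG1(DBG_CFG, "%s-%d signatures not acceptable",
+						 key_type, strength);
 				}
+				break;
 			}
 		}
 		e2->destroy(e2);
@@ -891,6 +909,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_EAP_VENDOR:
 				case AUTH_RULE_RSA_STRENGTH:
 				case AUTH_RULE_ECDSA_STRENGTH:
+				case AUTH_RULE_BLISS_STRENGTH:
 				case AUTH_RULE_SIGNATURE_SCHEME:
 				{
 					add(this, type, (uintptr_t)value);
@@ -1060,6 +1079,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_OCSP_VALIDATION:
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
+			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
 				clone->add(clone, type, (uintptr_t)value);
 				break;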
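Review bot: In the rewritten strength loop of complies() (hunk @@ -797,30 +806,39 @@) the outer enumeration still passes `&strength`, a `u_int`, as the value out-parameter, while the inner loop in the same hunk enumerates into `void *value` and reads it with `(uintptr_t)value`; if the enumerator writes a pointer-sized value — which the inner loop suggests, please confirm against the entry enumerator — the write exceeds the 4-byte variable on LP64 targets and the comparison `(uintptr_t)value <= strength` operates on a truncated strength. The safer form is `while (e2->enumerate(e2, &t2, &value))` followed by `strength = (uintptr_t)value;` right after the new `switch (t2)`, mirroring the existing `strength = (uintptr_t)value;` in hunk @@ -703,6 +711,7 @@. Separately, `"%s-%d signatures not acceptable"` formats the `u_int` with `%d`; `%u` matches the type. complies() starts and ends outside this hunk.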
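--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -102,6 +102,8 @@ enum auth_rule_t {
 	AUTH_RULE_RSA_STRENGTH,
 	/** required ECDSA public key strength, u_int in bits */
 	AUTH_RULE_ECDSA_STRENGTH,
+	/** required BLISS public key strength, u_int in bits */
+	AUTH_RULE_BLISS_STRENGTH,
 	/** required signature scheme, signature_scheme_t */
 	AUTH_RULE_SIGNATURE_SCHEME,
 	/** certificatePolicy constraint, numerical OID as char* */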
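Review bot: Inserting `AUTH_RULE_BLISS_STRENGTH` in the middle of `enum auth_rule_t` renumbers every constant that follows it (`AUTH_RULE_SIGNATURE_SCHEME`, `AUTH_RULE_CERT_POLICY` and the helper rules), so anything built against the previous header and not rebuilt in lockstep will switch on and log the wrong rule type; the in-tree `auth_rule_names` table is updated in the same commit, so only out-of-tree consumers are affected, if any exist. The doc comment could also say what "bits" denotes for BLISS, since it is compared numerically against the `AUTH_RULE_RSA_STRENGTH`/`AUTH_RULE_ECDSA_STRENGTH` values in complies() and a reader will not know whether it is a security level or a parameter size: `/** required BLISS public key strength, u_int in bits (same scale as the RSA/ECDSA strength rules; see complies()) */`. The enum `auth_rule_t` begins and ends outside this hunk.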