credential-manager: Add option to reject trusted end-entity certificates

This allows preventing peers from authenticating with certificates
that are locally trusted, in particular, our own local certificate (which
safeguards against accidental reuse of certificates on multiple peers).

On the other hand, if this option is enabled, end-entity certificates
for peers can no longer be configured explicitly (e.g. via remote.certs
in swanctl.conf).
This commit is contained in:
Tobias Brunner 2023-05-31 14:39:05 +02:00
parent 28ccdff692
commit 04c17ab56a
2 changed files with 17 additions and 0 deletions


@ -372,6 +372,10 @@ charon.receive_delay_request = yes
charon.receive_delay_type = 0
Specific IKEv2 message type to delay, 0 for any.
charon.reject_trusted_end_entity = no
Reject peers that use trusted end-entity certificates (i.e. local
certificates).
charon.replay_window = 32
Size of the AH/ESP replay window, in packets.


@ -93,6 +93,11 @@ struct private_credential_manager_t {
* Registered data to pass to hook
*/
void *hook_data;
/**
* Whether to reject pre-trusted end-entity certificates
*/
bool reject_pretrusted;
};
/** data to pass to create_private_enumerator */
@ -924,6 +929,12 @@ METHOD(enumerator_t, trusted_enumerate, bool,
this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id);
if (this->pretrusted)
{
if (this->this->reject_pretrusted)
{
DBG1(DBG_CFG, " rejecting trusted certificate \"%Y\"",
this->pretrusted->get_subject(this->pretrusted));
return FALSE;
}
DBG1(DBG_CFG, " using trusted certificate \"%Y\"",
this->pretrusted->get_subject(this->pretrusted));
/* if we find a trusted self signed certificate, we just accept it.
@ -1436,6 +1447,8 @@ credential_manager_t *credential_manager_create()
.cache_queue = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.reject_pretrusted = lib->settings->get_bool(lib->settings,
"%s.reject_trusted_end_entity", FALSE, lib->ns),
);
this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
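Review bot: In the trusted_enumerate hunk, the new reject branch returns FALSE while `this->pretrusted` still holds the certificate just obtained from get_pretrusted_cert(); whether the enumerator's destroy callback releases that reference is not visible here, so either confirm it does or release it before returning (`this->pretrusted->destroy(this->pretrusted); this->pretrusted = NULL;` if the reference is owned by the enumerator). The early return also terminates the whole enumeration, so no other candidate chain is tried for a peer whose certificate is found in a trusted set, which is what makes remote.certs unusable for peers once the option is on; the struct field comment would be more helpful if it said so, e.g. `/** Whether to reject pre-trusted end-entity certificates; ends trusted enumeration, so explicitly configured peer certificates are refused too */`. The flag is read once in credential_manager_create from `%s.reject_trusted_end_entity`, so a change to the setting presumably needs a restart rather than a reload — worth noting in the option description if that is the case. Both trusted_enumerate and credential_manager_create start and end outside their hunks.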