Permalink
Browse files

wo#5451 . actually pick the correct private key based upon the public

key that was provided in the CONN.
  • Loading branch information...
mcr committed Apr 10, 2017
1 parent b2d6a7f commit 6f2203a9fab4b9a497be126ac9f4d5d134c66286
@@ -191,6 +191,8 @@ extern void RSA_show_key_fields(struct private_key_stuff *pks);
extern struct secret *osw_find_secret_by_id(struct secret *secrets
, enum PrivateKeyKind kind
, const struct id *my_id
, osw_public_key *key1
, osw_public_key *key2
, const struct id *his_id
, bool asym);
@@ -390,16 +390,19 @@ struct secret *osw_find_secret_by_public_key(struct secret *secrets
struct secret *osw_find_secret_by_id(struct secret *secrets
, enum PrivateKeyKind kind
, const struct id *my_id
, osw_public_key *key1
, osw_public_key *key2
, const struct id *his_id
, bool asym)
{
char idstr1[IDTOA_BUF], idme[IDTOA_BUF]
, idhim[IDTOA_BUF], idhim2[IDTOA_BUF];
enum { /* bits */
match_default = 01,
match_any = 02,
match_him = 04,
match_me = 010
match_default = 0x1,
match_any = 0x2,
match_him = 0x4,
match_me = 0x8,
match_me_pubkey = 0x10
};
unsigned int best_match = 0;
struct secret *s, *best = NULL;
@@ -475,11 +478,25 @@ struct secret *osw_find_secret_by_id(struct secret *secrets
match |= match_default;
}
if(key1) {
if(key1 == s->pks.pub ||
memcmp(key1->key_ckaid, s->pks.pub->key_ckaid, sizeof(key1->key_ckaid))==0) {
match = match_me_pubkey;
}
}
if(key2) {
if(key2 == s->pks.pub ||
memcmp(key2->key_ckaid, s->pks.pub->key_ckaid, sizeof(key2->key_ckaid))==0) {
match = match_me_pubkey;
}
}
DBG(DBG_CONTROL,
DBG_log("line %d: match=%d\n", s->secretlineno, match));
switch (match)
{
case match_me_pubkey:
case match_me:
/* if this is an asymmetric (eg. public key) system,
* allow this-side-only match to count, even if
@@ -526,8 +543,8 @@ struct secret *osw_find_secret_by_id(struct secret *secrets
}
if (!same)
{
loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with distinct secrets match endpoints:"
" first secret used");
loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with distinct secrets match endpoints: %s",
(match == match_me_pubkey ? " matched by public key" : " first secret used"));
best = s; /* list is backwards: take latest in list */
}
}
@@ -515,7 +515,10 @@ osw_get_secret(const struct connection *c
best = osw_find_secret_by_id(pluto_secrets
, kind
, my_id, his_id, asym);
, my_id
, c->spd.this.key1
, c->spd.this.key2
, his_id, asym);
return best;
}
@@ -541,7 +544,7 @@ osw_get_xauthsecret(const struct connection *c UNUSED
best = osw_find_secret_by_id(pluto_secrets
, PPK_XAUTH
, &xa_id, NULL, TRUE);
, &xa_id, NULL, NULL, NULL, TRUE);
return best;
}
@@ -219,7 +219,7 @@ struct secret *pick_key(struct secret *host_secrets
}
s = osw_find_secret_by_id(host_secrets, PPK_RSA
, &id, NULL, TRUE /* asymmetric */);
, &id, NULL, NULL, NULL, TRUE /* asymmetric */);
if(s==NULL) {
char abuf[IDTOA_BUF];
@@ -19,3 +19,4 @@ include ${OPENSWANSRCDIR}/Makefile.inc
clean check:
@${MAKE} -C ct10-parentI2 $@
@${MAKE} -C ct12-parentR2 $@
@${MAKE} -C ct14-bigkeyI2 $@
@@ -264,9 +264,9 @@ sending 836 bytes for ikev2_parent_outI1_common through eth0:500 to 132.213.238.
| line 1: key type PPK_RSA(@parker01.emmjay.credil.org) to type PPK_RSA
| 1: compared key (none) to @parker01.emmjay.credil.org / @jamesjohnson.emmjay.credil.org -> 2
| 2: compared key (none) to @parker01.emmjay.credil.org / @jamesjohnson.emmjay.credil.org -> 2
| line 1: match=2
| best_match 0>2 line=1
| concluding with best_match=2 lineno=1
| line 1: match=16
| best_match 0>16 line=1
| concluding with best_match=16 lineno=1
| rsa key AQN7wUerV found
| inputs to hash1 (first packet)
| 80 01 02 03 04 05 06 07 00 00 00 00 00 00 00 00
@@ -2,8 +2,9 @@ This test case is an IKEv2 initiator on I2.
This uses the proper cryptographic options to form a *signature*
(the DH is still link seamed to constants).
In this test case, there are two keys loaded, and pluto must pick
the one that corresponds to the public mentioned in leftrsasigkey=.
In this test case, there are two keys loaded (via twosecrets.secrets),
and pluto must pick the one that corresponds to the public mentioned in
leftrsasigkey=. This is key: AQN7wUerV, the 2048 bit one.
It is a copy of lp10-parentI2 and ct10.
@@ -272,9 +272,9 @@ sending 836 bytes for ikev2_parent_outI1_common through eth0:500 to 132.213.238.
| line 1: key type PPK_RSA(@parker01.emmjay.credil.org) to type PPK_RSA
| 1: compared key (none) to @parker01.emmjay.credil.org / @jamesjohnson.emmjay.credil.org -> 2
| 2: compared key (none) to @parker01.emmjay.credil.org / @jamesjohnson.emmjay.credil.org -> 2
| line 1: match=2
./pickkeyI2 multiple ipsec.secrets entries with distinct secrets match endpoints: matched by public key
| concluding with best_match=2 lineno=1
| line 1: match=16
| best_match 2>16 line=1
| concluding with best_match=16 lineno=1
| rsa key AQN7wUerV found
| inputs to hash1 (first packet)
| 80 01 02 03 04 05 06 07 00 00 00 00 00 00 00 00

0 comments on commit 6f2203a

Please sign in to comment.