Reenable ASN1_DN IDs with certificates in iked

Tue, 16 May 2017 22:06:31 -0700 

A sample configuration:

ikev2 "win10host" passive esp \
  from 0.0.0.0/0 to 10.1.1.51 \
  local any peer any \
  ikesa auth hmac-sha2-384 enc aes-256 prf hmac-sha2-384 group modp2048 \
  childsa enc aes-256-gcm group modp2048 \
  srcid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=foo.stoo.org" \
  dstid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=bar.stoo.org" \
  rsa \
  config address 10.1.1.51 \
  config name-server 10.1.1.5 \
  config name-server 10.1.1.6 \
  tag "$name-$id"

The above configuration worked fine with iked in OpenBSD 6.0.  It broke
as of 6.1 with the following error:

set_policy_auth_method: ikeauth policy mismatch, rsa specified, but only 
rfc7427 possible
set_policy: failed to set policy auth method for
/etc/iked.conf: 17: create_ike failed
/etc/iked.conf: no valid configuration rules found

I use a CA certificate and signed host certificates generated using a
process like the EXAMPLES section in ikectl(8).  I'm a bit surprised
that I could not find anyone else who has seen this problem, so maybe
I'm doing something strange without realizing it.

The following patch restores the old functionality, though I include it
mainly for demonstration purposes.  I'm happy to improve it and
resubmit, depending on feedback.

-TimS


Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.65
diff -u -p -r1.65 parse.y
--- parse.y     24 Apr 2017 07:07:25 -0000      1.65
+++ parse.y     17 May 2017 04:58:34 -0000
@@ -1735,6 +1735,8 @@ set_policy_auth_method(const char *peeri
        method = IKEV2_AUTH_NONE;
        cert_type = IKEV2_CERT_NONE;

+       ikeauth = &pol->pol_auth;
+
        if (key != NULL) {
                /* infer policy from key type */
                if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) {
@@ -1767,14 +1769,16 @@ set_policy_auth_method(const char *peeri

                if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE)
                        return (-1);
+       } else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG) {
+               /* default to IKEV2_CERT_X509_CERT otherwise */
+               method = IKEV2_AUTH_RSA_SIG;
+               cert_type = IKEV2_CERT_X509_CERT;
        } else {
                /* default to IKEV2_CERT_X509_CERT otherwise */
                method = IKEV2_AUTH_SIG;
                cert_type = IKEV2_CERT_X509_CERT;
        }

-       ikeauth = &pol->pol_auth;
-
        if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) {
                if (key != NULL &&
                    method != IKEV2_AUTH_RSA_SIG)
@@ -1784,6 +1788,7 @@ set_policy_auth_method(const char *peeri

        if (ikeauth->auth_method != IKEV2_AUTH_NONE &&
            ikeauth->auth_method != IKEV2_AUTH_SIG_ANY &&
+           ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&
            ikeauth->auth_method != method)
                goto mismatch;

Reply via email to