Re: Reenable ASN1_DN IDs with certificates in iked

2017-06-04 Thread Tim Stewart
Tim Stewart  writes:

> A sample configuration:
>
> ikev2 "win10host" passive esp \
>   from 0.0.0.0/0 to 10.1.1.51 \
>   local any peer any \
>   ikesa auth hmac-sha2-384 enc aes-256 prf hmac-sha2-384 group modp2048 \
>   childsa enc aes-256-gcm group modp2048 \
>   srcid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=foo.stoo.org" \
>   dstid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=bar.stoo.org" \
>   rsa \
>   config address 10.1.1.51 \
>   config name-server 10.1.1.5 \
>   config name-server 10.1.1.6 \
>   tag "$name-$id"
>
> The above configuration worked fine with iked in OpenBSD 6.0.  It broke
> as of 6.1 with the following error:
>
> set_policy_auth_method: ikeauth policy mismatch, rsa specified, but only rfc7427 possible
> set_policy: failed to set policy auth method for
> /etc/iked.conf: 17: create_ike failed
> /etc/iked.conf: no valid configuration rules found
>
> I use a CA certificate and signed host certificates generated using a
> process like the EXAMPLES section in ikectl(8).  I'm a bit surprised
> that I could not find anyone else who has seen this problem, so maybe
> I'm doing something strange without realizing it.

Is there any more information that I can provide about this issue, or
possibly suggestions for changes to the patch?  Some guidance would help
me as I am new to this code.

Perhaps this should be moved to bugs?  (I posted to tech because I had a
patch).

Thanks,

-TimS

--
Tim Stewart
---
Mail:   t...@stoo.org
Matrix: @tim:stoo.org



Re: Reenable ASN1_DN IDs with certificates in iked

2017-05-16 Thread Tim Stewart
Here is a version of the previous patch that preserves tabs properly.
Apologies.

-TimS


Index: parse.y
===
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.65
diff -u -p -r1.65 parse.y
--- parse.y 24 Apr 2017 07:07:25 -  1.65
+++ parse.y 17 May 2017 05:40:39 -
@@ -1735,6 +1735,8 @@ set_policy_auth_method(const char *peeri
method = IKEV2_AUTH_NONE;
cert_type = IKEV2_CERT_NONE;

+   ikeauth = >pol_auth;
+
if (key != NULL) {
/* infer policy from key type */
if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) {
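Review bot: the hoisted line `ikeauth = >pol_auth;` has no left operand before `>` as it appears here, so the patch as posted will not compile; check the full pointer expression against the tree before applying. Moving the assignment above the `if (key != NULL)` block is otherwise correct and required, since the new `else if` branch further down reads `ikeauth->auth_method` before the old assignment point, and the copy removed later in the function is the identical statement, so the only change is ordering.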
@@ -1767,14 +1769,16 @@ set_policy_auth_method(const char *peeri

if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE)
return (-1);
+   } else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG) {
+   /* default to IKEV2_CERT_X509_CERT otherwise */
+   method = IKEV2_AUTH_RSA_SIG;
+   cert_type = IKEV2_CERT_X509_CERT;
} else {
/* default to IKEV2_CERT_X509_CERT otherwise */
method = IKEV2_AUTH_SIG;
cert_type = IKEV2_CERT_X509_CERT;
}

-   ikeauth = >pol_auth;
-
if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) {
if (key != NULL &&
method != IKEV2_AUTH_RSA_SIG)
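Review bot: the new `} else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG)` branch is only reached when `key == NULL`, because it hangs off the `if (key != NULL)` block whose `return (-1)` is the context just above it; when a key is loaded the inferred method still wins, and the `rsa` keyword is honoured only through the relaxed check in the last hunk, which is worth stating in the commit message. The comment `/* default to IKEV2_CERT_X509_CERT otherwise */` is copied verbatim from the existing `else` branch and is misleading on a branch that is not the default; something like "rsa configured explicitly and no key loaded: keep RSA_SIG with an X.509 cert" would describe what the branch does.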
@@ -1784,6 +1788,7 @@ set_policy_auth_method(const char *peeri

if (ikeauth->auth_method != IKEV2_AUTH_NONE &&
ikeauth->auth_method != IKEV2_AUTH_SIG_ANY &&
+   ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&
ikeauth->auth_method != method)
goto mismatch;
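Review bot: adding `ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&` to the mismatch condition exempts `rsa` from the comparison unconditionally, so whenever `rsa` is configured any inferred `method` passes and the "rsa specified, but only ... possible" diagnostic can never fire for it. That does restore the pre-6.1 behaviour, but it also accepts `rsa` alongside a loaded key that the inference step classified as something other than RSA. Narrow the exemption to the case the report actually needs, i.e. `rsa` configured while inference produced `IKEV2_AUTH_SIG` from an RSA key, rather than skipping the check for `rsa` entirely.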



Reenable ASN1_DN IDs with certificates in iked

2017-05-16 Thread Tim Stewart
A sample configuration:

ikev2 "win10host" passive esp \
  from 0.0.0.0/0 to 10.1.1.51 \
  local any peer any \
  ikesa auth hmac-sha2-384 enc aes-256 prf hmac-sha2-384 group modp2048 \
  childsa enc aes-256-gcm group modp2048 \
  srcid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=foo.stoo.org" \
  dstid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=bar.stoo.org" \
  rsa \
  config address 10.1.1.51 \
  config name-server 10.1.1.5 \
  config name-server 10.1.1.6 \
  tag "$name-$id"

The above configuration worked fine with iked in OpenBSD 6.0.  It broke
as of 6.1 with the following error:

set_policy_auth_method: ikeauth policy mismatch, rsa specified, but only rfc7427 possible
set_policy: failed to set policy auth method for
/etc/iked.conf: 17: create_ike failed
/etc/iked.conf: no valid configuration rules found

I use a CA certificate and signed host certificates generated using a
process like the EXAMPLES section in ikectl(8).  I'm a bit surprised
that I could not find anyone else who has seen this problem, so maybe
I'm doing something strange without realizing it.

The following patch restores the old functionality, though I include it
mainly for demonstration purposes.  I'm happy to improve it and
resubmit, depending on feedback.

-TimS


Index: parse.y
===
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.65
diff -u -p -r1.65 parse.y
--- parse.y 24 Apr 2017 07:07:25 -  1.65
+++ parse.y 17 May 2017 04:58:34 -
@@ -1735,6 +1735,8 @@ set_policy_auth_method(const char *peeri
method = IKEV2_AUTH_NONE;
cert_type = IKEV2_CERT_NONE;

+   ikeauth = >pol_auth;
+
if (key != NULL) {
/* infer policy from key type */
if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) {
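Review bot: the added assignment `ikeauth = >pol_auth;` is missing its left operand in this posting, so the hunk cannot be applied as-is; please resend with the expression intact and with the original tab indentation, since the `+` lines here are indented differently from the surrounding context lines. Relocating the assignment itself is harmless: it has no side effects and the later removal is the same statement.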
@@ -1767,14 +1769,16 @@ set_policy_auth_method(const char *peeri

if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE)
return (-1);
+   } else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG) {
+   /* default to IKEV2_CERT_X509_CERT otherwise */
+   method = IKEV2_AUTH_RSA_SIG;
+   cert_type = IKEV2_CERT_X509_CERT;
} else {
/* default to IKEV2_CERT_X509_CERT otherwise */
method = IKEV2_AUTH_SIG;
cert_type = IKEV2_CERT_X509_CERT;
}

-   ikeauth = >pol_auth;
-
if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) {
if (key != NULL &&
method != IKEV2_AUTH_RSA_SIG)
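Review bot: the comment on the new `else if` branch, `/* default to IKEV2_CERT_X509_CERT otherwise */`, duplicates the comment of the `else` branch directly below it and should say what is specific to this branch, namely that `rsa` was configured explicitly and `method` is set to `IKEV2_AUTH_RSA_SIG` instead of `IKEV2_AUTH_SIG`. Note also that both branches set `cert_type = IKEV2_CERT_X509_CERT`, so the only difference is the method; a single branch with a conditional on `method` would avoid the duplicated assignments.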
@@ -1784,6 +1788,7 @@ set_policy_auth_method(const char *peeri

if (ikeauth->auth_method != IKEV2_AUTH_NONE &&
ikeauth->auth_method != IKEV2_AUTH_SIG_ANY &&
+   ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&
ikeauth->auth_method != method)
goto mismatch;
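Review bot: the new `ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&` clause sits right beside the existing `IKEV2_AUTH_SIG_ANY` exemption and makes `rsa` behave like it for this check, i.e. any inferred method is accepted. If that is the intent, the difference between the two keywords in iked.conf needs documenting; if not, the exemption should be limited to the `IKEV2_AUTH_SIG` versus `IKEV2_AUTH_RSA_SIG` case rather than dropping the comparison for `rsa` altogether.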