Re: Reenable ASN1_DN IDs with certificates in iked
Tim Stewart writes:

> A sample configuration:
>
> ikev2 "win10host" passive esp \
> from 0.0.0.0/0 to 10.1.1.51 \
> local any peer any \
> ikesa auth hmac-sha2-384 enc aes-256 prf hmac-sha2-384 group modp2048 \
> childsa enc aes-256-gcm group modp2048 \
> srcid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=foo.stoo.org" \
> dstid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=bar.stoo.org" \
> rsa \
> config address 10.1.1.51 \
> config name-server 10.1.1.5 \
> config name-server 10.1.1.6 \
> tag "$name-$id"
>
> The above configuration worked fine with iked in OpenBSD 6.0. It broke
> as of 6.1 with the following error:
>
> set_policy_auth_method: ikeauth policy mismatch, rsa specified, but only
> rfc7427 possible
> set_policy: failed to set policy auth method for
> /etc/iked.conf: 17: create_ike failed
> /etc/iked.conf: no valid configuration rules found
>
> I use a CA certificate and signed host certificates generated using a
> process like the EXAMPLES section in ikectl(8). I'm a bit surprised
> that I could not find anyone else who has seen this problem, so maybe
> I'm doing something strange without realizing it.

Is there any more information that I can provide about this issue, or possibly suggestions for changes to the patch? Some guidance would help me as I am new to this code.

Perhaps this should be moved to bugs? (I posted to tech because I had a patch.)

Thanks,

-TimS

--
Tim Stewart
---
Mail: t...@stoo.org
Matrix: @tim:stoo.org
Re: Reenable ASN1_DN IDs with certificates in iked
Here is a version of the previous patch that preserves tabs properly. Apologies.

-TimS

Index: parse.y === RCS file: /cvs/src/sbin/iked/parse.y,v retrieving revision 1.65 diff -u -p -r1.65 parse.y --- parse.y 24 Apr 2017 07:07:25 - 1.65 +++ parse.y 17 May 2017 05:40:39 - @@ -1735,6 +1735,8 @@ set_policy_auth_method(const char *peeri method = IKEV2_AUTH_NONE; cert_type = IKEV2_CERT_NONE; + ikeauth = >pol_auth; + if (key != NULL) { /* infer policy from key type */ if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) { @@ -1767,14 +1769,16 @@ set_policy_auth_method(const char *peeri if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE) return (-1); + } else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG) { + /* default to IKEV2_CERT_X509_CERT otherwise */ + method = IKEV2_AUTH_RSA_SIG; + cert_type = IKEV2_CERT_X509_CERT; } else { /* default to IKEV2_CERT_X509_CERT otherwise */ method = IKEV2_AUTH_SIG; cert_type = IKEV2_CERT_X509_CERT; } - ikeauth = >pol_auth; - if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) { if (key != NULL && method != IKEV2_AUTH_RSA_SIG) @@ -1784,6 +1788,7 @@ set_policy_auth_method(const char *peeri if (ikeauth->auth_method != IKEV2_AUTH_NONE && ikeauth->auth_method != IKEV2_AUTH_SIG_ANY && + ikeauth->auth_method != IKEV2_AUTH_RSA_SIG && ikeauth->auth_method != method) goto mismatch;
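Review bot: the `ikeauth` assignment moved up in the @@ -1735 hunk is a prerequisite, not a cosmetic move: the new `else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG)` branch added later in the function reads `ikeauth` before the spot where it used to be assigned, so without this hoist the branch would dereference an unset pointer. That dependency is not obvious from the diff alone; a sentence in the commit message saying the assignment has to precede the key-inference block would save the next reader a trip through the function.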
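Review bot: the comment on the new `else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG)` branch in the @@ -1767 hunk is copied verbatim from the fallback branch (`/* default to IKEV2_CERT_X509_CERT otherwise */`) and no longer describes what the code does: this branch is not the default, it is the case where the policy explicitly asked for `rsa`. Suggest replacing it with something like `/* policy explicitly requests RSA signatures; use an X.509 cert */` so the two branches can be told apart at a glance.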
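Review bot: the extra `ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&` clause in the @@ -1784 hunk looks redundant for the case the patch fixes and too permissive for the others. With the new `else if` branch in the @@ -1767 hunk, a policy that says `rsa` and supplies no key already ends up with `method == IKEV2_AUTH_RSA_SIG`, so `ikeauth->auth_method != method` is false and no mismatch is reported without this clause. When a key is supplied, the unchanged line `if (key != NULL && method != IKEV2_AUTH_RSA_SIG)` shows the inferred method can legitimately differ from RSA_SIG; with this clause an `rsa` policy whose key infers a different method would skip the mismatch check entirely and load with an auth method the key cannot satisfy. Suggest dropping this one-line hunk and letting the existing strict comparison catch that disagreement at configuration load.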
Reenable ASN1_DN IDs with certificates in iked
A sample configuration:

ikev2 "win10host" passive esp \
from 0.0.0.0/0 to 10.1.1.51 \
local any peer any \
ikesa auth hmac-sha2-384 enc aes-256 prf hmac-sha2-384 group modp2048 \
childsa enc aes-256-gcm group modp2048 \
srcid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=foo.stoo.org" \
dstid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=bar.stoo.org" \
rsa \
config address 10.1.1.51 \
config name-server 10.1.1.5 \
config name-server 10.1.1.6 \
tag "$name-$id"

The above configuration worked fine with iked in OpenBSD 6.0. It broke as of 6.1 with the following error:

set_policy_auth_method: ikeauth policy mismatch, rsa specified, but only rfc7427 possible
set_policy: failed to set policy auth method for
/etc/iked.conf: 17: create_ike failed
/etc/iked.conf: no valid configuration rules found

I use a CA certificate and signed host certificates generated using a process like the EXAMPLES section in ikectl(8). I'm a bit surprised that I could not find anyone else who has seen this problem, so maybe I'm doing something strange without realizing it.

The following patch restores the old functionality, though I include it mainly for demonstration purposes. I'm happy to improve it and resubmit, depending on feedback.

-TimS

Index: parse.y === RCS file: /cvs/src/sbin/iked/parse.y,v retrieving revision 1.65 diff -u -p -r1.65 parse.y --- parse.y 24 Apr 2017 07:07:25 - 1.65 +++ parse.y 17 May 2017 04:58:34 - @@ -1735,6 +1735,8 @@ set_policy_auth_method(const char *peeri method = IKEV2_AUTH_NONE; cert_type = IKEV2_CERT_NONE; + ikeauth = >pol_auth; + if (key != NULL) { /* infer policy from key type */ if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) { 
@@ -1767,14 +1769,16 @@ set_policy_auth_method(const char *peeri if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE) return (-1); + } else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG) { + /* default to IKEV2_CERT_X509_CERT otherwise */ + method = IKEV2_AUTH_RSA_SIG; + cert_type = IKEV2_CERT_X509_CERT; } else { /* default to IKEV2_CERT_X509_CERT otherwise */ method = IKEV2_AUTH_SIG; cert_type = IKEV2_CERT_X509_CERT; } - ikeauth = >pol_auth; - if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) { if (key != NULL && method != IKEV2_AUTH_RSA_SIG) @@ -1784,6 +1788,7 @@ set_policy_auth_method(const char *peeri if (ikeauth->auth_method != IKEV2_AUTH_NONE && ikeauth->auth_method != IKEV2_AUTH_SIG_ANY && + ikeauth->auth_method != IKEV2_AUTH_RSA_SIG && ikeauth->auth_method != method) goto mismatch;