Match to private use algorithms only if we know we are talking to strongSwan
authorMartin Willi <martin@strongswan.org>
Thu, 7 Jan 2010 10:07:53 +0000 (11:07 +0100)
committerMartin Willi <martin@strongswan.org>
Thu, 7 Jan 2010 10:07:53 +0000 (11:07 +0100)
src/charon/config/child_cfg.c
src/charon/config/child_cfg.h
src/charon/config/ike_cfg.c
src/charon/config/ike_cfg.h
src/charon/config/proposal.c
src/charon/config/proposal.h
src/charon/sa/tasks/child_create.c
src/charon/sa/tasks/ike_init.c

index 036a250..350a5a9 100644 (file)
@@ -161,7 +161,8 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
  * Implementation of child_cfg_t.select_proposal.
  */
 static proposal_t* select_proposal(private_child_cfg_t*this,
-                                                                  linked_list_t *proposals, bool strip_dh)
+                                                                  linked_list_t *proposals, bool strip_dh,
+                                                                  bool private)
 {
        enumerator_t *stored_enum, *supplied_enum;
        proposal_t *stored, *supplied, *selected = NULL;
@@ -179,7 +180,7 @@ static proposal_t* select_proposal(private_child_cfg_t*this,
                        {
                                stored->strip_dh(stored);
                        }
-                       selected = stored->select(stored, supplied);
+                       selected = stored->select(stored, supplied, private);
                        if (selected)
                        {
                                DBG2(DBG_CFG, "received proposals: %#P", proposals);
@@ -500,7 +501,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
        this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
        this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
        this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
-       this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
+       this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal;
        this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
        this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
        this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
index b189ab4..f98170d 100644 (file)
@@ -130,10 +130,11 @@ struct child_cfg_t {
         *
         * @param proposals             list from from wich proposals are selected
         * @param strip_dh              TRUE strip out diffie hellman groups
+        * @param private               accept algorithms from a private range
         * @return                              selected proposal, or NULL if nothing matches
         */
        proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
-                                                                  bool strip_dh);
+                                                                  bool strip_dh, bool private);
 
        /**
         * Add a traffic selector to the config.
index c2ebf64..2e748f5 100644 (file)
@@ -128,7 +128,7 @@ static linked_list_t* get_proposals(private_ike_cfg_t *this)
  * Implementation of ike_cfg_t.select_proposal.
  */
 static proposal_t *select_proposal(private_ike_cfg_t *this,
-                                                                  linked_list_t *proposals)
+                                                                  linked_list_t *proposals, bool private)
 {
        iterator_t *stored_iter, *supplied_iter;
        proposal_t *stored, *supplied, *selected;
@@ -144,7 +144,7 @@ static proposal_t *select_proposal(private_ike_cfg_t *this,
 
                while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
                {
-                       selected = stored->select(stored, supplied);
+                       selected = stored->select(stored, supplied, private);
                        if (selected)
                        {
                                /* they match, return */
@@ -268,7 +268,7 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
        this->public.get_other_addr = (char*(*)(ike_cfg_t*))get_other_addr;
        this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal;
        this->public.get_proposals = (linked_list_t*(*)(ike_cfg_t*))get_proposals;
-       this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*))select_proposal;
+       this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*,bool))select_proposal;
        this->public.get_dh_group = (diffie_hellman_group_t(*)(ike_cfg_t*)) get_dh_group;
        this->public.equals = (bool(*)(ike_cfg_t*,ike_cfg_t*)) equals;
        this->public.get_ref = (ike_cfg_t*(*)(ike_cfg_t*))get_ref;
index 8b68af3..eaac321 100644 (file)
@@ -77,9 +77,11 @@ struct ike_cfg_t {
         * Returned proposal must be destroyed after use.
         *
         * @param proposals     list of proposals to select from
+        * @param private       accept algorithms from a private range
         * @return                      selected proposal, or NULL if none matches.
         */
-       proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals);
+       proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
+                                                                       bool private);
 
        /**
         * Should we send a certificate request in IKE_SA_INIT?
index 66a0a3b..6b3500b 100644 (file)
@@ -277,8 +277,8 @@ static bool is_authenticated_encryption(u_int16_t alg)
 /**
  * Find a matching alg/keysize in two linked lists
  */
-static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
-                                               u_int16_t *alg, size_t *key_size)
+static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
+                                               bool *add, u_int16_t *alg, size_t *key_size)
 {
        enumerator_t *e1, *e2;
        algorithm_t *alg1, *alg2;
@@ -302,6 +302,13 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
                        if (alg1->algorithm == alg2->algorithm &&
                                alg1->key_size == alg2->key_size)
                        {
+                               if (!priv && alg1->algorithm >= 1024)
+                               {
+                                       /* accept private use algorithms only if requested */
+                                       DBG1(DBG_CFG, "an algorithm from private space would match, "
+                                                "but peer implementation is unknown, skipped");
+                                       continue;
+                               }
                                /* ok, we have an algorithm */
                                *alg = alg1->algorithm;
                                *key_size = alg1->key_size;
@@ -321,7 +328,8 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
 /**
  * Implements proposal_t.select.
  */
-static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t *other)
+static proposal_t *select_proposal(private_proposal_t *this,
+                                                               private_proposal_t *other, bool private)
 {
        proposal_t *selected;
        u_int16_t algo;
@@ -340,7 +348,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
        selected = proposal_create(this->protocol);
 
        /* select encryption algorithm */
-       if (select_algo(this->encryption_algos, other->encryption_algos,
+       if (select_algo(this->encryption_algos, other->encryption_algos, private,
                                        &add, &algo, &key_size))
        {
                if (add)
@@ -359,7 +367,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
        /* select integrity algorithm */
        if (!is_authenticated_encryption(algo))
        {
-               if (select_algo(this->integrity_algos, other->integrity_algos,
+               if (select_algo(this->integrity_algos, other->integrity_algos, private,
                                                &add, &algo, &key_size))
                {
                        if (add)
@@ -377,7 +385,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
                }
        }
        /* select prf algorithm */
-       if (select_algo(this->prf_algos, other->prf_algos,
+       if (select_algo(this->prf_algos, other->prf_algos, private,
                                        &add, &algo, &key_size))
        {
                if (add)
@@ -394,7 +402,8 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
                return NULL;
        }
        /* select a DH-group */
-       if (select_algo(this->dh_groups, other->dh_groups, &add, &algo, &key_size))
+       if (select_algo(this->dh_groups, other->dh_groups, private,
+                                       &add, &algo, &key_size))
        {
                if (add)
                {
@@ -408,8 +417,8 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
                         transform_type_names, DIFFIE_HELLMAN_GROUP);
                return NULL;
        }
-       /* select if we use ESNs */
-       if (select_algo(this->esns, other->esns, &add, &algo, &key_size))
+       /* select if we use ESNs (has no private use space) */
+       if (select_algo(this->esns, other->esns, TRUE, &add, &algo, &key_size))
        {
                if (add)
                {
@@ -730,7 +739,7 @@ proposal_t *proposal_create(protocol_id_t protocol)
        this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
        this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
        this->public.strip_dh = (void(*)(proposal_t*))strip_dh;
-       this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal;
+       this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal;
        this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
        this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
        this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
index d3973fb..30f63b8 100644 (file)
@@ -134,9 +134,10 @@ struct proposal_t {
         * in common, a resulting proposal of this kind is created.
         *
         * @param other                 proposal to compair agains
+        * @param private               accepts algorithms allocated in a private range
         * @return                              selected proposal, NULL if proposals don't match
         */
-       proposal_t *(*select) (proposal_t *this, proposal_t *other);
+       proposal_t *(*select) (proposal_t *this, proposal_t *other, bool private);
 
        /**
         * Get the protocol ID of the proposal.
index f18d381..6255776 100644 (file)
@@ -261,6 +261,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
        chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
        linked_list_t *my_ts, *other_ts;
        host_t *me, *other, *other_vip, *my_vip;
+       bool private;
 
        if (this->proposals == NULL)
        {
@@ -278,8 +279,9 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
        my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
        other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
 
-       this->proposal = this->config->select_proposal(this->config, this->proposals,
-                                                                                                  no_dh);
+       private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+       this->proposal = this->config->select_proposal(this->config,
+                                                                                       this->proposals, no_dh, private);
        if (this->proposal == NULL)
        {
                DBG1(DBG_IKE, "no acceptable proposal found");
index 63c0889..5eb33b5 100644 (file)
@@ -179,10 +179,13 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                        {
                                sa_payload_t *sa_payload = (sa_payload_t*)payload;
                                linked_list_t *proposal_list;
+                               bool private;
 
                                proposal_list = sa_payload->get_proposals(sa_payload);
+                               private = this->ike_sa->supports_extension(this->ike_sa,
+                                                                                                                  EXT_STRONGSWAN);
                                this->proposal = this->config->select_proposal(this->config,
-                                                                                                                          proposal_list);
+                                                                                                               proposal_list, private);
                                proposal_list->destroy_offset(proposal_list,
                                                                                          offsetof(proposal_t, destroy));
                                break;