proposal: Correctly add AES-GMAC for AH proposals
authorTobias Brunner <tobias@strongswan.org>
Tue, 4 Oct 2016 09:58:28 +0000 (11:58 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 5 Oct 2016 12:27:05 +0000 (14:27 +0200)
We parse aes*gmac as encryption algorithm, which we have to map to an
integrity algorithm.  We also make sure we remove all other encryption
algorithms and ensure there is an integrity algorithm.

src/libcharon/config/proposal.c

index 8e4a348..011c0b8 100644 (file)
@@ -529,6 +529,47 @@ static bool check_proposal(private_proposal_t *this)
                        remove_transform(this, INTEGRITY_ALGORITHM);
                }
        }
+       else
+       {       /* AES-GMAC is parsed as encryption algorithm, so we map that to the
+                * proper integrity algorithm */
+               e = array_create_enumerator(this->transforms);
+               while (e->enumerate(e, &entry))
+               {
+                       if (entry->type == ENCRYPTION_ALGORITHM)
+                       {
+                               if (entry->alg == ENCR_NULL_AUTH_AES_GMAC)
+                               {
+                                       entry->type = INTEGRITY_ALGORITHM;
+                                       ks = entry->key_size;
+                                       entry->key_size = 0;
+                                       switch (ks)
+                                       {
+                                               case 128:
+                                                       entry->alg = AUTH_AES_128_GMAC;
+                                                       continue;
+                                               case 192:
+                                                       entry->alg = AUTH_AES_192_GMAC;
+                                                       continue;
+                                               case 256:
+                                                       entry->alg = AUTH_AES_256_GMAC;
+                                                       continue;
+                                               default:
+                                                       break;
+                                       }
+                               }
+                               /* remove all other encryption algorithms */
+                               array_remove_at(this->transforms, e);
+                       }
+               }
+               e->destroy(e);
+
+               if (!get_algorithm(this, INTEGRITY_ALGORITHM, NULL, NULL))
+               {
+                       DBG1(DBG_CFG, "an integrity algorithm is mandatory in AH "
+                                "proposals");
+                       return FALSE;
+               }
+       }
 
        if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP)
        {
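Review bot: In the new `else` branch, an `ENCR_NULL_AUTH_AES_GMAC` entry whose key size is not 128, 192 or 256 reaches `default: break` and is then deleted by `array_remove_at()` without any log, as is every other encryption transform, so an AH proposal that listed ciphers is narrowed silently. AH provides no confidentiality, so the operator should be told that configured encryption algorithms were discarded; a line such as `DBG1(DBG_CFG, "ignoring encryption algorithm in AH proposal");` just before `array_remove_at(this->transforms, e);` would make that visible. It would also be less fragile to assign `entry->type = INTEGRITY_ALGORITHM;` and `entry->key_size = 0;` only after the key size has matched a case, instead of mutating the entry before the `switch` and relying on the later removal to discard it. `check_proposal` starts before this hunk, so the condition this `else` belongs to and the declarations of `e`, `entry` and `ks` are not visible here.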