* Implementation of child_cfg_t.select_proposal.
*/
static proposal_t* select_proposal(private_child_cfg_t*this,
- linked_list_t *proposals, bool strip_dh)
+ linked_list_t *proposals, bool strip_dh,
+ bool private)
{
enumerator_t *stored_enum, *supplied_enum;
proposal_t *stored, *supplied, *selected = NULL;
{
stored->strip_dh(stored);
}
- selected = stored->select(stored, supplied);
+ selected = stored->select(stored, supplied, private);
if (selected)
{
DBG2(DBG_CFG, "received proposals: %#P", proposals);
this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
- this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
+ this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal;
this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
*
* @param proposals list from from wich proposals are selected
* @param strip_dh TRUE strip out diffie hellman groups
+ * @param private accept algorithms from a private range
* @return selected proposal, or NULL if nothing matches
*/
proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
- bool strip_dh);
+ bool strip_dh, bool private);
/**
* Add a traffic selector to the config.
* Implementation of ike_cfg_t.select_proposal.
*/
static proposal_t *select_proposal(private_ike_cfg_t *this,
- linked_list_t *proposals)
+ linked_list_t *proposals, bool private)
{
iterator_t *stored_iter, *supplied_iter;
proposal_t *stored, *supplied, *selected;
while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
{
- selected = stored->select(stored, supplied);
+ selected = stored->select(stored, supplied, private);
if (selected)
{
/* they match, return */
this->public.get_other_addr = (char*(*)(ike_cfg_t*))get_other_addr;
this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal;
this->public.get_proposals = (linked_list_t*(*)(ike_cfg_t*))get_proposals;
- this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*))select_proposal;
+ this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*,bool))select_proposal;
this->public.get_dh_group = (diffie_hellman_group_t(*)(ike_cfg_t*)) get_dh_group;
this->public.equals = (bool(*)(ike_cfg_t*,ike_cfg_t*)) equals;
this->public.get_ref = (ike_cfg_t*(*)(ike_cfg_t*))get_ref;
* Returned proposal must be destroyed after use.
*
* @param proposals list of proposals to select from
+ * @param private accept algorithms from a private range
* @return selected proposal, or NULL if none matches.
*/
- proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals);
+ proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
+ bool private);
/**
* Should we send a certificate request in IKE_SA_INIT?
/**
* Find a matching alg/keysize in two linked lists
*/
-static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
- u_int16_t *alg, size_t *key_size)
+static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
+ bool *add, u_int16_t *alg, size_t *key_size)
{
enumerator_t *e1, *e2;
algorithm_t *alg1, *alg2;
if (alg1->algorithm == alg2->algorithm &&
alg1->key_size == alg2->key_size)
{
+ if (!priv && alg1->algorithm >= 1024)
+ {
+ /* accept private use algorithms only if requested */
+ DBG1(DBG_CFG, "an algorithm from private space would match, "
+ "but peer implementation is unknown, skipped");
+ continue;
+ }
/* ok, we have an algorithm */
*alg = alg1->algorithm;
*key_size = alg1->key_size;
/**
* Implements proposal_t.select.
*/
-static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t *other)
+static proposal_t *select_proposal(private_proposal_t *this,
+ private_proposal_t *other, bool private)
{
proposal_t *selected;
u_int16_t algo;
selected = proposal_create(this->protocol);
/* select encryption algorithm */
- if (select_algo(this->encryption_algos, other->encryption_algos,
+ if (select_algo(this->encryption_algos, other->encryption_algos, private,
&add, &algo, &key_size))
{
if (add)
/* select integrity algorithm */
if (!is_authenticated_encryption(algo))
{
- if (select_algo(this->integrity_algos, other->integrity_algos,
+ if (select_algo(this->integrity_algos, other->integrity_algos, private,
&add, &algo, &key_size))
{
if (add)
}
}
/* select prf algorithm */
- if (select_algo(this->prf_algos, other->prf_algos,
+ if (select_algo(this->prf_algos, other->prf_algos, private,
&add, &algo, &key_size))
{
if (add)
return NULL;
}
/* select a DH-group */
- if (select_algo(this->dh_groups, other->dh_groups, &add, &algo, &key_size))
+ if (select_algo(this->dh_groups, other->dh_groups, private,
+ &add, &algo, &key_size))
{
if (add)
{
transform_type_names, DIFFIE_HELLMAN_GROUP);
return NULL;
}
- /* select if we use ESNs */
- if (select_algo(this->esns, other->esns, &add, &algo, &key_size))
+ /* select if we use ESNs (has no private use space) */
+ if (select_algo(this->esns, other->esns, TRUE, &add, &algo, &key_size))
{
if (add)
{
this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
this->public.strip_dh = (void(*)(proposal_t*))strip_dh;
- this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal;
+ this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal;
this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
* in common, a resulting proposal of this kind is created.
*
* @param other proposal to compair agains
+ * @param private accepts algorithms allocated in a private range
* @return selected proposal, NULL if proposals don't match
*/
- proposal_t *(*select) (proposal_t *this, proposal_t *other);
+ proposal_t *(*select) (proposal_t *this, proposal_t *other, bool private);
/**
* Get the protocol ID of the proposal.
chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
linked_list_t *my_ts, *other_ts;
host_t *me, *other, *other_vip, *my_vip;
+ bool private;
if (this->proposals == NULL)
{
my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
- this->proposal = this->config->select_proposal(this->config, this->proposals,
- no_dh);
+ private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+ this->proposal = this->config->select_proposal(this->config,
+ this->proposals, no_dh, private);
if (this->proposal == NULL)
{
DBG1(DBG_IKE, "no acceptable proposal found");
{
sa_payload_t *sa_payload = (sa_payload_t*)payload;
linked_list_t *proposal_list;
+ bool private;
proposal_list = sa_payload->get_proposals(sa_payload);
+ private = this->ike_sa->supports_extension(this->ike_sa,
+ EXT_STRONGSWAN);
this->proposal = this->config->select_proposal(this->config,
- proposal_list);
+ proposal_list, private);
proposal_list->destroy_offset(proposal_list,
offsetof(proposal_t, destroy));
break;
projects / thirdparty / strongswan.git / commitdiff
