proposal: Handle skipping DH groups directly in select() and matches()
authorTobias Brunner <tobias@strongswan.org>
Wed, 4 Sep 2019 09:25:12 +0000 (11:25 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 24 Oct 2019 15:33:57 +0000 (17:33 +0200)
Also renames the flag.

src/libcharon/config/child_cfg.c
src/libcharon/sa/ikev2/tasks/child_create.c
src/libstrongswan/crypto/proposal/proposal.c
src/libstrongswan/crypto/proposal/proposal.h
src/libstrongswan/tests/suites/test_proposal.c

index 02a65b64357759048d5abb22b9ead090e2653692..0dc8a742a6f6895fea5e5b4b831090c99f03711a 100644 (file)
@@ -253,11 +253,6 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
 
        while (prefer_enum->enumerate(prefer_enum, &proposal))
        {
-               proposal = proposal->clone(proposal);
-               if (flags & PROPOSAL_STRIP_DH)
-               {
-                       proposal->strip_dh(proposal, MODP_NONE);
-               }
                if (flags & PROPOSAL_PREFER_CONFIGURED)
                {
                        proposals->reset_enumerator(proposals, match_enum);
@@ -268,13 +263,7 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
                }
                while (match_enum->enumerate(match_enum, &match))
                {
-                       match = match->clone(match);
-                       if (flags & PROPOSAL_STRIP_DH)
-                       {
-                               match->strip_dh(match, MODP_NONE);
-                       }
                        selected = proposal->select(proposal, match, flags);
-                       match->destroy(match);
                        if (selected)
                        {
                                DBG2(DBG_CFG, "received proposals: %#P", proposals);
@@ -283,7 +272,6 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
                                break;
                        }
                }
-               proposal->destroy(proposal);
                if (selected)
                {
                        break;
index a90e29237bdfabc57d79f7e79f5aa5cd335b9f8c..ace796970f05dd4c4d5e0e7e790e9f6b02077c42 100644 (file)
@@ -562,7 +562,7 @@ static status_t select_and_install(private_child_create_t *this,
 
        if (no_dh)
        {
-               flags |= PROPOSAL_STRIP_DH;
+               flags |= PROPOSAL_SKIP_DH;
        }
        if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
        {
index 4772078b8491263f18c6e4ba05fc528f60f92abd..807ddd083fa0b7c3a2cd347f828b20a1d4c24767 100644 (file)
@@ -434,6 +434,10 @@ static bool select_algos(private_proposal_t *this, proposal_t *other,
                {
                        continue;
                }
+               if (type == DIFFIE_HELLMAN_GROUP && (flags & PROPOSAL_SKIP_DH))
+               {
+                       continue;
+               }
                if (select_algo(this, other, type, flags, selected != NULL, &alg, &ks))
                {
                        if (alg == 0 && type != EXTENDED_SEQUENCE_NUMBERS)
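Review bot: The new PROPOSAL_SKIP_DH check in select_algos carries no comment explaining that the skipped transform type is also left out of the result, which is exactly what the new test rows rely on (two modp3072 proposals selected with the flag are expected to yield plain aes128-sha256). Since select_algos appears to back both select() and matches() (the `selected != NULL` argument on the following line suggests matches() passes NULL), one comment here documents both paths: `/* with PROPOSAL_SKIP_DH, DH groups are neither compared nor copied into the selected proposal; callers set it only when no DH exchange is to be negotiated, see no_dh in child_create.c */`. The enum doc in proposal.h (`Whether to skip and ignore diffie hellman groups.`) would benefit from the same precision, e.g. `/** Ignore DH groups when matching; a proposal selected with this flag contains no DH group at all. */`. select_algos starts before this hunk.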
index a951dd13627b901fe2839ac15ab715ceb8f05891..edf22d585cda6c14e2c3ec83d9831c84a77d468f 100644 (file)
@@ -60,8 +60,8 @@ enum proposal_selection_flag_t {
        PROPOSAL_ALLOW_PRIVATE = (1<<0),
        /** Whether to prefer configured or supplied proposals. */
        PROPOSAL_PREFER_CONFIGURED = (1<<1),
-       /** Whether to strip out diffie hellman groups */
-       PROPOSAL_STRIP_DH = (1<<2),
+       /** Whether to skip and ignore diffie hellman groups. */
+       PROPOSAL_SKIP_DH = (1<<2),
 };
 
 /**
index 788b51e31dfa336d02af0124f17037cf80cdf9e1..49014344f557f421be28b8822bc78c52379f69ed 100644 (file)
@@ -88,6 +88,7 @@ static struct {
        char *self;
        char *other;
        char *expected;
+       proposal_selection_flag_t flags;
 } select_data[] = {
        { PROTO_ESP, "aes128", "aes128", "aes128" },
        { PROTO_ESP, "aes128", "aes256", NULL },
@@ -96,7 +97,11 @@ static struct {
        { PROTO_ESP, "aes128-aes256-sha1-sha256", "aes256-aes128-sha256-sha1", "aes128-sha1" },
        { PROTO_ESP, "aes256-aes128-sha256-sha1", "aes128-aes256-sha1-sha256", "aes256-sha256" },
        { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256", NULL },
+       { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256", "aes128-sha256", PROPOSAL_SKIP_DH },
        { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072", NULL },
+       { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072", "aes128-sha256", PROPOSAL_SKIP_DH },
+       { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-modp3072", "aes128-sha256", PROPOSAL_SKIP_DH },
+       { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-ecp256", "aes128-sha256", PROPOSAL_SKIP_DH },
        { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-modpnone", NULL },
        { PROTO_ESP, "aes128-sha256-modpnone", "aes128-sha256-modp3072", NULL },
        { PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256", "aes128-sha256" },
@@ -121,7 +126,8 @@ START_TEST(test_select)
                                                                           select_data[_i].self);
        other = proposal_create_from_string(select_data[_i].proto,
                                                                                select_data[_i].other);
-       selected = self->select(self, other, PROPOSAL_PREFER_CONFIGURED);
+       selected = self->select(self, other,
+                                                       select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED);
        if (select_data[_i].expected)
        {
                expected = proposal_create_from_string(select_data[_i].proto,
@@ -174,13 +180,21 @@ START_TEST(test_matches)
                                                                                select_data[_i].other);
        if (select_data[_i].expected)
        {
-               ck_assert(self->matches(self, other, FALSE));
-               ck_assert(other->matches(other, self, FALSE));
+               ck_assert(self->matches(self, other, select_data[_i].flags));
+               ck_assert(other->matches(other, self, select_data[_i].flags));
+               ck_assert(self->matches(self, other,
+                                 select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED));
+               ck_assert(other->matches(other, self,
+                                 select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED));
        }
        else
        {
-               ck_assert(!self->matches(self, other, FALSE));
-               ck_assert(!other->matches(other, self, FALSE));
+               ck_assert(!self->matches(self, other, select_data[_i].flags));
+               ck_assert(!other->matches(other, self, select_data[_i].flags));
+               ck_assert(!self->matches(self, other,
+                                 select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED));
+               ck_assert(!other->matches(other, self,
+                                 select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED));
        }
        other->destroy(other);
        self->destroy(self);
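Review bot: The new PROPOSAL_SKIP_DH rows in select_data cover modp3072 and ecp256 but not the modpnone rows directly below them, which are the cases where the removed strip_dh(proposal, MODP_NONE) path presumably behaved differently (its MODP_NONE argument suggests that pseudo-group was kept rather than dropped). Adding `{ PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-modpnone", "aes128-sha256", PROPOSAL_SKIP_DH },` and the mirrored row would pin down that an explicit modpnone on one side is now ignored as well, assuming that is the intended result. The pre-existing rows omit the new trailing flags member and rely on C zero-initialising it, which is correct but easy to misread; a short comment on the member such as `/* 0 (no flags) when omitted */` would make that explicit.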