}
METHOD(child_cfg_t, select_proposal, proposal_t*,
- private_child_cfg_t*this, linked_list_t *proposals, bool strip_dh,
- bool private, bool prefer_self)
+ private_child_cfg_t*this, linked_list_t *proposals,
+ proposal_selection_flag_t flags)
{
enumerator_t *prefer_enum, *match_enum;
proposal_t *proposal, *match, *selected = NULL;
- if (prefer_self)
+ if (flags & PROPOSAL_PREFER_CONFIGURED)
{
prefer_enum = this->proposals->create_enumerator(this->proposals);
match_enum = proposals->create_enumerator(proposals);
while (prefer_enum->enumerate(prefer_enum, &proposal))
{
proposal = proposal->clone(proposal);
- if (strip_dh)
+ if (flags & PROPOSAL_STRIP_DH)
{
proposal->strip_dh(proposal, MODP_NONE);
}
- if (prefer_self)
+ if (flags & PROPOSAL_PREFER_CONFIGURED)
{
proposals->reset_enumerator(proposals, match_enum);
}
while (match_enum->enumerate(match_enum, &match))
{
match = match->clone(match);
- if (strip_dh)
+ if (flags & PROPOSAL_STRIP_DH)
{
match->strip_dh(match, MODP_NONE);
}
- selected = proposal->select(proposal, match, prefer_self, private);
+ selected = proposal->select(proposal, match, flags);
match->destroy(match);
if (selected)
{
* Returned propsal is newly created and must be destroyed after usage.
*
* @param proposals list from which proposals are selected
- * @param strip_dh TRUE strip out diffie hellman groups
- * @param private accept algorithms from a private range
- * @param prefer_self whether to prefer configured or supplied proposals
+ * @param flags flags to consider during proposal selection
* @return selected proposal, or NULL if nothing matches
*/
proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
- bool strip_dh, bool private,
- bool prefer_self);
+ proposal_selection_flag_t flags);
/**
* Add a traffic selector to the config.
enumerator = this->proposals->create_enumerator(this->proposals);
while (enumerator->enumerate(enumerator, &proposal))
{
- if (proposal->matches(proposal, match, private))
+ if (proposal->matches(proposal, match,
+ private ? PROPOSAL_ALLOW_PRIVATE : 0))
{
enumerator->destroy(enumerator);
return TRUE;
}
METHOD(ike_cfg_t, select_proposal, proposal_t*,
- private_ike_cfg_t *this, linked_list_t *proposals, bool private,
- bool prefer_self)
+ private_ike_cfg_t *this, linked_list_t *proposals,
+ proposal_selection_flag_t flags)
{
enumerator_t *prefer_enum, *match_enum;
proposal_t *proposal, *match, *selected = NULL;
- if (prefer_self)
+ if (flags & PROPOSAL_PREFER_CONFIGURED)
{
prefer_enum = this->proposals->create_enumerator(this->proposals);
match_enum = proposals->create_enumerator(proposals);
while (prefer_enum->enumerate(prefer_enum, (void**)&proposal))
{
- if (prefer_self)
+ if (flags & PROPOSAL_PREFER_CONFIGURED)
{
proposals->reset_enumerator(proposals, match_enum);
}
}
while (match_enum->enumerate(match_enum, (void**)&match))
{
- selected = proposal->select(proposal, match, prefer_self, private);
+ selected = proposal->select(proposal, match, flags);
if (selected)
{
DBG2(DBG_CFG, "received proposals: %#P", proposals);
* Returned proposal must be destroyed after use.
*
* @param proposals list of proposals to select from
- * @param private accept algorithms from a private range
- * @param prefer_self whether to prefer configured or supplied proposals
+ * @param flags flags to consider during proposal selection
* @return selected proposal, or NULL if none matches.
*/
proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
- bool private, bool prefer_self);
+ proposal_selection_flag_t flags);
/**
* Check if the config has a matching proposal.
id_payload_t *id_payload;
identification_t *id;
linked_list_t *list;
+ proposal_selection_flag_t flags = 0;
uint16_t group;
- bool prefer_configured;
this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
DBG0(DBG_IKE, "%H is initiating a Aggressive Mode IKE_SA",
}
list = sa_payload->get_proposals(sa_payload);
- prefer_configured = lib->settings->get_bool(lib->settings,
- "%s.prefer_configured_proposals", TRUE, lib->ns);
- this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, FALSE, prefer_configured);
+ if (lib->settings->get_bool(lib->settings,
+ "%s.prefer_configured_proposals", TRUE, lib->ns))
+ {
+ flags = PROPOSAL_PREFER_CONFIGURED;
+ }
+ this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, list,
+ flags);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
list = sa_payload->get_proposals(sa_payload);
- this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, FALSE, TRUE);
+ this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, list,
+ PROPOSAL_PREFER_CONFIGURED);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
{
linked_list_t *list;
sa_payload_t *sa_payload;
- bool private, prefer_configured;
+ proposal_selection_flag_t flags = 0;
this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA",
}
list = sa_payload->get_proposals(sa_payload);
- private = this->ike_sa->supports_extension(this->ike_sa,
- EXT_STRONGSWAN);
- prefer_configured = lib->settings->get_bool(lib->settings,
- "%s.prefer_configured_proposals", TRUE, lib->ns);
+ if (this->ike_sa->supports_extension(this->ike_sa , EXT_STRONGSWAN))
+ {
+ flags |= PROPOSAL_ALLOW_PRIVATE;
+ }
+ if (lib->settings->get_bool(lib->settings,
+ "%s.prefer_configured_proposals", TRUE, lib->ns))
+ {
+ flags |= PROPOSAL_PREFER_CONFIGURED;
+ }
this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, private, prefer_configured);
+ list, flags);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
linked_list_t *list;
sa_payload_t *sa_payload;
auth_method_t method;
+ proposal_selection_flag_t flags = PROPOSAL_PREFER_CONFIGURED;
uint32_t lifetime;
- bool private;
sa_payload = (sa_payload_t*)message->get_payload(message,
PLV1_SECURITY_ASSOCIATION);
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
list = sa_payload->get_proposals(sa_payload);
- private = this->ike_sa->supports_extension(this->ike_sa,
- EXT_STRONGSWAN);
+ if (this->ike_sa->supports_extension(this->ike_sa , EXT_STRONGSWAN))
+ {
+ flags |= PROPOSAL_ALLOW_PRIVATE;
+ }
this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, private, TRUE);
+ list, flags);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
}
}
- list = this->config->get_proposals(this->config, MODP_NONE);
+ list = this->config->get_proposals(this->config, FALSE);
if (list->get_first(list, (void**)&proposal) == SUCCESS)
{
this->proto = proposal->get_protocol(proposal);
linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL;
peer_cfg_t *peer_cfg;
uint16_t group;
- bool private, prefer_configured;
+ proposal_selection_flag_t flags = 0;
sa_payload = (sa_payload_t*)message->get_payload(message,
PLV1_SECURITY_ASSOCIATION);
DESTROY_IF(list);
list = sa_payload->get_proposals(sa_payload);
}
- private = this->ike_sa->supports_extension(this->ike_sa,
- EXT_STRONGSWAN);
- prefer_configured = lib->settings->get_bool(lib->settings,
- "%s.prefer_configured_proposals", TRUE, lib->ns);
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ {
+ flags |= PROPOSAL_ALLOW_PRIVATE;
+ }
+ if (lib->settings->get_bool(lib->settings,
+ "%s.prefer_configured_proposals", TRUE, lib->ns))
+ {
+ flags |= PROPOSAL_PREFER_CONFIGURED;
+ }
this->proposal = this->config->select_proposal(this->config, list,
- FALSE, private, prefer_configured);
+ flags);
list->destroy_offset(list, offsetof(proposal_t, destroy));
get_lifetimes(this);
{
sa_payload_t *sa_payload;
linked_list_t *list = NULL;
- bool private;
+ proposal_selection_flag_t flags = PROPOSAL_PREFER_CONFIGURED;
sa_payload = (sa_payload_t*)message->get_payload(message,
PLV1_SECURITY_ASSOCIATION);
DESTROY_IF(list);
list = sa_payload->get_proposals(sa_payload);
}
- private = this->ike_sa->supports_extension(this->ike_sa,
- EXT_STRONGSWAN);
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ {
+ flags |= PROPOSAL_ALLOW_PRIVATE;
+ }
this->proposal = this->config->select_proposal(this->config, list,
- FALSE, private, TRUE);
+ flags);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
linked_list_t *my_ts, *other_ts;
host_t *me, *other;
- bool private, prefer_configured;
+ proposal_selection_flag_t flags = 0;
if (this->proposals == NULL)
{
me = this->ike_sa->get_my_host(this->ike_sa);
other = this->ike_sa->get_other_host(this->ike_sa);
- private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
- prefer_configured = lib->settings->get_bool(lib->settings,
- "%s.prefer_configured_proposals", TRUE, lib->ns);
+ if (no_dh)
+ {
+ flags |= PROPOSAL_STRIP_DH;
+ }
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ {
+ flags |= PROPOSAL_ALLOW_PRIVATE;
+ }
+ if (lib->settings->get_bool(lib->settings, "%s.prefer_configured_proposals",
+ TRUE, lib->ns))
+ {
+ flags |= PROPOSAL_PREFER_CONFIGURED;
+ }
this->proposal = this->config->select_proposal(this->config,
- this->proposals, no_dh, private, prefer_configured);
+ this->proposals, flags);
if (this->proposal == NULL)
{
DBG1(DBG_IKE, "no acceptable proposal found");
enumerator_t *enumerator;
linked_list_t *proposal_list;
host_t *me, *other;
- bool private, prefer_configured;
+ proposal_selection_flag_t flags = 0;
ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
proposal_list = sa_payload->get_proposals(sa_payload);
- private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
- prefer_configured = lib->settings->get_bool(lib->settings,
- "%s.prefer_configured_proposals", TRUE, lib->ns);
-
- this->proposal = ike_cfg->select_proposal(ike_cfg, proposal_list, private,
- prefer_configured);
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ {
+ flags |= PROPOSAL_ALLOW_PRIVATE;
+ }
+ if (lib->settings->get_bool(lib->settings, "%s.prefer_configured_proposals",
+ TRUE, lib->ns))
+ {
+ flags |= PROPOSAL_PREFER_CONFIGURED;
+ }
+ this->proposal = ike_cfg->select_proposal(ike_cfg, proposal_list, flags);
if (!this->proposal)
{
if (!this->initiator && !this->old_sa)
DBG1(DBG_IKE, "no matching proposal found, trying alternative "
"config");
this->proposal = cfg->select_proposal(cfg, proposal_list,
- private, prefer_configured);
+ flags);
if (this->proposal)
{
alt_cfg = cfg->get_ref(cfg);
* Select a matching proposal from this and other.
*/
static bool select_algo(private_proposal_t *this, proposal_t *other,
- transform_type_t type, bool priv, bool log,
- uint16_t *alg, uint16_t *ks)
+ transform_type_t type, proposal_selection_flag_t flags,
+ bool log, uint16_t *alg, uint16_t *ks)
{
enumerator_t *e1, *e2;
uint16_t alg1, alg2, ks1, ks2;
{
if (alg1 == alg2 && ks1 == ks2)
{
- if (!priv && alg1 >= 1024)
+ if (!(flags & PROPOSAL_ALLOW_PRIVATE) && alg1 >= 1024)
{
if (log)
{
* is stored there and errors are logged.
*/
static bool select_algos(private_proposal_t *this, proposal_t *other,
- proposal_t *selected, bool private)
+ proposal_t *selected, proposal_selection_flag_t flags)
{
transform_type_t type;
array_t *types;
{
continue;
}
- if (select_algo(this, other, type, private, selected != NULL, &alg, &ks))
+ if (select_algo(this, other, type, flags, selected != NULL, &alg, &ks))
{
if (alg == 0 && type != EXTENDED_SEQUENCE_NUMBERS)
{ /* 0 is "valid" for extended sequence numbers, for other
}
METHOD(proposal_t, select_proposal, proposal_t*,
- private_proposal_t *this, proposal_t *other, bool other_remote,
- bool private)
+ private_proposal_t *this, proposal_t *other,
+ proposal_selection_flag_t flags)
{
proposal_t *selected;
return NULL;
}
- if (other_remote)
+ if (flags & PROPOSAL_PREFER_CONFIGURED)
{
selected = proposal_create(this->protocol, other->get_number(other));
selected->set_spi(selected, other->get_spi(other));
selected->set_spi(selected, this->spi);
}
- if (!select_algos(this, other, selected, private))
+ if (!select_algos(this, other, selected, flags))
{
selected->destroy(selected);
return NULL;
}
METHOD(proposal_t, matches, bool,
- private_proposal_t *this, proposal_t *other, bool private)
+ private_proposal_t *this, proposal_t *other,
+ proposal_selection_flag_t flags)
{
if (this->protocol != other->get_protocol(other))
{
return FALSE;
}
- return select_algos(this, other, NULL, private);
+ return select_algos(this, other, NULL, flags);
}
METHOD(proposal_t, get_protocol, protocol_id_t,
#define PROPOSAL_H_
typedef enum protocol_id_t protocol_id_t;
+typedef enum proposal_selection_flag_t proposal_selection_flag_t;
typedef enum extended_sequence_numbers_t extended_sequence_numbers_t;
typedef struct proposal_t proposal_t;
*/
extern enum_name_t *protocol_id_names;
+/**
+ * Flags for selecting proposals
+ */
+enum proposal_selection_flag_t {
+ /** Accept algorithms from a private range. */
+ PROPOSAL_ALLOW_PRIVATE = (1<<0),
+ /** Whether to prefer configured or supplied proposals. */
+ PROPOSAL_PREFER_CONFIGURED = (1<<1),
+ /** Whether to strip out diffie hellman groups */
+ PROPOSAL_STRIP_DH = (1<<2),
+};
+
/**
* Stores a set of algorithms used for an SA.
*
* compared. If they have at least one algorithm of each type
* in common, a resulting proposal of this kind is created.
*
+ * If the flag PROPOSAL_PREFER_CONFIGURED is set, other is expected to be
+ * the remote proposal from which to copy SPI and proposal number to the
+ * result, otherwise copy from this proposal.
+ *
* @param other proposal to compare against
- * @param other_remote whether other is the remote proposal from which to
- * copy SPI and proposal number to the result,
- * otherwise copy from this proposal
- * @param private accepts algorithms allocated in a private range
+ * @param flags flags to consider during proposal selection
* @return selected proposal, NULL if proposals don't match
*/
proposal_t *(*select)(proposal_t *this, proposal_t *other,
- bool other_remote, bool private);
+ proposal_selection_flag_t flags);
/**
* Check if the given proposal matches this proposal.
* This is similar to select, but no resulting proposal is selected.
*
* @param other proposal to compare against
- * @param private accepts algorithms allocated in a private range
+ * @param flags flags to consider during proposal selection
* @return TRUE if the proposals match
*/
- bool (*matches)(proposal_t *this, proposal_t *other, bool private);
+ bool (*matches)(proposal_t *this, proposal_t *other,
+ proposal_selection_flag_t flags);
/**
* Get the protocol ID of the proposal.
select_data[_i].self);
other = proposal_create_from_string(select_data[_i].proto,
select_data[_i].other);
- selected = self->select(self, other, TRUE, FALSE);
+ selected = self->select(self, other, PROPOSAL_PREFER_CONFIGURED);
if (select_data[_i].expected)
{
expected = proposal_create_from_string(select_data[_i].proto,
other = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072");
other->set_spi(other, 0x12345678);
- selected = self->select(self, other, TRUE, FALSE);
+ selected = self->select(self, other, PROPOSAL_PREFER_CONFIGURED);
ck_assert(selected);
ck_assert_int_eq(selected->get_spi(selected), other->get_spi(other));
selected->destroy(selected);
- selected = self->select(self, other, FALSE, FALSE);
+ selected = self->select(self, other, 0);
ck_assert(selected);
ck_assert_int_eq(selected->get_spi(selected), self->get_spi(self));
selected->destroy(selected);
other = proposal_create_from_string(PROTO_IKE, "aes128-sha256-ecp256");
other->add_algorithm(other, 242, 42, 0);
- selected = self->select(self, other, TRUE, FALSE);
+ selected = self->select(self, other, PROPOSAL_PREFER_CONFIGURED);
ck_assert(!selected);
other->destroy(other);
self->destroy(self);
other = proposal_create_from_string(PROTO_IKE, "aes128-sha256-ecp256");
other->add_algorithm(other, 242, 42, 0);
- selected = self->select(self, other, TRUE, FALSE);
+ selected = self->select(self, other, PROPOSAL_PREFER_CONFIGURED);
ck_assert(!selected);
other->destroy(other);
self->destroy(self);
other->add_algorithm(other, 242, 42, 128);
other->add_algorithm(other, 242, 1, 0);
- selected = self->select(self, other, TRUE, FALSE);
+ selected = self->select(self, other, PROPOSAL_PREFER_CONFIGURED);
ck_assert(selected);
assert_proposal_eq(selected, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/UNKNOWN_242_42_128");
selected->destroy(selected);