From: Tobias Brunner Date: Wed, 4 Sep 2019 09:25:12 +0000 (+0200) Subject: proposal: Handle skipping DH groups directly in select() and matches() X-Git-Tag: 5.8.2dr2~19^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a406bc60c5e2ebd363268a345b206519a483b476;p=thirdparty%2Fstrongswan.git proposal: Handle skipping DH groups directly in select() and matches() Also renames the flag. --- diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index 02a65b6435..0dc8a742a6 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -253,11 +253,6 @@ METHOD(child_cfg_t, select_proposal, proposal_t*, while (prefer_enum->enumerate(prefer_enum, &proposal)) { - proposal = proposal->clone(proposal); - if (flags & PROPOSAL_STRIP_DH) - { - proposal->strip_dh(proposal, MODP_NONE); - } if (flags & PROPOSAL_PREFER_CONFIGURED) { proposals->reset_enumerator(proposals, match_enum); @@ -268,13 +263,7 @@ METHOD(child_cfg_t, select_proposal, proposal_t*, } while (match_enum->enumerate(match_enum, &match)) { - match = match->clone(match); - if (flags & PROPOSAL_STRIP_DH) - { - match->strip_dh(match, MODP_NONE); - } selected = proposal->select(proposal, match, flags); - match->destroy(match); if (selected) { DBG2(DBG_CFG, "received proposals: %#P", proposals); @@ -283,7 +272,6 @@ METHOD(child_cfg_t, select_proposal, proposal_t*, break; } } - proposal->destroy(proposal); if (selected) { break; diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index a90e29237b..ace796970f 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -562,7 +562,7 @@ static status_t select_and_install(private_child_create_t *this, if (no_dh) { - flags |= PROPOSAL_STRIP_DH; + flags |= PROPOSAL_SKIP_DH; } if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)) { diff --git a/src/libstrongswan/crypto/proposal/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c index 4772078b84..807ddd083f 100644 --- a/src/libstrongswan/crypto/proposal/proposal.c +++ b/src/libstrongswan/crypto/proposal/proposal.c @@ -434,6 +434,10 @@ static bool select_algos(private_proposal_t *this, proposal_t *other, { continue; } + if (type == DIFFIE_HELLMAN_GROUP && (flags & PROPOSAL_SKIP_DH)) + { + continue; + } if (select_algo(this, other, type, flags, selected != NULL, &alg, &ks)) { if (alg == 0 && type != EXTENDED_SEQUENCE_NUMBERS) diff --git a/src/libstrongswan/crypto/proposal/proposal.h b/src/libstrongswan/crypto/proposal/proposal.h index a951dd1362..edf22d585c 100644 --- a/src/libstrongswan/crypto/proposal/proposal.h +++ b/src/libstrongswan/crypto/proposal/proposal.h @@ -60,8 +60,8 @@ enum proposal_selection_flag_t { PROPOSAL_ALLOW_PRIVATE = (1<<0), /** Whether to prefer configured or supplied proposals. */ PROPOSAL_PREFER_CONFIGURED = (1<<1), - /** Whether to strip out diffie hellman groups */ - PROPOSAL_STRIP_DH = (1<<2), + /** Whether to skip and ignore diffie hellman groups. */ + PROPOSAL_SKIP_DH = (1<<2), }; /** diff --git a/src/libstrongswan/tests/suites/test_proposal.c b/src/libstrongswan/tests/suites/test_proposal.c index 788b51e31d..49014344f5 100644 --- a/src/libstrongswan/tests/suites/test_proposal.c +++ b/src/libstrongswan/tests/suites/test_proposal.c @@ -88,6 +88,7 @@ static struct { char *self; char *other; char *expected; + proposal_selection_flag_t flags; } select_data[] = { { PROTO_ESP, "aes128", "aes128", "aes128" }, { PROTO_ESP, "aes128", "aes256", NULL }, @@ -96,7 +97,11 @@ static struct { { PROTO_ESP, "aes128-aes256-sha1-sha256", "aes256-aes128-sha256-sha1", "aes128-sha1" }, { PROTO_ESP, "aes256-aes128-sha256-sha1", "aes128-aes256-sha1-sha256", "aes256-sha256" }, { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256", NULL }, + { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256", "aes128-sha256", PROPOSAL_SKIP_DH }, { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072", NULL }, + { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072", "aes128-sha256", PROPOSAL_SKIP_DH }, + { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-modp3072", "aes128-sha256", PROPOSAL_SKIP_DH }, + { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-ecp256", "aes128-sha256", PROPOSAL_SKIP_DH }, { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-modpnone", NULL }, { PROTO_ESP, "aes128-sha256-modpnone", "aes128-sha256-modp3072", NULL }, { PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256", "aes128-sha256" }, @@ -121,7 +126,8 @@ START_TEST(test_select) select_data[_i].self); other = proposal_create_from_string(select_data[_i].proto, select_data[_i].other); - selected = self->select(self, other, PROPOSAL_PREFER_CONFIGURED); + selected = self->select(self, other, + select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED); if (select_data[_i].expected) { expected = proposal_create_from_string(select_data[_i].proto, @@ -174,13 +180,21 @@ START_TEST(test_matches) select_data[_i].other); if (select_data[_i].expected) { - ck_assert(self->matches(self, other, FALSE)); - ck_assert(other->matches(other, self, FALSE)); + ck_assert(self->matches(self, other, select_data[_i].flags)); + ck_assert(other->matches(other, self, select_data[_i].flags)); + ck_assert(self->matches(self, other, + select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED)); + ck_assert(other->matches(other, self, + select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED)); } else { - ck_assert(!self->matches(self, other, FALSE)); - ck_assert(!other->matches(other, self, FALSE)); + ck_assert(!self->matches(self, other, select_data[_i].flags)); + ck_assert(!other->matches(other, self, select_data[_i].flags)); + ck_assert(!self->matches(self, other, + select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED)); + ck_assert(!other->matches(other, self, + select_data[_i].flags | PROPOSAL_PREFER_CONFIGURED)); } other->destroy(other); self->destroy(self);