From: Tobias Brunner Date: Tue, 4 Oct 2016 08:58:18 +0000 (+0200) Subject: proposal: Make sure there is a PRF defined in IKE proposals X-Git-Tag: 5.5.1rc1~8^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e98414ea9c7fa15c2b8a64601fdd1bc1c7848919;p=thirdparty%2Fstrongswan.git proposal: Make sure there is a PRF defined in IKE proposals But filter PRFs from ESP proposals.
---
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 9a50365b84..83cbb58c28 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -419,6 +419,25 @@ static const struct {
 {AUTH_AES_CMAC_96, PRF_AES128_CMAC },
 };
+/**
+ * Remove all entries of the given transform type
+ */
+static void remove_transform(private_proposal_t *this, transform_type_t type)
+{
+ enumerator_t *e;
+ entry_t *entry;
+
+ e = array_create_enumerator(this->transforms);
+ while (e->enumerate(e, &entry))
+ {
+ if (entry->type == type)
+ {
+ array_remove_at(this->transforms, e);
+ }
+ }
+ e->destroy(e);
+}
+
 /**
  * Checks the proposal read from a string.
  */
@@ -432,12 +451,9 @@ static bool check_proposal(private_proposal_t *this)
 if (this->protocol == PROTO_IKE)
 {
- e = create_enumerator(this, PSEUDO_RANDOM_FUNCTION);
- if (!e->enumerate(e, &alg, &ks))
- {
- /* No explicit PRF found. We assume the same algorithm as used
- * for integrity checking */
- e->destroy(e);
+ if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL))
+ { /* No explicit PRF found. We assume the same algorithm as used
+ * for integrity checking. */
 e = create_enumerator(this, INTEGRITY_ALGORITHM);
 while (e->enumerate(e, &alg, &ks))
 {
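Review bot: `remove_transform` deletes entries while the enumerator that found them is still walking `this->transforms`, so it depends on `array_remove_at()` being defined for an in-progress enumeration; the existing MODP_NONE removal loop in check_proposal (visible as context in the third hunk, its body outside the hunks) appears to use the same array enumerator, which suggests that contract holds, but the helper's comment should say so rather than leave the next reader to rediscover it. I would extend the doc comment to `Remove all entries of the given transform type (no-op if none match; the array is not compressed here, check_proposal() calls array_compress() once at the end)` — that final `array_compress(this->transforms)` is visible as context in the last hunk. The helper is only ever passed PSEUDO_RANDOM_FUNCTION in this commit, so the generic `type` parameter is fine but currently undocumented as to why it is generic.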
@@ -451,8 +467,13 @@ static bool check_proposal(private_proposal_t *this)
 }
 }
 }
+ e->destroy(e);
+ }
+ if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL))
+ {
+ DBG1(DBG_CFG, "a PRF algorithm is mandatory in IKE proposals");
+ return FALSE;
 }
- e->destroy(e);
 /* remove MODP_NONE from IKE proposal */
 e = array_create_enumerator(this->transforms);
 while (e->enumerate(e, &entry))
@@ -463,14 +484,15 @@ static bool check_proposal(private_proposal_t *this)
 }
 }
 e->destroy(e);
- e = create_enumerator(this, DIFFIE_HELLMAN_GROUP);
- if (!e->enumerate(e, &alg, &ks))
+ if (!get_algorithm(this, DIFFIE_HELLMAN_GROUP, NULL, NULL))
 {
 DBG1(DBG_CFG, "a DH group is mandatory in IKE proposals");
- e->destroy(e);
 return FALSE;
 }
- e->destroy(e);
+ }
+ else
+ { /* remove PRFs from ESP/AH proposals */
+ remove_transform(this, PSEUDO_RANDOM_FUNCTION);
 }
 if (this->protocol == PROTO_ESP)
@@ -504,12 +526,10 @@ static bool check_proposal(private_proposal_t *this)
 if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP)
 {
- e = create_enumerator(this, EXTENDED_SEQUENCE_NUMBERS);
- if (!e->enumerate(e, NULL, NULL))
+ if (!get_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NULL, NULL))
 { /* ESN not specified, assume not supported */
 add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 }
- e->destroy(e);
 }
 array_compress(this->transforms);
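Review bot: The new rejection `DBG1(DBG_CFG, "a PRF algorithm is mandatory in IKE proposals");` is reached in two situations the operator cannot tell apart from the log: no PRF and no integrity algorithm to derive one from (presumably AEAD-only IKE proposals, which is a user-visible change since such proposals passed this check before), and an integrity algorithm that has no counterpart in the integ-to-PRF table whose tail is visible in the first hunk, as far as the fallback comment in the previous hunk suggests. Unless the derivation loop body, which sits between the previous hunk and this one, already logs the unmapped case, I would make the message actionable, e.g. `DBG1(DBG_CFG, "a PRF algorithm is mandatory in IKE proposals, specify one explicitly if no integrity algorithm is given or it has no matching PRF");`. Calling `get_algorithm()` a second time here rather than remembering the outcome of the derivation is a matter of taste; it keeps the check self-contained, which I would keep. check_proposal continues outside this hunk.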
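Review bot: The new `else` branch drops every PRF from a non-IKE proposal silently, so an administrator who put a PRF into an ESP or AH proposal string, or attached the line to the wrong proposal, gets no indication that part of the configured string was discarded. Guarding the call the way the IKE branch does, `if (get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL)) { DBG1(DBG_CFG, "ignoring PRF in ESP/AH proposal"); }` before `remove_transform(this, PSEUDO_RANDOM_FUNCTION);`, keeps the behaviour but makes the filtering visible at config load. The branch is also taken for any protocol other than PROTO_IKE, so the comment `remove PRFs from ESP/AH proposals` is narrower than the condition if other protocol ids exist; `remove PRFs from non-IKE (ESP/AH) proposals` would match the code. check_proposal continues outside this hunk.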