From: Tobias Brunner Date: Mon, 12 Aug 2019 15:02:39 +0000 (+0200) Subject: proposal: Add an option to whitelist specific algorithm keywords X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fproposal-keywords-whitelist;p=thirdparty%2Fstrongswan.git proposal: Add an option to whitelist specific algorithm keywords So custom proposals with other keywords are rejected (e.g. if it's known that only specific algorithms will be available due to the plugin configuration). --- diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 21f6e08333..a5daaf155d 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -296,6 +296,10 @@ charon.processor.priority_threads {} Section to configure the number of reserved threads per priority class see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5). +charon.proposal_whitelist = + Comma separated list of proposal keywords that are accepted in + configurations (doesn't affect the algorithms in the default proposal). + charon.receive_delay = 0 Delay in ms for receiving packets, to simulate larger RTT. diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c index e83e188297..cee515bc89 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords.c +++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2019 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -39,6 +39,7 @@ #include "proposal_keywords_static.h" #include +#include #include typedef struct private_proposal_keywords_t private_proposal_keywords_t; @@ -46,22 +47,27 @@ typedef struct private_proposal_keywords_t private_proposal_keywords_t; struct private_proposal_keywords_t { /** - * public interface + * Public interface. */ proposal_keywords_t public; /** - * registered tokens, as proposal_token_t + * Registered tokens, as proposal_token_t. */ linked_list_t * tokens; /** - * registered algname parsers, as proposal_algname_parser_t + * Registered algname parsers, as proposal_algname_parser_t. */ linked_list_t *parsers; /** - * rwlock to lock access to modules + * Whitelisted algorithm tokens. + */ + hashtable_t *whitelist; + + /** + * Lock for safe access to containers. */ rwlock_t *lock; }; @@ -120,6 +126,11 @@ METHOD(proposal_keywords_t, get_token, const proposal_token_t*, { const proposal_token_t *token; + if (this->whitelist && !this->whitelist->get(this->whitelist, str)) + { + return NULL; + } + token = proposal_get_token_static(str, strlen(str)); if (!token) { @@ -163,6 +174,7 @@ METHOD(proposal_keywords_t, destroy, void, { proposal_token_t *token; + DESTROY_FUNCTION_IF(this->whitelist, (void*)free); while (this->tokens->remove_first(this->tokens, (void**)&token) == SUCCESS) { free(token->name); @@ -180,6 +192,8 @@ METHOD(proposal_keywords_t, destroy, void, proposal_keywords_t *proposal_keywords_create() { private_proposal_keywords_t *this; + enumerator_t *enumerator; + char *whitelist, *token; INIT(this, .public = { @@ -193,5 +207,20 @@ proposal_keywords_t *proposal_keywords_create() .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ); + whitelist = lib->settings->get_str(lib->settings, "%s.proposal_whitelist", + NULL, lib->ns); + if (whitelist) + { + this->whitelist = hashtable_create(hashtable_hash_str, + hashtable_equals_str, 16); + enumerator = enumerator_create_token(whitelist, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + token = strdup(token); + this->whitelist->put(this->whitelist, token, token); + } + enumerator->destroy(enumerator); + } + return &this->public; }