Match to private use algorithms only if we know we are talking to strongSwan

8 files changed, 41 insertions, 22 deletions

diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 036a25007..350a5a99e 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -161,7 +161,8 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
  * Implementation of child_cfg_t.select_proposal.
  */
 static proposal_t* select_proposal(private_child_cfg_t*this,
-								   linked_list_t *proposals, bool strip_dh)
+								   linked_list_t *proposals, bool strip_dh,
+								   bool private)
 {
 	enumerator_t *stored_enum, *supplied_enum;
 	proposal_t *stored, *supplied, *selected = NULL;
@@ -179,7 +180,7 @@ static proposal_t* select_proposal(private_child_cfg_t*this,
 			{
 				stored->strip_dh(stored);
 			}
-			selected = stored->select(stored, supplied);
+			selected = stored->select(stored, supplied, private);
 			if (selected)
 			{
 				DBG2(DBG_CFG, "received proposals: %#P", proposals);
@@ -500,7 +501,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 	this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
 	this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
 	this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
-	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
+	this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal;
 	this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
 	this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
 	this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index b189ab4fe..f98170d69 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -130,10 +130,11 @@ struct child_cfg_t {
 	 *
 	 * @param proposals		list from from wich proposals are selected
 	 * @param strip_dh		TRUE strip out diffie hellman groups
+	 * @param private		accept algorithms from a private range
 	 * @return				selected proposal, or NULL if nothing matches
 	 */
 	proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
-								   bool strip_dh);
+								   bool strip_dh, bool private);
 
 	/**
 	 * Add a traffic selector to the config.
diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c
index c2ebf648b..2e748f511 100644
--- a/src/charon/config/ike_cfg.c
+++ b/src/charon/config/ike_cfg.c
@@ -128,7 +128,7 @@ static linked_list_t* get_proposals(private_ike_cfg_t *this)
  * Implementation of ike_cfg_t.select_proposal.
  */
 static proposal_t *select_proposal(private_ike_cfg_t *this,
-								   linked_list_t *proposals)
+								   linked_list_t *proposals, bool private)
 {
 	iterator_t *stored_iter, *supplied_iter;
 	proposal_t *stored, *supplied, *selected;
@@ -144,7 +144,7 @@ static proposal_t *select_proposal(private_ike_cfg_t *this,
 
 		while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
 		{
-			selected = stored->select(stored, supplied);
+			selected = stored->select(stored, supplied, private);
 			if (selected)
 			{
 				/* they match, return */
@@ -268,7 +268,7 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
 	this->public.get_other_addr = (char*(*)(ike_cfg_t*))get_other_addr;
 	this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal;
 	this->public.get_proposals = (linked_list_t*(*)(ike_cfg_t*))get_proposals;
-	this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*))select_proposal;
+	this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*,bool))select_proposal;
 	this->public.get_dh_group = (diffie_hellman_group_t(*)(ike_cfg_t*)) get_dh_group;
 	this->public.equals = (bool(*)(ike_cfg_t*,ike_cfg_t*)) equals;
 	this->public.get_ref = (ike_cfg_t*(*)(ike_cfg_t*))get_ref;
diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h
index 8b68af3e9..eaac321b9 100644
--- a/src/charon/config/ike_cfg.h
+++ b/src/charon/config/ike_cfg.h
@@ -77,9 +77,11 @@ struct ike_cfg_t {
 	 * Returned proposal must be destroyed after use.
 	 *
 	 * @param proposals	list of proposals to select from
+	 * @param private	accept algorithms from a private range
 	 * @return			selected proposal, or NULL if none matches.
 	 */
-	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals);
+	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
+									bool private);
 
 	/**
 	 * Should we send a certificate request in IKE_SA_INIT?
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 66a0a3bf8..6b3500b6e 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -277,8 +277,8 @@ static bool is_authenticated_encryption(u_int16_t alg)
 /**
  * Find a matching alg/keysize in two linked lists
  */
-static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
-						u_int16_t *alg, size_t *key_size)
+static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
+						bool *add, u_int16_t *alg, size_t *key_size)
 {
 	enumerator_t *e1, *e2;
 	algorithm_t *alg1, *alg2;
@@ -302,6 +302,13 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
 			if (alg1->algorithm == alg2->algorithm &&
 				alg1->key_size == alg2->key_size)
 			{
+				if (!priv && alg1->algorithm >= 1024)
+				{
+					/* accept private use algorithms only if requested */
+					DBG1(DBG_CFG, "an algorithm from private space would match, "
+						 "but peer implementation is unknown, skipped");
+					continue;
+				}
 				/* ok, we have an algorithm */
 				*alg = alg1->algorithm;
 				*key_size = alg1->key_size;
@@ -321,7 +328,8 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
 /**
  * Implements proposal_t.select.
  */
-static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t *other)
+static proposal_t *select_proposal(private_proposal_t *this,
+								private_proposal_t *other, bool private)
 {
 	proposal_t *selected;
 	u_int16_t algo;
@@ -340,7 +348,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 	selected = proposal_create(this->protocol);
 
 	/* select encryption algorithm */
-	if (select_algo(this->encryption_algos, other->encryption_algos,
+	if (select_algo(this->encryption_algos, other->encryption_algos, private,
 					&add, &algo, &key_size))
 	{
 		if (add)
@@ -359,7 +367,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 	/* select integrity algorithm */
 	if (!is_authenticated_encryption(algo))
 	{
-		if (select_algo(this->integrity_algos, other->integrity_algos,
+		if (select_algo(this->integrity_algos, other->integrity_algos, private,
 						&add, &algo, &key_size))
 		{
 			if (add)
@@ -377,7 +385,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 		}
 	}
 	/* select prf algorithm */
-	if (select_algo(this->prf_algos, other->prf_algos,
+	if (select_algo(this->prf_algos, other->prf_algos, private,
 					&add, &algo, &key_size))
 	{
 		if (add)
@@ -394,7 +402,8 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 		return NULL;
 	}
 	/* select a DH-group */
-	if (select_algo(this->dh_groups, other->dh_groups, &add, &algo, &key_size))
+	if (select_algo(this->dh_groups, other->dh_groups, private,
+					&add, &algo, &key_size))
 	{
 		if (add)
 		{
@@ -408,8 +417,8 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 			 transform_type_names, DIFFIE_HELLMAN_GROUP);
 		return NULL;
 	}
-	/* select if we use ESNs */
-	if (select_algo(this->esns, other->esns, &add, &algo, &key_size))
+	/* select if we use ESNs (has no private use space) */
+	if (select_algo(this->esns, other->esns, TRUE, &add, &algo, &key_size))
 	{
 		if (add)
 		{
@@ -730,7 +739,7 @@ proposal_t *proposal_create(protocol_id_t protocol)
 	this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
 	this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
 	this->public.strip_dh = (void(*)(proposal_t*))strip_dh;
-	this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal;
+	this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal;
 	this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
 	this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
 	this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
index d3973fb78..30f63b80d 100644
--- a/src/charon/config/proposal.h
+++ b/src/charon/config/proposal.h
@@ -134,9 +134,10 @@ struct proposal_t {
 	 * in common, a resulting proposal of this kind is created.
 	 *
 	 * @param other			proposal to compair agains
+	 * @param private		accepts algorithms allocated in a private range
 	 * @return				selected proposal, NULL if proposals don't match
 	 */
-	proposal_t *(*select) (proposal_t *this, proposal_t *other);
+	proposal_t *(*select) (proposal_t *this, proposal_t *other, bool private);
 
 	/**
 	 * Get the protocol ID of the proposal.
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index f18d381ec..6255776a2 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -261,6 +261,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
 	linked_list_t *my_ts, *other_ts;
 	host_t *me, *other, *other_vip, *my_vip;
+	bool private;
 
 	if (this->proposals == NULL)
 	{
@@ -278,8 +279,9 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
 	other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
 
-	this->proposal = this->config->select_proposal(this->config, this->proposals,
-												   no_dh);
+	private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+	this->proposal = this->config->select_proposal(this->config,
+											this->proposals, no_dh, private);
 	if (this->proposal == NULL)
 	{
 		DBG1(DBG_IKE, "no acceptable proposal found");
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
index 63c088948..5eb33b540 100644
--- a/src/charon/sa/tasks/ike_init.c
+++ b/src/charon/sa/tasks/ike_init.c
@@ -179,10 +179,13 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 			{
 				sa_payload_t *sa_payload = (sa_payload_t*)payload;
 				linked_list_t *proposal_list;
+				bool private;
 
 				proposal_list = sa_payload->get_proposals(sa_payload);
+				private = this->ike_sa->supports_extension(this->ike_sa,
+														   EXT_STRONGSWAN);
 				this->proposal = this->config->select_proposal(this->config,
-															   proposal_list);
+														proposal_list, private);
 				proposal_list->destroy_offset(proposal_list,
 											  offsetof(proposal_t, destroy));
 				break;