child-cfg: Strip DH groups from both compared proposals

This fixes two issues, one is a bug if a DH group is configured for the local ESP proposals and charon.prefer_configured_proposals is disabled. This would cause the DH groups to get stripped not from the configured but from the supplied proposal, which usually already has them stripped. So the proposals wouldn't match. We'd have to always strip them from the local proposal. Since there are apparently implementations that, incorrectly, don't remove the DH groups in the IKE_AUTH exchange (e.g. WatchGuard XTM25 appliances) we just strip them from both proposals. It's a bit more lenient that way and we don't have to complicate the code to only clone and strip the local proposal, which would depend on a flag. References #2503.
2018-01-22 14:33:40 +01:00 · 2018-01-22 14:33:40 +01:00 · d058fd3c32
parent 007a2701bb
commit d058fd3c32
1 changed files with 7 additions and 1 deletions
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@ -224,6 +224,10 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
 	while (prefer_enum->enumerate(prefer_enum, &proposal))
 	{
 		proposal = proposal->clone(proposal);
+		if (strip_dh)
+		{
+			proposal->strip_dh(proposal, MODP_NONE);
+		}
 		if (prefer_self)
 		{
 			proposals->reset_enumerator(proposals, match_enum);
@ -234,11 +238,13 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
 		}
 		while (match_enum->enumerate(match_enum, &match))
 		{
+			match = match->clone(match);
 			if (strip_dh)
 			{
-				proposal->strip_dh(proposal, MODP_NONE);
+				match->strip_dh(match, MODP_NONE);
 			}
 			selected = proposal->select(proposal, match, prefer_self, private);
+			match->destroy(match);
 			if (selected)
 			{
 				DBG2(DBG_CFG, "received proposals: %#P", proposals);