child-cfg: Strip DH groups from both compared proposals
This fixes two issues. One is a bug if a DH group is configured for the local ESP proposals and charon.prefer_configured_proposals is disabled. This would cause the DH groups to get stripped not from the configured but from the supplied proposal, which usually already has them stripped. So the proposals wouldn't match. We'd have to always strip them from the local proposal. Since there are apparently implementations that, incorrectly, don't remove the DH groups in the IKE_AUTH exchange (e.g. WatchGuard XTM25 appliances) we just strip them from both proposals. It's a bit more lenient that way and we don't have to complicate the code to only clone and strip the local proposal, which would depend on a flag. References #2503.
parent
007a2701bb
commit
d058fd3c32
@ -224,6 +224,10 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
while (prefer_enum->enumerate(prefer_enum, &proposal))
{
proposal = proposal->clone(proposal);
if (strip_dh)
{
proposal->strip_dh(proposal, MODP_NONE);
}
if (prefer_self)
{
proposals->reset_enumerator(proposals, match_enum);
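Review bot: a short comment above the new `if (strip_dh)` block would help here, because the proposal enumerated by prefer_enum is either the configured or the received one depending on prefer_self, and the `proposal->clone(proposal)` on the line before is what keeps `strip_dh` from mutating the stored configuration; right now that reasoning lives only in the commit message.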
@ -234,11 +238,13 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
}
while (match_enum->enumerate(match_enum, &match))
{
match = match->clone(match);
if (strip_dh)
{
proposal->strip_dh(proposal, MODP_NONE);
match->strip_dh(match, MODP_NONE);
}
selected = proposal->select(proposal, match, prefer_self, private);
match->destroy(match);
if (selected)
{
DBG2(DBG_CFG, "received proposals: %#P", proposals);
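Review bot: `match->destroy(match);` sitting before `if (selected)` is what prevents a leak on the `break` path inside that block, so it should stay there if this loop is reordered later. Also, `match = match->clone(match);` now allocates on every inner iteration even when strip_dh is false; if that cost matters, the clone and destroy could be confined to the `if (strip_dh)` branch, and a comment that the clone exists only because `strip_dh` modifies the proposal in place would make the intent clear to the next reader.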