ike: Optionally allow private algorithms for IKE/CHILD_SAs
authorThomas Egerer <thomas.egerer@secunet.com>
Thu, 12 Sep 2019 14:58:46 +0000 (16:58 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 6 Mar 2020 10:15:15 +0000 (11:15 +0100)
Charon refuses to make use of algorithm IDs from the private space
for unknown peer implementations [1]. If you choose to ignore and violate
that section of the RFC because you *know* your peers *must* support those
private IDs, there is currently no way to disable that behavior.

With this commit a strongswan.conf option is introduced which allows to
deliberately ignore parts of section 3.12 from the standard.

[1] http://tools.ietf.org/html/rfc7296#section-3.12

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
conf/options/charon.opt
src/libcharon/sa/ikev1/tasks/main_mode.c
src/libcharon/sa/ikev1/tasks/quick_mode.c
src/libcharon/sa/ikev2/tasks/child_create.c
src/libcharon/sa/ikev2/tasks/ike_auth.c
src/libcharon/sa/ikev2/tasks/ike_init.c

index cc58afd..d9d98ef 100644 (file)
@@ -8,6 +8,10 @@ charon {}
        **charon-cmd** instead of **charon**). For many options defaults can be
        defined in the **libstrongswan** section.
 
+charon.accept_private_algs = no
+       Deliberately violate the IKE standard's requirement and allow the use of
+       private algorithm identifiers, even if the peer implementation is unknown.
+
 charon.accept_unencrypted_mainmode_messages = no
        Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
 
index eb77f5c..24b2f24 100644 (file)
@@ -386,7 +386,9 @@ METHOD(task_t, process_r, status_t,
                        }
 
                        list = sa_payload->get_proposals(sa_payload);
-                       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+                       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+                               && !lib->settings->get_bool(lib->settings,
+                                                                       "%s.accept_private_algs", FALSE, lib->ns))
                        {
                                flags |= PROPOSAL_SKIP_PRIVATE;
                        }
@@ -641,7 +643,9 @@ METHOD(task_t, process_i, status_t,
                                return send_notify(this, INVALID_PAYLOAD_TYPE);
                        }
                        list = sa_payload->get_proposals(sa_payload);
-                       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+                       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+                               && !lib->settings->get_bool(lib->settings,
+                                                                       "%s.accept_private_algs", FALSE, lib->ns))
                        {
                                flags |= PROPOSAL_SKIP_PRIVATE;
                        }
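Review bot: The `lib->settings->get_bool(lib->settings, "%s.accept_private_algs", FALSE, lib->ns)` lookup added here is repeated verbatim in the process_i hunk below and in quick_mode.c, child_create.c, ike_auth.c and ike_init.c, so the option name is spelled as a string literal six times and a typo in any one copy would silently fall back to the FALSE default with no compiler diagnostic. A single helper that answers "may this IKE_SA use private algorithm identifiers" (for example a static inline in a shared header, or a method on ike_sa_t, combining the EXT_STRONGSWAN check with the setting) would reduce every site to one line such as `if (!private_algs_allowed(this->ike_sa))` and give one place to add a debug log when the standard is deliberately deviated from. Both process_r and process_i start and end outside their hunks.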
index 89d7444..f494e48 100644 (file)
@@ -1132,7 +1132,9 @@ METHOD(task_t, process_r, status_t,
                                DESTROY_IF(list);
                                list = sa_payload->get_proposals(sa_payload);
                        }
-                       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+                       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+                               && !lib->settings->get_bool(lib->settings,
+                                                                       "%s.accept_private_algs", FALSE, lib->ns))
                        {
                                flags |= PROPOSAL_SKIP_PRIVATE;
                        }
@@ -1370,7 +1372,9 @@ METHOD(task_t, process_i, status_t,
                                DESTROY_IF(list);
                                list = sa_payload->get_proposals(sa_payload);
                        }
-                       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+                       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+                               && !lib->settings->get_bool(lib->settings,
+                                                                       "%s.accept_private_algs", FALSE, lib->ns))
                        {
                                flags |= PROPOSAL_SKIP_PRIVATE;
                        }
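Review bot: The continuation style of the new condition differs from the IKEv2 hunks of this commit: here and in main_mode.c the `&&` opens the continuation line and the third line is indented well past the condition, whereas child_create.c, ike_auth.c and ike_init.c keep the operator at the end of the line like the surrounding code. Writing the IKEv1 sites as `if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&` / `!lib->settings->get_bool(lib->settings, "%s.accept_private_algs",` / `FALSE, lib->ns))` keeps all six sites identical and greppable. process_r and process_i continue outside the hunks.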
index e98c1db..a642a76 100644 (file)
@@ -564,7 +564,9 @@ static status_t select_and_install(private_child_create_t *this,
        {
                flags |= PROPOSAL_SKIP_DH;
        }
-       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+               !lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
+                                                                FALSE, lib->ns))
        {
                flags |= PROPOSAL_SKIP_PRIVATE;
        }
index f95ec5c..6448d8b 100644 (file)
@@ -330,7 +330,9 @@ static bool load_cfg_candidates(private_ike_auth_t *this)
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        other_id = this->ike_sa->get_other_id(this->ike_sa);
        ike_proposal = this->ike_sa->get_proposal(this->ike_sa);
-       private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+       private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) ||
+                         lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
+                                                                         FALSE, lib->ns);
 
        DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
                 me, my_id, other, other_id);
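Review bot: The new `private` assignment presumably widens which peer configs qualify as candidates further down in load_cfg_candidates, but nothing at the site explains why a global setting may override a per-peer capability derived from the vendor ID. A short comment above the assignment would help the next reader, e.g. `/* private algorithm IDs are only matched for known (strongSwan) peers, unless the administrator opted in via charon.accept_private_algs */`. load_cfg_candidates continues outside the hunk, so where `private` is consumed is not visible here.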
index d15b5b1..477d2ca 100644 (file)
@@ -458,7 +458,9 @@ static void process_sa_payload(private_ike_init_t *this, message_t *message,
        ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 
        proposal_list = sa_payload->get_proposals(sa_payload);
-       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+       if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+               !lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
+                                                                FALSE, lib->ns))
        {
                flags |= PROPOSAL_SKIP_PRIVATE;
        }
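Review bot: When the setting is enabled and the peer does not advertise EXT_STRONGSWAN, PROPOSAL_SKIP_PRIVATE is simply not set and nothing records that private identifiers from an unknown implementation are now being interpreted; the same holds for the child_create.c hunk. Since this is a deliberate deviation from RFC 7296 section 3.12, a debug line in the else-path, e.g. `DBG2(DBG_IKE, "accepting private algorithm identifiers from unknown peer");`, would make the behavior visible when a negotiation is being diagnosed. process_sa_payload continues outside the hunk.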