ikev2: Add option to disable following redirects as client
authorTobias Brunner <tobias@strongswan.org>
Mon, 20 Apr 2015 15:36:45 +0000 (17:36 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 4 Mar 2016 15:02:58 +0000 (16:02 +0100)
conf/options/charon.opt
src/libcharon/sa/ike_sa.c
src/libcharon/sa/ikev2/tasks/ike_init.c

index 3820036..86279ec 100644 (file)
@@ -97,6 +97,9 @@ charon.flush_auth_cfg = no
        this might conflict with plugins that later need access to e.g. the used
        certificates.
 
+charon.follow_redirects = yes
+       Whether to follow IKEv2 redirects (RFC 5685).
+
 charon.fragment_size = 0
        Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
        when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
index 864e8c0..cb941af 100644 (file)
@@ -282,6 +282,11 @@ struct private_ike_sa_t {
         * Maximum length of a single fragment, 0 for address-specific defaults
         */
        size_t fragment_size;
+
+       /**
+        * Whether to follow IKEv2 redirects
+        */
+       bool follow_redirects;
 };
 
 /**
@@ -1958,6 +1963,11 @@ METHOD(ike_sa_t, handle_redirect, bool,
        host_t *other;
 
        DBG1(DBG_IKE, "redirected to %Y", gateway);
+       if (!this->follow_redirects)
+       {
+               DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
+               return FALSE;
+       }
 
        snprintf(gw, sizeof(gw), "%Y", gateway);
        gw[sizeof(gw)-1] = '\0';
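Review bot: The new guard sits after the unconditional `DBG1(DBG_IKE, "redirected to %Y", gateway);` on the line above it, so a refused REDIRECT is still logged as if the client had been redirected, which is misleading when reading logs for a deployment that deliberately disabled the feature. Move the check in front of that log line and make the refusal message self-contained, e.g. `if (!this->follow_redirects) { DBG1(DBG_IKE, "ignoring REDIRECT to %Y, following redirects is disabled", gateway); return FALSE; }`. Since build_payloads only sends REDIRECT_SUPPORTED when follow_redirects is set, a peer that sends REDIRECT anyway is violating RFC 5685, and it would be worth saying so in the message rather than "even though we disabled it", which reads as if the peer could know our configuration. What the caller does with the FALSE return is not visible here, so I cannot tell whether the exchange is then aborted or continued; handle_redirect continues past the end of this hunk.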
@@ -2640,6 +2650,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
                                                                "%s.flush_auth_cfg", FALSE, lib->ns),
                .fragment_size = lib->settings->get_int(lib->settings,
                                                                "%s.fragment_size", 0, lib->ns),
+               .follow_redirects = lib->settings->get_bool(lib->settings,
+                                                               "%s.follow_redirects", TRUE, lib->ns),
        );
 
        if (version == IKEV2)
index 71bd82c..42be118 100644 (file)
@@ -118,6 +118,11 @@ struct private_ike_init_t {
         * Whether to use Signature Authentication as per RFC 7427
         */
        bool signature_authentication;
+
+       /**
+        * Whether to follow IKEv2 redirects as per RFC 5685
+        */
+       bool follow_redirects;
 };
 
 /**
@@ -325,7 +330,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
                }
        }
        /* notify other peer if we support redirection */
-       if (!this->old_sa && this->initiator)
+       if (!this->old_sa && this->initiator && this->follow_redirects)
        {
                message->add_notify(message, FALSE, REDIRECT_SUPPORTED, chunk_empty);
        }
@@ -850,6 +855,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
                .old_sa = old_sa,
                .signature_authentication = lib->settings->get_bool(lib->settings,
                                                                "%s.signature_authentication", TRUE, lib->ns),
+               .follow_redirects = lib->settings->get_bool(lib->settings,
+                                                               "%s.follow_redirects", TRUE, lib->ns),
        );
        this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
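Review bot: The same `charon.follow_redirects` setting is now read independently here and in ike_sa_create, so the ike_init task and its IKE_SA hold separate copies of the flag. If strongswan.conf is reloaded between the two reads, the task might advertise REDIRECT_SUPPORTED while the IKE_SA then refuses the redirect (or the reverse), and the two copies could only disagree silently; I cannot confirm from this hunk whether such a reload window exists in practice. A single source of truth would be safer, e.g. having ike_init query the IKE_SA for the flag instead of reading `lib->settings` a second time, or at least a comment on this initializer such as `/* must match the value read in ike_sa_create() */`. ike_init_create continues past the end of this hunk.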