Require a scary option to respond to Aggressive Mode PSK requests
authorMartin Willi <martin@revosec.ch>
Wed, 13 Jun 2012 07:32:28 +0000 (09:32 +0200)
committerMartin Willi <martin@revosec.ch>
Thu, 14 Jun 2012 08:25:48 +0000 (10:25 +0200)
While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.

src/libcharon/sa/ikev1/tasks/aggressive_mode.c

index 66e6451..8fa2d52 100644 (file)
@@ -380,6 +380,23 @@ METHOD(task_t, process_r, status_t,
                        this->method = sa_payload->get_auth_method(sa_payload);
                        this->lifetime = sa_payload->get_lifetime(sa_payload);
 
+                       switch (this->method)
+                       {
+                               case AUTH_XAUTH_INIT_PSK:
+                               case AUTH_XAUTH_RESP_PSK:
+                               case AUTH_PSK:
+                                       if (!lib->settings->get_bool(lib->settings, "charon.i_dont_"
+                                               "care_about_security_and_use_aggressive_mode_psk", FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
+                                                        "security reasons");
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
+                                       break;
+                               default:
+                                       break;
+                       }
+
                        if (!this->proposal->get_algorithm(this->proposal,
                                                                                DIFFIE_HELLMAN_GROUP, &group, NULL))
                        {