From 489d154e63c14cb79f3e6a757ab4ea9256c4aab8 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 20 Apr 2015 17:36:45 +0200
Subject: [PATCH] ikev2: Add option to disable following redirects as client

---
 conf/options/charon.opt                 |  3 +++
 src/libcharon/sa/ike_sa.c               | 12 ++++++++++++
 src/libcharon/sa/ikev2/tasks/ike_init.c |  9 ++++++++-
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 3820036..86279ec 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -97,6 +97,9 @@ charon.flush_auth_cfg = no
 	this might conflict with plugins that later need access to e.g. the used
 	certificates.
 
+charon.follow_redirects = yes
+	Whether to follow IKEv2 redirects (RFC 5685).
+
 charon.fragment_size = 0
 	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
 	when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 864e8c0..cb941af 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -282,6 +282,11 @@ struct private_ike_sa_t {
 	 * Maximum length of a single fragment, 0 for address-specific defaults
 	 */
 	size_t fragment_size;
+
+	/**
+	 * Whether to follow IKEv2 redirects
+	 */
+	bool follow_redirects;
 };
 
 /**
@@ -1958,6 +1963,11 @@ METHOD(ike_sa_t, handle_redirect, bool,
 	host_t *other;
 
 	DBG1(DBG_IKE, "redirected to %Y", gateway);
+	if (!this->follow_redirects)
+	{
+		DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
+		return FALSE;
+	}
 	snprintf(gw, sizeof(gw), "%Y", gateway);
 	gw[sizeof(gw)-1] = '\0';
 
@@ -2640,6 +2650,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 				"%s.flush_auth_cfg", FALSE, lib->ns),
 		.fragment_size = lib->settings->get_int(lib->settings,
 				"%s.fragment_size", 0, lib->ns),
+		.follow_redirects = lib->settings->get_bool(lib->settings,
+				"%s.follow_redirects", TRUE, lib->ns),
 	);
 
 	if (version == IKEV2)
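Review bot: The comment on the new private_ike_sa_t field, `Whether to follow IKEv2 redirects`, is less specific than the comment on the matching field added to private_ike_init_t in ike_init.c, which cites RFC 5685. Since this field is the one that actually decides whether a received REDIRECT is honoured, tying it to its configuration source helps the next reader: `/** Whether to follow IKEv2 redirects (RFC 5685), charon.follow_redirects */`. The struct definition starts and ends outside this hunk.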
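Review bot: The new guard in handle_redirect sits after the `DBG1(DBG_IKE, "redirected to %Y", gateway);` line, so a client with follow_redirects disabled first logs that it was redirected and then logs that it refused the redirect; moving the `if (!this->follow_redirects)` block above that DBG1, or folding the gateway into the rejection, e.g. `DBG1(DBG_IKE, "ignoring REDIRECT to %Y, following redirects is disabled", gateway);`, avoids the contradictory pair of log lines. The early `return FALSE` also deserves a one-line comment stating the intent: a responder that redirects a client which never announced REDIRECT_SUPPORTED is not following RFC 5685, so refusing the notify rather than following it to a gateway the administrator did not opt into is the safe choice. What the callers do with FALSE (abort the exchange or merely drop the notify) is not visible here and should be confirmed for both the IKE_SA_INIT and the INFORMATIONAL paths, since a misbehaving or hostile responder can trigger this branch at will. handle_redirect's body starts before and continues after this hunk.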
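Review bot: The `%s.follow_redirects` setting is now read twice with the same default, here in ike_sa_create and again in ike_init_create in ike_init.c, so the flag that decides whether REDIRECT_SUPPORTED is advertised and the flag that decides whether a REDIRECT is honoured are evaluated independently. With a global setting the two will normally agree, but if the option is ever made per-connection or reloadable at runtime they can diverge, giving a client that announces support yet refuses the redirect (or the reverse). Consider having the ike_init task take the value from the IKE_SA rather than from lib->settings, or at least note next to each read that the other copy exists and must stay in sync.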
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 71bd82c..42be118 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -118,6 +118,11 @@ struct private_ike_init_t {
 	 * Whether to use Signature Authentication as per RFC 7427
 	 */
 	bool signature_authentication;
+
+	/**
+	 * Whether to follow IKEv2 redirects as per RFC 5685
+	 */
+	bool follow_redirects;
 };
 
 /**
@@ -325,7 +330,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
 		}
 	}
 	/* notify other peer if we support redirection */
-	if (!this->old_sa && this->initiator)
+	if (!this->old_sa && this->initiator && this->follow_redirects)
 	{
 		message->add_notify(message, FALSE, REDIRECT_SUPPORTED, chunk_empty);
 	}
@@ -850,6 +855,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 		.old_sa = old_sa,
 		.signature_authentication = lib->settings->get_bool(lib->settings,
 				"%s.signature_authentication", TRUE, lib->ns),
+		.follow_redirects = lib->settings->get_bool(lib->settings,
+				"%s.follow_redirects", TRUE, lib->ns),
 	);
 
 	this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
-- 
2.7.4
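Review bot: The comment above the changed condition in build_payloads, `/* notify other peer if we support redirection */`, no longer describes it: with the added `&& this->follow_redirects` the notify is also omitted when the administrator has disabled the feature, not only when redirection is unsupported. Suggest `/* notify other peer if we support and are configured to follow redirection */`. Withholding REDIRECT_SUPPORTED is the right way to opt out, as RFC 5685 only permits a responder to redirect a client that announced the notify, so the condition itself needs no further change. build_payloads starts and ends outside this hunk.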