ike: Optionally allow private algorithms for IKE/CHILD_SAs

Charon refuses to make use of algorithm IDs from the private space
for unknown peer implementations [1]. If you choose to ignore and violate
that section of the RFC because you *know* your peers *must* support those
private IDs, there is no way to disable that behavior.

With this commit a strongswan.conf option is introduced which allows to
deliberately ignore parts of section 3.12 from the standard.

[1] http://tools.ietf.org/html/rfc7296#section-3.12

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Thomas Egerer 2019-09-12 16:58:46 +02:00 committed by Tobias Brunner
parent 61769fd1e3
commit 05e373aeb0
6 changed files with 25 additions and 7 deletions


@ -8,6 +8,10 @@ charon {}
**charon-cmd** instead of **charon**). For many options defaults can be
defined in the **libstrongswan** section.
charon.accept_private_algs = no
Deliberately violate the IKE standard's requirement and allow the use of
private algorithm identifiers, even if the peer implementation is unknown.
charon.accept_unencrypted_mainmode_messages = no
Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.


@ -386,7 +386,9 @@ METHOD(task_t, process_r, status_t,
}
list = sa_payload->get_proposals(sa_payload);
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
&& !lib->settings->get_bool(lib->settings,
"%s.accept_private_algs", FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
@ -641,7 +643,9 @@ METHOD(task_t, process_i, status_t,
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
list = sa_payload->get_proposals(sa_payload);
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
&& !lib->settings->get_bool(lib->settings,
"%s.accept_private_algs", FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
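Review bot: The continuation lines at `&& !lib->settings->get_bool(lib->settings,` (in both process_r and process_i of this file) start with the operator, while the identical change in the child_create.c and ike_init.c sections ends the first line with `&&`; one form should be used throughout, and the trailing-operator form matches the rest of this commit. More importantly, the same two-part condition is now written out verbatim in six places across five files, so a future task that negotiates proposals can easily pick up one half of the policy and not the other. A single helper, e.g. `static inline bool skip_private_algs(ike_sa_t *ike_sa)` returning `!ike_sa->supports_extension(ike_sa, EXT_STRONGSWAN) && !lib->settings->get_bool(lib->settings, "%s.accept_private_algs", FALSE, lib->ns)`, would keep the decision in one place and give it a one-line comment explaining which RFC 7296 section 3.12 requirement is being relaxed. Both enclosing functions begin outside the hunk.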


@ -1132,7 +1132,9 @@ METHOD(task_t, process_r, status_t,
DESTROY_IF(list);
list = sa_payload->get_proposals(sa_payload);
}
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
&& !lib->settings->get_bool(lib->settings,
"%s.accept_private_algs", FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
@ -1370,7 +1372,9 @@ METHOD(task_t, process_i, status_t,
DESTROY_IF(list);
list = sa_payload->get_proposals(sa_payload);
}
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
&& !lib->settings->get_bool(lib->settings,
"%s.accept_private_algs", FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}


@ -564,7 +564,9 @@ static status_t select_and_install(private_child_create_t *this,
{
flags |= PROPOSAL_SKIP_DH;
}
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
!lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}


@ -330,7 +330,9 @@ static bool load_cfg_candidates(private_ike_auth_t *this)
my_id = this->ike_sa->get_my_id(this->ike_sa);
other_id = this->ike_sa->get_other_id(this->ike_sa);
ike_proposal = this->ike_sa->get_proposal(this->ike_sa);
private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) ||
lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
FALSE, lib->ns);
DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
me, my_id, other, other_id);


@ -458,7 +458,9 @@ static void process_sa_payload(private_ike_init_t *this, message_t *message,
ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
proposal_list = sa_payload->get_proposals(sa_payload);
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
!lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
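Review bot: Nothing records when the relaxed policy is actually exercised: at the changed condition in process_sa_payload the option silently keeps PROPOSAL_SKIP_PRIVATE clear, and since this task handles the IKE_SA_INIT exchange the peer has not been authenticated yet, so private-space IDs are offered to or accepted from any peer that reaches the daemon. A log line on the path where the setting, rather than EXT_STRONGSWAN, is what permits private IDs would let an operator see in the logs that the RFC deviation was relied on for a given SA, and also makes the two cases distinguishable when troubleshooting a proposal mismatch. The same applies to the other sections of this commit; this is the first place it matters. process_sa_payload continues outside the hunk.
```c
	proposal_list = sa_payload->get_proposals(sa_payload);
	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
	{
		if (lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
									FALSE, lib->ns))
		{
			/* configured deviation from RFC 7296 section 3.12: peer is
			 * unknown, but private algorithm IDs are accepted anyway */
			DBG1(DBG_IKE, "accepting private algorithm IDs from unknown peer "
				 "(accept_private_algs enabled)");
		}
		else
		{
			flags |= PROPOSAL_SKIP_PRIVATE;
		}
	}
	/* … unchanged: remainder of process_sa_payload … */
```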