ike: Add configuration option to switch to preferring supplied proposals over local ones

conf/options/charon.opt

@@ -253,6 +253,11 @@ charon.port_nat_t = 4500
 	allocated.  Has to be different from **charon.port**, otherwise a random
 	port will be allocated.
 
+charon.prefer_configured_proposals = yes
+	Prefer locally configured proposals for	IKE/IPsec over supplied ones as
+	responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
+	notifies).
+
 charon.prefer_temporary_addrs = no
 	By default public IPv6 addresses are preferred over temporary ones (RFC
 	4941), to make connections more stable. Enable this option to reverse this.

src/libcharon/sa/ikev1/tasks/aggressive_mode.c

@@ -378,6 +378,7 @@ METHOD(task_t, process_r, status_t,
 			identification_t *id;
 			linked_list_t *list;
 			uint16_t group;
+			bool prefer_configured;
 
 			this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 			DBG0(DBG_IKE, "%H is initiating a Aggressive Mode IKE_SA",
@@ -401,8 +402,10 @@ METHOD(task_t, process_r, status_t,
 			}
 
 			list = sa_payload->get_proposals(sa_payload);
+			prefer_configured = lib->settings->get_bool(lib->settings,
+							"%s.prefer_configured_proposals", TRUE, lib->ns);
 			this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
-															list, FALSE, TRUE);
+												list, FALSE, prefer_configured);
 			list->destroy_offset(list, offsetof(proposal_t, destroy));
 			if (!this->proposal)
 			{

src/libcharon/sa/ikev1/tasks/main_mode.c

@@ -367,7 +367,7 @@ METHOD(task_t, process_r, status_t,
 		{
 			linked_list_t *list;
 			sa_payload_t *sa_payload;
-			bool private;
+			bool private, prefer_configured;
 
 			this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 			DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA",
@@ -392,9 +392,11 @@ METHOD(task_t, process_r, status_t,
 
 			list = sa_payload->get_proposals(sa_payload);
 			private = this->ike_sa->supports_extension(this->ike_sa,
-														   EXT_STRONGSWAN);
+													   EXT_STRONGSWAN);
+			prefer_configured = lib->settings->get_bool(lib->settings,
+							"%s.prefer_configured_proposals", TRUE, lib->ns);
 			this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
-															list, private, TRUE);
+											list, private, prefer_configured);
 			list->destroy_offset(list, offsetof(proposal_t, destroy));
 			if (!this->proposal)
 			{

src/libcharon/sa/ikev1/tasks/quick_mode.c

@@ -1051,7 +1051,7 @@ METHOD(task_t, process_r, status_t,
 			linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL;
 			peer_cfg_t *peer_cfg;
 			uint16_t group;
-			bool private;
+			bool private, prefer_configured;
 
 			sa_payload = (sa_payload_t*)message->get_payload(message,
 													PLV1_SECURITY_ASSOCIATION);
@@ -1109,8 +1109,10 @@ METHOD(task_t, process_r, status_t,
 			}
 			private = this->ike_sa->supports_extension(this->ike_sa,
 													   EXT_STRONGSWAN);
+			prefer_configured = lib->settings->get_bool(lib->settings,
+							"%s.prefer_configured_proposals", TRUE, lib->ns);
 			this->proposal = this->config->select_proposal(this->config, list,
-														FALSE, private, TRUE);
+											FALSE, private, prefer_configured);
 			list->destroy_offset(list, offsetof(proposal_t, destroy));
 
 			get_lifetimes(this);

src/libcharon/sa/ikev2/tasks/child_create.c

@@ -464,7 +464,7 @@ static status_t select_and_install(private_child_create_t *this,
 	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
 	linked_list_t *my_ts, *other_ts;
 	host_t *me, *other;
-	bool private;
+	bool private, prefer_configured;
 
 	if (this->proposals == NULL)
 	{
@@ -481,8 +481,10 @@ static status_t select_and_install(private_child_create_t *this,
 	other = this->ike_sa->get_other_host(this->ike_sa);
 
 	private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+	prefer_configured = lib->settings->get_bool(lib->settings,
+							"%s.prefer_configured_proposals", TRUE, lib->ns);
 	this->proposal = this->config->select_proposal(this->config,
-										this->proposals, no_dh, private, TRUE);
+							this->proposals, no_dh, private, prefer_configured);
 	if (this->proposal == NULL)
 	{
 		DBG1(DBG_IKE, "no acceptable proposal found");

src/libcharon/sa/ikev2/tasks/ike_init.c

@@ -373,13 +373,15 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 			{
 				sa_payload_t *sa_payload = (sa_payload_t*)payload;
 				linked_list_t *proposal_list;
-				bool private;
+				bool private, prefer_configured;
 
 				proposal_list = sa_payload->get_proposals(sa_payload);
 				private = this->ike_sa->supports_extension(this->ike_sa,
 														   EXT_STRONGSWAN);
+				prefer_configured = lib->settings->get_bool(lib->settings,
+							"%s.prefer_configured_proposals", TRUE, lib->ns);
 				this->proposal = this->config->select_proposal(this->config,
-												proposal_list, private, TRUE);
+									proposal_list, private, prefer_configured);
 				if (!this->proposal)
 				{
 					charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE,