From b31a56f1281f51932d945f8f6ac9dfc34a30af6d Mon Sep 17 00:00:00 2001
From: Martin Willi <martin@revosec.ch>
Date: Wed, 13 Jun 2012 09:32:28 +0200
Subject: [PATCH] Require a scary option to respond to Aggressive Mode PSK
 requests

While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.
---
 src/libcharon/sa/ikev1/tasks/aggressive_mode.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 66e6451ea..8fa2d525e 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -380,6 +380,23 @@ METHOD(task_t, process_r, status_t,
 			this->method = sa_payload->get_auth_method(sa_payload);
 			this->lifetime = sa_payload->get_lifetime(sa_payload);
 
+			switch (this->method)
+			{
+				case AUTH_XAUTH_INIT_PSK:
+				case AUTH_XAUTH_RESP_PSK:
+				case AUTH_PSK:
+					if (!lib->settings->get_bool(lib->settings, "charon.i_dont_"
+						"care_about_security_and_use_aggressive_mode_psk", FALSE))
+					{
+						DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
+							 "security reasons");
+						return send_notify(this, AUTHENTICATION_FAILED);
+					}
+					break;
+				default:
+					break;
+			}
+
 			if (!this->proposal->get_algorithm(this->proposal,
 										DIFFIE_HELLMAN_GROUP, &group, NULL))
 			{