ikev2: Add option to disable following redirects as client

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 38200364447229b7f339c5dfb162189a17817934..86279ec83d09b45e659e267bfceab0c213c5a3a9 100644 (file)
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -97,6 +97,9 @@ charon.flush_auth_cfg = no
        this might conflict with plugins that later need access to e.g. the used
        certificates.
 
+charon.follow_redirects = yes
+       Whether to follow IKEv2 redirects (RFC 5685).
+
 charon.fragment_size = 0
        Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
        when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 864e8c055712bc83bb2f441a91131cf474bc7b8e..cb941afb05b2beac438712c9f7432fd58a766c0a 100644 (file)
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -282,6 +282,11 @@ struct private_ike_sa_t {
         * Maximum length of a single fragment, 0 for address-specific defaults
         */
        size_t fragment_size;
+
+       /**
+        * Whether to follow IKEv2 redirects
+        */
+       bool follow_redirects;
 };
 
 /**
@@ -1958,6 +1963,11 @@ METHOD(ike_sa_t, handle_redirect, bool,
        host_t *other;
 
        DBG1(DBG_IKE, "redirected to %Y", gateway);
+       if (!this->follow_redirects)
+       {
+               DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
+               return FALSE;
+       }
 
        snprintf(gw, sizeof(gw), "%Y", gateway);
        gw[sizeof(gw)-1] = '\0';
@@ -2640,6 +2650,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
                                                                "%s.flush_auth_cfg", FALSE, lib->ns),
                .fragment_size = lib->settings->get_int(lib->settings,
                                                                "%s.fragment_size", 0, lib->ns),
+               .follow_redirects = lib->settings->get_bool(lib->settings,
+                                                               "%s.follow_redirects", TRUE, lib->ns),
        );
 
        if (version == IKEV2)

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 71bd82cf1d52a5e6fb3d2173616156549b3c2106..42be11896d1ff78c78c919659977894d51bc5d96 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -118,6 +118,11 @@ struct private_ike_init_t {
         * Whether to use Signature Authentication as per RFC 7427
         */
        bool signature_authentication;
+
+       /**
+        * Whether to follow IKEv2 redirects as per RFC 5685
+        */
+       bool follow_redirects;
 };
 
 /**
@@ -325,7 +330,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
                }
        }
        /* notify other peer if we support redirection */
-       if (!this->old_sa && this->initiator)
+       if (!this->old_sa && this->initiator && this->follow_redirects)
        {
                message->add_notify(message, FALSE, REDIRECT_SUPPORTED, chunk_empty);
        }
@@ -850,6 +855,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
                .old_sa = old_sa,
                .signature_authentication = lib->settings->get_bool(lib->settings,
                                                                "%s.signature_authentication", TRUE, lib->ns),
+               .follow_redirects = lib->settings->get_bool(lib->settings,
+                                                               "%s.follow_redirects", TRUE, lib->ns),
        );
        this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);