ikev2: Add a global option to disable RFC 7427 signature authentication

This is mostly for testing.

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index f0969e6c6113ecf694b85ff578390e9f41e9fe4d..380ce9305eaab1d985c775263144f3551708af54 100644 (file)
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -287,6 +287,9 @@ charon.send_delay_type = 0
 charon.send_vendor_id = no
        Send strongSwan vendor ID payload
 
+charon.signature_authentication = yes
+       Whether to enable Signature Authentication as per RFC 7427.
+
 charon.start-scripts {}
        Section containing a list of scripts (name = path) that are executed when
        the daemon is started.

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index c386877bbc24098f0fda7ce06d793f1278bb020e..3581ceedf02fbd84684dce0d9d206b14218808f6 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -102,6 +102,11 @@ struct private_ike_init_t {
         * retries done so far after failure (cookie or bad dh group)
         */
        u_int retry;
+
+       /**
+        * Whether to use Signature Authentication as per RFC 7427
+        */
+       bool signature_authentication;
 };
 
 /**
@@ -235,7 +240,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
                }
        }
        /* submit supported hash algorithms for signature authentication */
-       if (!this->old_sa)
+       if (!this->old_sa && this->signature_authentication)
        {
                if (this->initiator ||
                        this->ike_sa->supports_extension(this->ike_sa,
@@ -305,7 +310,10 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                                                                                                           EXT_IKE_FRAGMENTATION);
                                                break;
                                        case SIGNATURE_HASH_ALGORITHMS:
-                                               handle_supported_hash_algorithms(this, notify);
+                                               if (this->signature_authentication)
+                                               {
+                                                       handle_supported_hash_algorithms(this, notify);
+                                               }
                                                break;
                                        default:
                                                /* other notifies are handled elsewhere */
@@ -716,6 +724,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
                .dh_group = MODP_NONE,
                .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
                .old_sa = old_sa,
+               .signature_authentication = lib->settings->get_bool(lib->settings,
+                                                               "%s.signature_authentication", TRUE, lib->ns),
        );
 
        if (initiator)