Charon refuses to make use of algorithms IDs from the private space
for unknown peer implementations [1]. If you choose to deliberately violate
that section of the RFC because you *know* your peers *must* support those
private IDs, there is currently no way to disable that behavior.
With this commit a strongswan.conf option is introduced that allows
deliberately ignoring parts of section 3.12 of the standard.
[1] http://tools.ietf.org/html/rfc7296#section-3.12
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
**charon-cmd** instead of **charon**). For many options defaults can be
defined in the **libstrongswan** section.
**charon-cmd** instead of **charon**). For many options defaults can be
defined in the **libstrongswan** section.
+charon.accept_private_algs = no
+ Deliberately violate the IKE standard's requirement and allow the use of
+ private algorithm identifiers, even if the peer implementation is unknown.
+
charon.accept_unencrypted_mainmode_messages = no
Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
charon.accept_unencrypted_mainmode_messages = no
Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
}
list = sa_payload->get_proposals(sa_payload);
}
list = sa_payload->get_proposals(sa_payload);
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+ && !lib->settings->get_bool(lib->settings,
+ "%s.accept_private_algs", FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
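Review bot: The added condition re-reads `charon.accept_private_algs` from the settings store at every proposal selection, and the same two-line `lib->settings->get_bool(...)` expression is repeated verbatim in every other hunk of this commit, so the single policy decision "may private-use IDs be negotiated with this peer" now lives in seven places that can drift independently (the later hunks already differ in where they break the `&&`). I would factor it into one helper that carries the RFC 7296 §3.12 rationale in its comment and is called from each site, including the `private` assignment in the ike_auth hunk. The helper's comment is also the right place to state that the override is global: once set, private-range IDs are accepted from any peer, not only from those announcing the strongSwan vendor ID. The enclosing function starts and ends outside this hunk.
```c
/* RFC 7296 section 3.12: private-use algorithm IDs must only be negotiated
 * with peers known to support them (strongSwan vendor ID), unless the
 * operator deliberately overrides this with charon.accept_private_algs.
 * Note that the override applies to every peer, known or unknown. */
static bool private_algs_allowed(ike_sa_t *ike_sa)
{
	return ike_sa->supports_extension(ike_sa, EXT_STRONGSWAN) ||
		   lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
								   FALSE, lib->ns);
}

/* … unchanged: code preceding the proposal list … */
	if (!private_algs_allowed(this->ike_sa))
	{
		flags |= PROPOSAL_SKIP_PRIVATE;
	}
```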
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
list = sa_payload->get_proposals(sa_payload);
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
list = sa_payload->get_proposals(sa_payload);
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+ && !lib->settings->get_bool(lib->settings,
+ "%s.accept_private_algs", FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
DESTROY_IF(list);
list = sa_payload->get_proposals(sa_payload);
}
DESTROY_IF(list);
list = sa_payload->get_proposals(sa_payload);
}
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+ && !lib->settings->get_bool(lib->settings,
+ "%s.accept_private_algs", FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
DESTROY_IF(list);
list = sa_payload->get_proposals(sa_payload);
}
DESTROY_IF(list);
list = sa_payload->get_proposals(sa_payload);
}
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+ && !lib->settings->get_bool(lib->settings,
+ "%s.accept_private_algs", FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
{
flags |= PROPOSAL_SKIP_DH;
}
{
flags |= PROPOSAL_SKIP_DH;
}
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+ !lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
+ FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
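Review bot: The continuation style of the new condition is inconsistent across this commit: here (and in the two hunks that follow) the `&&`/`||` sits at the end of the line, while the four earlier hunks start the continuation line with `&& !lib->settings->get_bool(`. Pick one form for all seven sites; the trailing-operator form used here matches the existing `||` on the `private =` assignment below, so I would align the earlier hunks to `if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&` followed by `!lib->settings->get_bool(lib->settings, "%s.accept_private_algs",` and `FALSE, lib->ns))`. The enclosing function starts and ends outside this hunk.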
my_id = this->ike_sa->get_my_id(this->ike_sa);
other_id = this->ike_sa->get_other_id(this->ike_sa);
ike_proposal = this->ike_sa->get_proposal(this->ike_sa);
my_id = this->ike_sa->get_my_id(this->ike_sa);
other_id = this->ike_sa->get_other_id(this->ike_sa);
ike_proposal = this->ike_sa->get_proposal(this->ike_sa);
- private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+ private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) ||
+ lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
+ FALSE, lib->ns);
DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
me, my_id, other, other_id);
DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
me, my_id, other, other_id);
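Review bot: With the option set, `private` is now true for a peer that did not announce the strongSwan vendor ID, and nothing in the hunk records that the override rather than the vendor ID is what allowed private-range algorithms to match the peer config (presumably via the proposal matching further down, outside this hunk). A comment on the assignment would help the next reader, e.g. `/* allow private-range algorithms if the peer announced the strongSwan vendor ID or the operator explicitly enabled accept_private_algs */`, and a log line such as `if (private && !this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)) { DBG1(DBG_CFG, "accepting private algorithm IDs from unknown peer (accept_private_algs)"); }` would let an operator see in the logs when the standard was deliberately bypassed for a given negotiation. The enclosing function starts and ends outside this hunk.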
ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
proposal_list = sa_payload->get_proposals(sa_payload);
ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
proposal_list = sa_payload->get_proposals(sa_payload);
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+ !lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
+ FALSE, lib->ns))
{
flags |= PROPOSAL_SKIP_PRIVATE;
}
{
flags |= PROPOSAL_SKIP_PRIVATE;
}