*/
START_TEST(test_regular)
{
+ childless_t childless[] = {
+ CHILDLESS_FORCE,
+ CHILDLESS_PREFER,
+ };
exchange_test_sa_conf_t conf = {
.initiator = {
- .childless = CHILDLESS_FORCE,
+ .childless = childless[_i],
.esp = "aes128-sha256-modp3072",
},
.responder = {
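Review bot: the `childless[]` array is declared inside `test_regular`, so the code that registers the loop cannot size the range from it, and `.childless = childless[_i]` will read past the end of the array if the two ever diverge. Consider moving the array to file scope (it can be `static const`) so the loop bound can be derived from its element count. The comment that closes just above `START_TEST(test_regular)` is not touched in this hunk; it may be worth noting there that the test now runs once for `CHILDLESS_FORCE` and once for `CHILDLESS_PREFER`.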
s = suite_create("childless");
tc = tcase_create("initiation");
- tcase_add_test(tc, test_regular);
+ tcase_add_loop_test(tc, test_regular, 0, 2);
tcase_add_test(tc, test_regular_manual);
suite_add_tcase(s, tc);
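Review bot: the upper bound in `tcase_add_loop_test(tc, test_regular, 0, 2)` is a magic number that has to match the number of entries in the `childless[]` array inside the test. Deriving it from the array size would keep the two in sync when another mode is added. Also, `test_regular_manual` is still registered with `tcase_add_test` and so runs for a single mode only; if that is intentional, a short comment saying why would help.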
irrespective of the value of this option (even when set to _no_).
connections.<conn>.childless = allow
- Use childless IKE_SA initiation (_allow_, _force_ or _never_).
-
- Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values
- are _allow_ (the default), _force_ and _never_. If set to _allow_,
- responders will accept childless IKE_SAs (as indicated via notify in the
- IKE_SA_INIT response) while initiators continue to create regular IKE_SAs
- with the first CHILD_SA created during IKE_AUTH, unless the IKE_SA is
- initiated explicitly without any children (which will fail if the responder
- does not support or has disabled this extension). If set to _force_, only
- childless initiation is accepted and the first CHILD_SA is created with a
- separate CREATE_CHILD_SA exchange (e.g. to use an independent DH exchange
- for all CHILD_SAs). Finally, setting the option to _never_ disables support
- for childless IKE_SAs as responder.
+ Use childless IKE_SA initiation (_allow_, _prefer_, _force_ or _never_).
+
+ Use childless IKE_SA initiation (RFC 6023) for IKEv2, with the first
+ CHILD_SA created with a separate CREATE_CHILD_SA exchange (e.g. to use an
+ independent DH exchange for all CHILD_SAs). Acceptable values are _allow_
+ (the default), _prefer_, _force_ and _never_. If set to _allow_, responders
+ will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT
+ response) while initiators continue to create regular IKE_SAs with the first
+ CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated explicitly
+ without any children (which will fail if the responder does not support or
+ has disabled this extension). The effect of _prefer_ is the same as _allow_
+ on responders, but as initiator a childless IKE_SA is initiated if the
+ responder supports it. If set to _force_, only childless initiation is
+ accepted in either role. Finally, setting the option to _never_ disables
+ support for childless IKE_SAs as responder.
connections.<conn>.send_certreq = yes
Send certificate requests payloads (_yes_ or _no_).
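Review bot: the new text for _prefer_ says a childless IKE_SA is initiated "if the responder supports it" but never states what happens when the responder does not. Please state the fallback explicitly, so that readers who want the independent DH exchange for every CHILD_SA can see whether _prefer_ guarantees it or whether they need _force_. Separately, moving "with the first CHILD_SA created with a separate CREATE_CHILD_SA exchange" into the opening sentence makes it read as if it applies to every value, while the _allow_ description a few lines later still has initiators creating the first CHILD_SA during IKE_AUTH. Rewording the opening sentence so it describes what childless initiation is, rather than what the option always does, would resolve this.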