From: Thomas Egerer
Date: Thu, 12 Sep 2019 14:58:46 +0000 (+0200)
Subject: ike: Optionally allow private algorithms for IKE/CHILD_SAs
X-Git-Tag: 5.8.3rc1~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05e373aeb02f339cb2ae11f611904302ff0a9351;p=thirdparty%2Fstrongswan.git
ike: Optionally allow private algorithms for IKE/CHILD_SAs
Charon refuses to make use of algorithms IDs from the private space for unknown peer implementations [1]. If you chose to ignore and violate that section of the RFC since you *know* your peers *must* support those private IDs, there's no way to disable that behavior. With this commit a strongswan.conf option is introduced which allows to deliberately ignore parts of section 3.12 from the standard.
[1] http://tools.ietf.org/html/rfc7296#section-3.12
Signed-off-by: Thomas Egerer
---
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index cc58afda83..d9d98ef9c9 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -8,6 +8,10 @@ charon {}
 **charon-cmd** instead of **charon**). For many options defaults can be defined in the **libstrongswan** section.
+charon.accept_private_algs = no
+ Deliberately violate the IKE standard's requirement and allow the use of
+ private algorithm identifiers, even if the peer implementation is unknown.
+
 charon.accept_unencrypted_mainmode_messages = no
 Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index eb77f5cb8c..24b2f24d17 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -386,7 +386,9 @@ METHOD(task_t, process_r, status_t,
 }
 list = sa_payload->get_proposals(sa_payload);
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+ && !lib->settings->get_bool(lib->settings,
+ "%s.accept_private_algs", FALSE, lib->ns))
 {
 flags |= PROPOSAL_SKIP_PRIVATE;
 }
@@ -641,7 +643,9 @@ METHOD(task_t, process_i, status_t,
 return send_notify(this, INVALID_PAYLOAD_TYPE);
 }
 list = sa_payload->get_proposals(sa_payload);
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+ && !lib->settings->get_bool(lib->settings,
+ "%s.accept_private_algs", FALSE, lib->ns))
 {
 flags |= PROPOSAL_SKIP_PRIVATE;
 }
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 89d7444250..f494e48c83 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1132,7 +1132,9 @@ METHOD(task_t, process_r, status_t,
 DESTROY_IF(list);
 list = sa_payload->get_proposals(sa_payload);
 }
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+ && !lib->settings->get_bool(lib->settings,
+ "%s.accept_private_algs", FALSE, lib->ns))
 {
 flags |= PROPOSAL_SKIP_PRIVATE;
 }
@@ -1370,7 +1372,9 @@ METHOD(task_t, process_i, status_t,
 DESTROY_IF(list);
 list = sa_payload->get_proposals(sa_payload);
 }
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
+ && !lib->settings->get_bool(lib->settings,
+ "%s.accept_private_algs", FALSE, lib->ns))
 {
 flags |= PROPOSAL_SKIP_PRIVATE;
 }
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index e98c1dbcc4..a642a76861 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
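Review bot: The new `&& !lib->settings->get_bool(lib->settings, "%s.accept_private_algs", FALSE, lib->ns)` condition is pasted verbatim into seven call sites (both main_mode.c hunks, both quick_mode.c hunks, child_create.c, ike_auth.c and ike_init.c), and the two IKEv1 files break the line before `&&` while the IKEv2 files break after it, so one rule is now spelled in three layouts and the setting name lives in seven string literals. A single helper, for example a proposed `static inline bool accept_private_algs(ike_sa_t *ike_sa)` in a shared header returning `ike_sa->supports_extension(ike_sa, EXT_STRONGSWAN) || lib->settings->get_bool(lib->settings, "%s.accept_private_algs", FALSE, lib->ns)`, would reduce every site to `if (!accept_private_algs(this->ike_sa))` and keep the name in one place. The lookup also runs on every SA payload rather than once per task; that is only worth changing if the settings lookup is measurable, but a helper makes it easy to do later. process_r continues outside the hunk on both sides.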
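Review bot: On the IKEv1 side only main_mode.c and quick_mode.c are updated; the IKEv1 aggressive mode task (aggressive_mode.c) is not part of this commit, and if it gates `PROPOSAL_SKIP_PRIVATE` on `EXT_STRONGSWAN` alone the way the removed lines here did (not visible in this diff, so to be confirmed), the new option has no effect for peers that negotiate in aggressive mode although the charon.opt text promises it for any unknown peer implementation. Either that task should receive the same condition as the quick_mode.c hunks, or the option's description should say that it covers main mode and quick mode only. process_i in both quick_mode.c hunks continues outside the hunk.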
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -564,7 +564,9 @@ static status_t select_and_install(private_child_create_t *this,
 {
 flags |= PROPOSAL_SKIP_DH;
 }
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+ !lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
+ FALSE, lib->ns))
 {
 flags |= PROPOSAL_SKIP_PRIVATE;
 }
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index f95ec5c55b..6448d8baa9 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -330,7 +330,9 @@ static bool load_cfg_candidates(private_ike_auth_t *this)
 my_id = this->ike_sa->get_my_id(this->ike_sa);
 other_id = this->ike_sa->get_other_id(this->ike_sa);
 ike_proposal = this->ike_sa->get_proposal(this->ike_sa);
- private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+ private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) ||
+ lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
+ FALSE, lib->ns);
 DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]", me, my_id, other, other_id);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index d15b5b107a..477d2caae5 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -458,7 +458,9 @@ static void process_sa_payload(private_ike_init_t *this, message_t *message,
 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 proposal_list = sa_payload->get_proposals(sa_payload);
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
+ !lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
+ FALSE, lib->ns))
 {
 flags |= PROPOSAL_SKIP_PRIVATE;
 }
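Review bot: With `accept_private_algs` enabled, the rewritten condition in process_sa_payload simply leaves `PROPOSAL_SKIP_PRIVATE` out of `flags` for a peer that never announced strongSwan support, so nothing in the log records that a private-range algorithm identifier was accepted from an unknown implementation; the child_create.c and ike_auth.c hunks have the same gap. Because the option is read from the daemon-wide `lib->settings` rather than from the `ike_cfg` fetched two lines above, it relaxes the check for every unknown peer at once, which makes a trace in the log more valuable, not less. Splitting the condition so that the relaxed path emits one DBG1 line, as below, keeps the negotiated result identical and lets an operator see when the deliberately non-compliant path was taken. process_sa_payload continues outside the hunk.
```c
	/* … unchanged: ike_cfg lookup … */
	proposal_list = sa_payload->get_proposals(sa_payload);
	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
	{
		if (lib->settings->get_bool(lib->settings, "%s.accept_private_algs",
									FALSE, lib->ns))
		{
			/* deliberately non-compliant with RFC 7296 section 3.12,
			 * leave a trace so the relaxed check is visible in the log */
			DBG1(DBG_IKE, "accepting private algorithm identifiers from "
				 "unknown peer implementation");
		}
		else
		{
			flags |= PROPOSAL_SKIP_PRIVATE;
		}
	}
```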