From: Tobias Brunner Date: Fri, 3 Feb 2023 08:46:37 +0000 (+0100) Subject: ikev2: Add option to prefer childless IKE_SAs as initiator X-Git-Tag: 5.9.10rc1~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1efdb0f79187b0e16c8ad4d0b5883f19e0570bfb;p=thirdparty%2Fstrongswan.git ikev2: Add option to prefer childless IKE_SAs as initiator
---
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 56b37b77a5..873bd0d65e 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -68,6 +68,8 @@ enum fragmentation_t {
 enum childless_t {
 /** Allow childless IKE_SAs as responder, but initiate regular IKE_SAs */
 CHILDLESS_ALLOW,
+ /** Initiate childless IKE_SAs if supported, allow them as responder */
+ CHILDLESS_PREFER,
 /** Don't accept childless IKE_SAs as responder, don't initiate them */
 CHILDLESS_NEVER,
 /** Only accept the creation of childless IKE_SAs (also as responder) */
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 52eee8c848..989939fbf2 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1643,6 +1643,7 @@ CALLBACK(parse_childless, bool,
 {
 enum_map_t map[] = {
 { "allow", CHILDLESS_ALLOW },
+ { "prefer", CHILDLESS_PREFER },
 { "never", CHILDLESS_NEVER },
 { "force", CHILDLESS_FORCE },
 };
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 427bc97cf4..daa56a9e5d 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
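Review bot: Inserting `CHILDLESS_PREFER` between `CHILDLESS_ALLOW` and `CHILDLESS_NEVER` renumbers `CHILDLESS_NEVER` and `CHILDLESS_FORCE`, so anything built against the previous header that passes or stores the raw enum value now has its meaning shifted by one — a stored value that meant _never_ would be read as _prefer_, i.e. the most restrictive setting becomes one that actively initiates childless IKE_SAs. Within the tree this is harmless as long as every consumer is rebuilt, and the vici map in the second hunk on this line resolves names at runtime, so configuration files are unaffected. If libcharon's header ABI is meant to stay stable across plugin builds, append the new constant after `CHILDLESS_FORCE` instead, or state the ABI change in the commit message. The doc comment could also say what "if supported" means in practice, e.g. `/** Initiate childless IKE_SAs if the responder announces support, allow them as responder */`.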
@@ -1044,7 +1044,8 @@ static status_t defer_child_sa(private_child_create_t *this)
 /* with SELinux, we prefer not to create a CHILD_SA when we only have
 * the generic label available. if the peer does not support it,
 * creating the SA will most likely fail */
- if (policy == CHILDLESS_FORCE ||
+ if (policy == CHILDLESS_PREFER ||
+ policy == CHILDLESS_FORCE ||
 generic_label_only(this))
 {
 return NEED_MORE;
diff --git a/src/libcharon/tests/suites/test_childless.c b/src/libcharon/tests/suites/test_childless.c
index 9720e28138..1a515ae060 100644
--- a/src/libcharon/tests/suites/test_childless.c
+++ b/src/libcharon/tests/suites/test_childless.c
@@ -27,9 +27,13 @@
 */
 START_TEST(test_regular)
 {
+ childless_t childless[] = {
+ CHILDLESS_FORCE,
+ CHILDLESS_PREFER,
+ };
 exchange_test_sa_conf_t conf = {
 .initiator = {
- .childless = CHILDLESS_FORCE,
+ .childless = childless[_i],
 .esp = "aes128-sha256-modp3072",
 },
 .responder = {
@@ -281,7 +285,7 @@ Suite *childless_suite_create()
 s = suite_create("childless");
 
 tc = tcase_create("initiation");
- tcase_add_test(tc, test_regular);
+ tcase_add_loop_test(tc, test_regular, 0, 2);
 tcase_add_test(tc, test_regular_manual);
 suite_add_tcase(s, tc);
 
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 70a4542aa9..a1218552b1 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
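Review bot: The new `policy == CHILDLESS_PREFER` test defers the CHILD_SA exactly like _force_ does, but the comment above the condition still explains only the SELinux generic-label case, so a reader cannot tell from this spot why _prefer_ belongs here. Whether the deferral is correct depends on the enclosing branch, which begins outside the hunk: if it already requires that the peer announced childless support, returning NEED_MORE for _prefer_ is right; if the condition can be reached without that check, a _prefer_ initiator would defer its CHILD_SA against a responder that then rejects the childless IKE_AUTH, which is the failure mode the swanctl.opt text reserves for explicit childless initiation. Suggest widening the comment, e.g. `/* defer the CHILD_SA if childless IKE_SAs are preferred or forced. with SELinux, we also prefer not to create a CHILD_SA when we only have ... */`, and adding a test where a _prefer_ initiator meets a responder with childless set to _never_ (the test hunks on this line only show a supporting responder, as far as visible). defer_child_sa() starts and ends outside this hunk.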
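Review bot: The loop bound `2` in `tcase_add_loop_test(tc, test_regular, 0, 2)` in the second test_childless.c hunk duplicates the length of the `childless[]` array declared inside test_regular in the first hunk; adding a policy to one without the other either silently skips a case or indexes past the array, and nothing ties the two numbers together. Hoisting the array to file scope as `static childless_t childless_policies[] = { CHILDLESS_FORCE, CHILDLESS_PREFER };` lets the test body use `.childless = childless_policies[_i],` and the registration use `tcase_add_loop_test(tc, test_regular, 0, countof(childless_policies));`, so the bound follows the array. The bodies of test_regular and childless_suite_create() extend beyond their hunks.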
@@ -169,19 +169,21 @@ connections..fragmentation = yes
 irrespective of the value of this option (even when set to _no_).
 
 connections..childless = allow
- Use childless IKE_SA initiation (_allow_, _force_ or _never_).
-
- Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values
- are _allow_ (the default), _force_ and _never_. If set to _allow_,
- responders will accept childless IKE_SAs (as indicated via notify in the
- IKE_SA_INIT response) while initiators continue to create regular IKE_SAs
- with the first CHILD_SA created during IKE_AUTH, unless the IKE_SA is
- initiated explicitly without any children (which will fail if the responder
- does not support or has disabled this extension). If set to _force_, only
- childless initiation is accepted and the first CHILD_SA is created with a
- separate CREATE_CHILD_SA exchange (e.g. to use an independent DH exchange
- for all CHILD_SAs). Finally, setting the option to _never_ disables support
- for childless IKE_SAs as responder.
+ Use childless IKE_SA initiation (_allow_, _prefer_, _force_ or _never_).
+
+ Use childless IKE_SA initiation (RFC 6023) for IKEv2, with the first
+ CHILD_SA created with a separate CREATE_CHILD_SA exchange (e.g. to use an
+ independent DH exchange for all CHILD_SAs). Acceptable values are _allow_
+ (the default), _prefer_, _force_ and _never_. If set to _allow_, responders
+ will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT
+ response) while initiators continue to create regular IKE_SAs with the first
+ CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated explicitly
+ without any children (which will fail if the responder does not support or
+ has disabled this extension). The effect of _prefer_ is the same as _allow_
+ on responders, but as initiator a childless IKE_SA is initiated if the
+ responder supports it. If set to _force_, only childless initiation is
+ accepted in either role. Finally, setting the option to _never_ disables
+ support for childless IKE_SAs as responder.
 
 connections..send_certreq = yes
 Send certificate requests payloads (_yes_ or _no_).