From: Martin Willi <martin@revosec.ch>
Date: Wed, 13 Jun 2012 07:32:28 +0000 (+0200)
Subject: Require a scary option to respond to Aggressive Mode PSK requests
X-Git-Tag: 5.0.0~109
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b31a56f1281f51932d945f8f6ac9dfc34a30af6d;p=thirdparty%2Fstrongswan.git

Require a scary option to respond to Aggressive Mode PSK requests

While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.
---

diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 66e6451ea1..8fa2d525ed 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -380,6 +380,23 @@ METHOD(task_t, process_r, status_t,
 			this->method = sa_payload->get_auth_method(sa_payload);
 			this->lifetime = sa_payload->get_lifetime(sa_payload);
 
+			switch (this->method)
+			{
+				case AUTH_XAUTH_INIT_PSK:
+				case AUTH_XAUTH_RESP_PSK:
+				case AUTH_PSK:
+					if (!lib->settings->get_bool(lib->settings, "charon.i_dont_"
+						"care_about_security_and_use_aggressive_mode_psk", FALSE))
+					{
+						DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
+							 "security reasons");
+						return send_notify(this, AUTHENTICATION_FAILED);
+					}
+					break;
+				default:
+					break;
+			}
+
 			if (!this->proposal->get_algorithm(this->proposal,
 										DIFFIE_HELLMAN_GROUP, &group, NULL))
 			{