From: Tobias Brunner
Date: Wed, 25 Feb 2015 15:23:03 +0000 (+0100)
Subject: ikev2: Add a global option to disable RFC 7427 signature authentication
X-Git-Tag: 5.3.0dr1~39^2~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fff3576b6b861acedb63399fa3f5479d935562a7;p=thirdparty%2Fstrongswan.git

ikev2: Add a global option to disable RFC 7427 signature authentication

This is mostly for testing.
---
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index f0969e6c61..380ce9305e 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -287,6 +287,9 @@ charon.send_delay_type = 0
 charon.send_vendor_id = no
 Send strongSwan vendor ID payload
+charon.signature_authentication = yes
+ Whether to enable Signature Authentication as per RFC 7427.
+
 charon.start-scripts {}
 Section containing a list of scripts (name = path) that are executed when the daemon is started.
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index c386877bbc..3581ceedf0 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -102,6 +102,11 @@ struct private_ike_init_t {
 * retries done so far after failure (cookie or bad dh group)
 */
 u_int retry;
+
+ /**
+ * Whether to use Signature Authentication as per RFC 7427
+ */
+ bool signature_authentication;
 };
 /**
@@ -235,7 +240,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 }
 }
 /* submit supported hash algorithms for signature authentication */
- if (!this->old_sa)
+ if (!this->old_sa && this->signature_authentication)
 {
 if (this->initiator ||
 this->ike_sa->supports_extension(this->ike_sa,
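Review bot: The new charon.opt entry does not say what happens when the option is turned off, even though the commit message itself limits the switch to testing. Without RFC 7427 negotiation the peers fall back to the classic IKEv2 authentication methods of RFC 7296 (for RSA keys that is a PKCS#1 v1.5 signature over SHA-1), which is the weaker path an operator should know they are selecting. Consider extending the description to `Whether to enable Signature Authentication as per RFC 7427. Disabling it falls back to the classic RFC 7296 authentication methods (e.g. RSA with SHA-1) and is mainly intended for testing.`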
@@ -305,7 +310,10 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 EXT_IKE_FRAGMENTATION);
 break;
 case SIGNATURE_HASH_ALGORITHMS:
- handle_supported_hash_algorithms(this, notify);
+ if (this->signature_authentication)
+ {
+ handle_supported_hash_algorithms(this, notify);
+ }
 break;
 default:
 /* other notifies are handled elsewhere */
@@ -716,6 +724,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 .dh_group = MODP_NONE,
 .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
 .old_sa = old_sa,
+ .signature_authentication = lib->settings->get_bool(lib->settings,
+ "%s.signature_authentication", TRUE, lib->ns),
 );
 if (initiator)
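Review bot: A received SIGNATURE_HASH_ALGORITHMS notify is now dropped without any trace when signature authentication is disabled, so an operator debugging a peer that unexpectedly ends up on the classic authentication path finds nothing in the log to explain it. Making the skip observable costs one line in the new branch: `else { DBG2(DBG_IKE, "ignoring SIGNATURE_HASH_ALGORITHMS notify, signature authentication disabled"); }`. Presumably not calling handle_supported_hash_algorithms() is what keeps the extension from being enabled on the IKE_SA, but that function's body is outside the hunk, as is the rest of process_payloads().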