| Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in |
| unencrypted form, probably to allow PSK lookup based on the ID payloads. We |
| by default reject that, but accept it if the |
| charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf. |
| |
| Initial patch courtesy of Paul Stewart. |
| |
| diff -ru strongswan-5.0.2-orig/src/libcharon/encoding/message.c strongswan-5.0.2/src/libcharon/encoding/message.c |
| --- strongswan-5.0.2-orig/src/libcharon/encoding/message.c 2014-04-17 10:43:46.814017374 -0700 |
| +++ strongswan-5.0.2/src/libcharon/encoding/message.c 2014-04-17 11:00:05.237621496 -0700 |
| @@ -1816,6 +1816,24 @@ |
| return SUCCESS; |
| } |
| |
| + /** |
| + * Do we accept unencrypted ID/HASH payloads in Main Mode, as seen from |
| + * some SonicWall boxes? |
| + */ |
| +static bool accept_unencrypted_mm(private_message_t *this, payload_type_t type) |
| +{ |
| + if (this->exchange_type == ID_PROT) |
| + { |
| + if (type == ID_V1 || type == HASH_V1) |
| + { |
| + return lib->settings->get_bool(lib->settings, |
| + "charon.accept_unencrypted_mainmode_messages", |
| + FALSE); |
| + } |
| + } |
| + return FALSE; |
| +} |
| + |
| /** |
| * Decrypt payload from the encryption payload |
| */ |
| @@ -1935,7 +1953,8 @@ |
| this->exchange_type != AGGRESSIVE) |
| { |
| rule = get_payload_rule(this, type); |
| - if (!rule || rule->encrypted) |
| + if (!rule || rule->encrypted && |
| + !accept_unencrypted_mm(this, type)) |
| { |
| DBG1(DBG_ENC, "payload type %N was not encrypted", |
| payload_type_names, type); |