I've noticed that many IKEv2/IPsec clients that rely on EAP-AKA authentication 
do not send the EAP_ONLY_AUTHENTICATION notification payload to the responder, 
even though RFC 5998 requires it in order to avoid the need to exchange 
certificates.

In particular, I have seen this behaviour in commercially available mobile 
phones from major brands. (I have captured this in pcaps and strongSwan logs, 
but NDAs prevent me from posting that here.) Basically, the extended feature 
makes strongSwan act as if the phone client (initiator) had indeed sent an 
EAP_ONLY_AUTHENTICATION payload in its IKE_AUTH MID=01 Initiator Request 
message. 

A while ago I wrote a feature-extending patch (activated by a new charon yes/no 
key) but haven't gotten around to feeding it back to the community until now. I 
have, for your benefit, ported it to/branched it out from strongSwan v5.8.4, which 
as of writing is the latest release. I included the MIT X11 license text in the 
patch (I agree to those conditions) but leave it to the strongSwan maintainers to 
judge whether my contribution is non-trivial or not if/when merging my patch into 
master =o)

------------------------

From 1fd237e646527e78f89a9cef492767f9f4f7a22f Mon Sep 17 00:00:00 2001
From: Thomas Strangert <[email protected]>
Date: Fri, 3 Apr 2020 18:03:00 +0200
Subject: [PATCH] Add key "charon.eap_only_authentication_peer_implied" to
 allow peers to do an EAP-only authentication without actually sending the RFC
 5998 EAP_ONLY_AUTHENTICATION notification to the responder.

---
 conf/options/charon.opt                 |  4 ++
 src/libcharon/sa/ikev2/tasks/ike_auth.c | 50 ++++++++++++++++++++++---
 2 files changed, 49 insertions(+), 5 deletions(-)

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index d9d98ef9c..829298b4d 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -106,6 +106,10 @@ charon.dns2
 charon.dos_protection = yes
        Enable Denial of Service protection using cookies and aggressiveness 
checks.
 
+charon.eap_only_authentication_peer_implied = no
+       Imply that an RFC 5998 EAP_ONLY_AUTHENTICATION notification was received
+       from the peer, eliminating the need for IKEv2 certificates when using 
EAP.
+
 charon.ecp_x_coordinate_only = yes
        Compliance with the errata for RFC 4753.
 
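Review bot: the option text should state the scope and the precondition this setting carries. It is a global charon setting, so once set to yes the responder treats every EAP-authenticated peer as if it had sent EAP_ONLY_AUTHENTICATION, and RFC 5998 (Section 4) only permits EAP-only authentication with mutually authenticating, key-generating EAP methods such as EAP-AKA. Suggest a second sentence along the lines of "Applies to all connections using EAP; only use with mutually authenticating EAP methods as required by RFC 5998." so an administrator enabling it understands which peer capability check is being waived.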
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 6448d8baa..54db81968 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -15,6 +15,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2020 Thomas Strangert (Emblasoft Systems AB)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "ike_auth.h"
 
 #include <string.h>
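Review bot: the added MIT block sits directly after the file's existing license header (the "for more details." context line is its tail), leaving ike_auth.c with two different license texts and no statement of how they relate. Since the cover letter already leaves the licensing decision to the maintainers, suggest reducing this to a single "Copyright (C) 2020 Thomas Strangert (Emblasoft Systems AB)" line alongside the existing copyright lines and stating the MIT grant in the commit message instead, so the file keeps one license header.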
@@ -145,6 +167,15 @@ static bool multiple_auth_enabled()
                                                                   
"%s.multiple_authentication", TRUE, lib->ns);
 }
 
+/**
+ * check if eap only authentication extension is always implied, 
configuration-wise
+ */
+static bool eap_only_authentication_peer_implied()
+{
+       return lib->settings->get_bool(lib->settings, 
+                                                       
"%s.eap_only_authentication_peer_implied", FALSE, lib->ns);
+}
+
 /**
  * collect the needed information in the IKE_SA_INIT exchange from our message
  */
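Review bot: the doc comment on eap_only_authentication_peer_implied() should say what its result is used for, since it gates a protocol check. "check if eap only authentication extension is always implied, configuration-wise" does not tell the reader that a TRUE return makes build_r skip verifying that the peer announced EXT_EAP_ONLY_AUTHENTICATION; suggest "/** whether to treat every peer as having sent the RFC 5998 EAP_ONLY_AUTHENTICATION notification (skips the peer capability check in build_r) */". The body mirrors multiple_auth_enabled() directly above it, so the settings lookup itself is fine.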
@@ -1006,12 +1037,21 @@ METHOD(task_t, build_r, status_t,
 
                if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == 
AUTH_CLASS_EAP)
                {       /* EAP-only authentication */
-                       if (!this->ike_sa->supports_extension(this->ike_sa,
-                                                                               
                  EXT_EAP_ONLY_AUTHENTICATION))
+                       if ( eap_only_authentication_peer_implied() )
                        {
-                               DBG1(DBG_IKE, "configured EAP-only 
authentication, but peer "
-                                        "does not support it");
-                               goto peer_auth_failed;
+                               DBG1(DBG_IKE, "allowing peer to do EAP-only "
+                                        "authentication, RFC 5998 "
+                                        "EAP_ONLY_AUTHENTICATION notification 
implied");
+                       }
+                       else
+                       {
+                               if 
(!this->ike_sa->supports_extension(this->ike_sa,
+                                                                               
                          EXT_EAP_ONLY_AUTHENTICATION))
+                               {
+                                       DBG1(DBG_IKE, "configured EAP-only 
authentication, but peer "
+                                                "does not support it");
+                                       goto peer_auth_failed;
+                               }
                        }
                }
                else
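Review bot: the implied branch only skips the check and leaves the IKE_SA's extension state untouched, so any other code that consults supports_extension(this->ike_sa, EXT_EAP_ONLY_AUTHENTICATION) for this SA will still see the extension as unsupported. Consider calling ike_sa_t's enable_extension (the counterpart of the supports_extension call in this hunk) with EXT_EAP_ONLY_AUTHENTICATION in the implied branch, so the SA state stays the single source of truth; the nested if/else then flattens to the original single `if (!this->ike_sa->supports_extension(...))` placed after that call, keeping the "peer does not support it" failure path unchanged. Minor style: `if ( eap_only_authentication_peer_implied() )` uses inner spaces that the surrounding code does not.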
-- 
2.21.0.windows.1
