Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | message: Limit maximum number of IKEv2 fragments | Tobias Brunner | 2014-10-10 | 1 | -1/+11 |
| | | | | | | | | The maximum for IKEv1 is already 255 due to the 8-bit fragment number. With an overhead of 17 bytes (x64) per fragment and a default maximum of 10000 bytes per packet the maximum memory required is 14 kB for a fragmented message. | ||||
* | packet: Define a global default maximum size for IKE packets | Tobias Brunner | 2014-10-10 | 1 | -6/+1 |
| | |||||
* | message: Ensure a minimum fragment length | Tobias Brunner | 2014-10-10 | 1 | -8/+18 |
| | |||||
* | message: Fragment and reassemble IKEv2 messages | Tobias Brunner | 2014-10-10 | 1 | -128/+366 |
| | |||||
* | message: Handle encrypted fragment payload similar to the encrypted payload | Tobias Brunner | 2014-10-10 | 1 | -16/+91 |
| | |||||
* | message: Split generate() in multiple functions | Tobias Brunner | 2014-10-10 | 1 | -67/+122 |
| | |||||
* | ikev1: Move defragmentation to message_t | Tobias Brunner | 2014-10-10 | 1 | -2/+194 |
| | |||||
* | message: fragment() generates message and fragments and caches them | Tobias Brunner | 2014-10-10 | 1 | -20/+71 |
| | |||||
* | message: Make packet argument optional in generate() | Tobias Brunner | 2014-10-10 | 1 | -1/+4 |
| | |||||
* | ikev1: Move fragment generation to message_t | Tobias Brunner | 2014-10-10 | 1 | -1/+105 |
| | |||||
* | ike: Rename encryption_payload to encrypted_payload | Tobias Brunner | 2014-10-10 | 1 | -13/+13 |
| | |||||
* | ikev1: Don't cache last block of INFORMATIONAL messages as IV | Tobias Brunner | 2014-09-12 | 1 | -2/+2 |
| | | | | | | | | | We don't expect a response with the same MID, but apparently some devices (e.g. FRITZ!Box) do that for DPDs, while still treating the response as a new exchange. By storing the last message block as IV we can't decrypt the first block of such a response. Fixes #661. | ||||
* | payload: Use common prefixes for all payload type identifiers | Martin Willi | 2014-06-04 | 1 | -367/+367 |
| | | | | | The old identifiers did not use a proper namespace and often clashed with other defines. | ||||
* | ikev1: Add an option to accept unencrypted ID/HASH payloads | Martin Willi | 2014-04-17 | 1 | -1/+20 |
| | | | | | | | | | Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in unencrypted form, probably to allow PSK lookup based on the ID payloads. We by default reject that, but accept it if the charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf. Initial patch courtesy of Paul Stewart. | ||||
* | iv_gen: Provide external sequence number (IKE, ESP) | Tobias Brunner | 2013-10-11 | 1 | -1/+1 |
| | | | | This prevents duplicate sequential IVs in case of a HA failover. | ||||
* | ikev1: Accept more than two certificate payloads | Martin Willi | 2013-10-11 | 1 | -2/+2 |
| | |||||
* | message: print type of configuration payload | Martin Willi | 2013-09-03 | 1 | -1/+21 |
| | |||||
* | message: print attributes for IKEv1 configuration payloads as well | Martin Willi | 2013-09-03 | 1 | -1/+2 |
| | |||||
* | linked-list: Remove barely used has_more() method | Tobias Brunner | 2013-07-17 | 1 | -83/+105 |
| | | | | | | | | This required some refactoring when handling encrypted payloads. Also changed log messages so that "encrypted payload" is logged instead of "encryption payload" (even if we internally still call it that) as that's the name used in RFC 5996. | ||||
* | Allow up to 10 NAT-D payloads in IKEv1 messages | Tobias Brunner | 2013-03-20 | 1 | -1/+1 |
| | |||||
* | Allow more than one CERTREQ payload for IKEv2 | Tobias Brunner | 2013-02-08 | 1 | -2/+2 |
| | | | | | | There is no reason not to do so (RFC 5996 explicitly mentions multiple CERTREQ payloads) and some implementations seem to use the same behavior as had to be used with IKEv1 (i.e. each CA in its own CERTREQ payload). | ||||
* | Add message rules to properly handle IKE fragments | Tobias Brunner | 2012-12-24 | 1 | -0/+8 |
| | | | | | These are sent in unencrypted messages and are the only payload contained in such messages. | ||||
* | Reset the encrypted flag when handling IKE messages that contain a fragment | Tobias Brunner | 2012-12-24 | 1 | -0/+6 |
| | | | | | Racoon sets the encrypted bit for messages containing a fragment, but these messages are not really encrypted (the fragmented message is though). | ||||
* | Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier | Volker Rümelin | 2012-12-19 | 1 | -0/+12 |
| | | | | | This adds support for early versions of the draft that eventually resulted in RFC 3947. | ||||
* | Increase the limit of acceptable IKEv1 CERTREQ payloads to 20 | Martin Willi | 2012-10-24 | 1 | -1/+1 |
| | |||||
* | Don't print hexdumps on loglevel 1 if hash verification fails | Martin Willi | 2012-07-20 | 1 | -3/+3 |
| | |||||
* | Cleaned up memory management and return values for encryption payload | Martin Willi | 2012-07-16 | 1 | -14/+11 |
| | |||||
* | Add a return value to keymat_v1_t.{get,update,confirm}_iv | Martin Willi | 2012-07-16 | 1 | -9/+36 |
| | |||||
* | Use a bool return value in keymat_v1_t.get_hash_phase2() | Martin Willi | 2012-07-16 | 1 | -4/+2 |
| | |||||
* | Store the major IKE version on ike_sa_id_t. | Tobias Brunner | 2012-03-20 | 1 | -0/+1 |
| | |||||
* | Print IKEv1 notify types in message summary | Martin Willi | 2012-03-20 | 1 | -1/+2 |
| | |||||
* | Support IKEv1 notifies in message_t.get_notify() | Martin Willi | 2012-03-20 | 1 | -1/+2 |
| | |||||
* | Accept unencrypted Aggressive Mode messages. | Tobias Brunner | 2012-03-20 | 1 | -1/+2 |
| | | | | Racoon does not encrypt the third message during Aggressive Mode. | ||||
* | Encrypt payloads of third aggressive mode message | Martin Willi | 2012-03-20 | 1 | -3/+3 |
| | |||||
* | Cast keymat safely, not based on external input | Martin Willi | 2012-03-20 | 1 | -36/+44 |
| | |||||
* | Accept NULL as keymat when generating a message | Martin Willi | 2012-03-20 | 1 | -4/+10 |
| | |||||
* | Separated libcharon/sa directory with ikev1 and ikev2 subfolders | Martin Willi | 2012-03-20 | 1 | -1/+1 |
| | |||||
* | Another set of cleanups in message.c | Martin Willi | 2012-03-20 | 1 | -18/+19 |
| | |||||
* | Some coding style cleanups | Martin Willi | 2012-03-20 | 1 | -3/+6 |
| | |||||
* | Do not trust unprotected INFORMATIONALS, just print that we got one | Martin Willi | 2012-03-20 | 1 | -13/+18 |
| | |||||
* | Remove executable flag from source code files | Martin Willi | 2012-03-20 | 1 | -0/+0 |
| | |||||
* | Encrypt INFORMATIONAL exchange if needed | Clavister OpenSource | 2012-03-20 | 1 | -11/+22 |
| | |||||
* | Handle incoming delete messages | Clavister OpenSource | 2012-03-20 | 1 | -0/+25 |
| | |||||
* | certificate handling for XAuth responder. | Clavister OpenSource | 2012-03-20 | 1 | -2/+2 |
| | |||||
* | IKEv1: Added basic support for INFORMATIONAL exchange types, and for ↵ | Clavister OpenSource | 2012-03-20 | 1 | -9/+13 |
| | | | | NOTIFY_V1 messages in the 3rd message in quick_mode. | ||||
* | Message rules for IKEv1 NAT-T payloads added. | Tobias Brunner | 2012-03-20 | 1 | -0/+17 |
| | |||||
* | Added payloads for IKEv1 NAT-Traversal negotiation. | Tobias Brunner | 2012-03-20 | 1 | -1/+1 |
| | |||||
* | Handle invalid IKEv1 hashes more specifically. | Tobias Brunner | 2012-03-20 | 1 | -1/+1 |
| | |||||
* | Handle unsupported IKEv1 exchange types more specifically. | Tobias Brunner | 2012-03-20 | 1 | -1/+1 |
| | |||||
* | Handle INFORMATIONAL_V1 messages when no keys have been derived yet. | Tobias Brunner | 2012-03-20 | 1 | -2/+3 |
| | | | | | | | | This allows to gracefully process the INFORMATIONAL_V1 message rules which require the payloads to be encrypted and thus the exchange to be authenticated with a HASH payload. If such an exchange is now initiated before the ISAKMP_SA is established, the message is simply sent unencrypted and without HASH payload. |