path: root/src/libcharon/encoding/payloads
Commit message | Author | Age | Files | Lines
* encoding: Remove DH public value verification from KE payload | Martin Willi | 2015-03-23 | 1 | -73/+0
  This commit reverts 84738b1a and 2ed5f569. As we have no DH group available in the KE payload for IKEv1, the verification can't work in that stage. Instead, we now verify DH groups in the DH backends, which works for any IKE version or any other purpose.
* diffie-hellman: Add a bool return value to get_my_public_value() | Martin Willi | 2015-03-23 | 1 | -2/+8
* encoding: Allow ke_payload_create_from_diffie_hellman() to fail | Martin Willi | 2015-03-23 | 1 | -1/+1
* encoding: Add getter for IKE SPIs in IKEv1 DELETE payloads | Tobias Brunner | 2015-03-23 | 2 | -0/+25
* encoding: Don't verify length of IKEv1 KE payloads | Tobias Brunner | 2015-03-20 | 1 | -0/+6
  The verification introduced with 84738b1aed95 ("encoding: Verify the length of KE payload data for known groups") can't be done for IKEv1 as the KE payload does not contain the DH group.
* encoding: Verify the length of KE payload data for known groups | Martin Willi | 2015-03-18 | 1 | -0/+67
  IKE is very strict in the length of KE payloads, and it should be safe to strictly verify their length. Not doing so is no direct threat, but allows DDoS amplification by sending short KE payloads for large groups using the target as the source address.
* ikev2: Add SIGNATURE_HASH_ALGORITHMS notify payload | Tobias Brunner | 2015-03-04 | 2 | -6/+18
* ike: Allow creation of internally used payloads | Tobias Brunner | 2014-12-12 | 1 | -1/+1
  Since 42e0a317c64b ("ike: Only parse payloads valid for the current IKE version") payload types are checked before creating objects. This check failed for internally used payload types (e.g. proposal substructures), which have a type >= 256, i.e. outside the IKE payload type range.
* ikev1: Use same map for AH and ESP authentication algorithms | Tobias Brunner | 2014-12-09 | 1 | -152/+120
  The transform identifier used in AH transforms is not the same as the authentication algorithm identifier used in the transform attributes in AH (and ESP) transforms.
* ikev1: Accept IPComp proposals with 4 octet long CPI values | Tobias Brunner | 2014-12-05 | 1 | -2/+2
  While they SHOULD be sent as 16-bit values according to RFC 3173, a responder MUST be able to accept CPI values encoded in four bytes.
* ike: Only parse payloads valid for the current IKE version | Tobias Brunner | 2014-12-05 | 1 | -0/+1
* ike: Make check for known payloads depend on IKE version | Tobias Brunner | 2014-12-05 | 2 | -24/+39
* id-payload: Enable multiple calls to get_ts() for subnet traffic selectors | Tobias Brunner | 2014-12-05 | 1 | -2/+5
  The second call resulted in a /32 subnet previously.
* ikev2: Add encrypted fragment payload | Tobias Brunner | 2014-10-10 | 4 | -12/+454
* encrypted_payload: Encrypted payload can be constructed from plaintext | Tobias Brunner | 2014-10-10 | 2 | -0/+38
* encrypted_payload: Expose generate() to generate the plaintext | Tobias Brunner | 2014-10-10 | 2 | -1/+17
* encrypted_payload: Extract some utility functions | Tobias Brunner | 2014-10-10 | 1 | -74/+110
* ikev2: Add notify for IKEv2 fragmentation | Tobias Brunner | 2014-10-10 | 2 | -7/+15
* ike: Rename encryption_payload to encrypted_payload | Tobias Brunner | 2014-10-10 | 4 | -84/+80
* encoding: Accept all exchange types for non IKEv1/IKEv2 major versions | Martin Willi | 2014-09-22 | 1 | -5/+11
* ikev1: Log IV when encrypting messages | Tobias Brunner | 2014-09-12 | 1 | -0/+1
* ikev1: Skip unusable IPComp proposals | Tobias Brunner | 2014-09-12 | 1 | -1/+1
  Fixes #661.
* ikev1: Properly handle different proposal numbering schemes | Tobias Brunner | 2014-09-12 | 1 | -5/+10
  While the examples in RFC 2408 show proposal numbers starting at 1 and increasing by one for each subsequent proposal, this is not mandatory. Actually, IKEv1 proposals may start at any number; the only requirement is that the proposal numbers increase monotonically, they don't have to do so consecutively. Most implementations follow the examples and start numbering at 1 (charon, racoon, Shrew, Cisco, Windows XP, FRITZ!Box), but pluto was one of the implementations that started with 0 and there might be others out there. The previous assumption that implementations always start numbering proposals at 0 caused problems with clients that start numbering with 1 and whose first proposal consists of multiple protocols (e.g. ESP+IPComp). Fixes #661.
* payload: Use common prefixes for all payload type identifiers | Martin Willi | 2014-06-04 | 40 | -296/+296
  The old identifiers did not use a proper namespace and often clashed with other defines.
* ikev1: Accept SPI size of any length <= 16 in ISAKMP proposal | Tobias Brunner | 2014-03-31 | 1 | -4/+12
  Fixes #533.
* ike: Support encoding of attribute certificates in CERT payloads | Martin Willi | 2014-03-31 | 1 | -1/+6
* Added IFOM_CAPABILITY notify message type | Andreas Steffen | 2013-11-01 | 2 | -6/+10
* iv_gen: Provide external sequence number (IKE, ESP) | Tobias Brunner | 2013-10-11 | 2 | -4/+6
  This prevents duplicate sequential IVs in case of a HA failover.
* ikev2: Use IV generator to encrypt encrypted payload | Tobias Brunner | 2013-10-11 | 1 | -1/+9
* ikev1: Support parsing of AH+IPComp proposals | Martin Willi | 2013-10-11 | 1 | -9/+11
* ikev1: Support en-/decoding of SA payloads with AH algorithms | Martin Willi | 2013-10-11 | 1 | -31/+99
* Fix crash if the initiator has no suitable proposal available | Tobias Brunner | 2013-06-21 | 1 | -0/+5
  Could be triggered with a typo in the ike or esp options when ! is used.
* proposals: try next if IKEv2 algorithm could not be mapped to IKEv1 | Martin Willi | 2013-05-06 | 1 | -2/+4
* added ERX_SUPPORTED IKEv2 Notify | Andreas Steffen | 2013-03-02 | 2 | -7/+11
* Don't reject OPAQUE ports while verifying traffic selector substructure | Martin Willi | 2013-02-21 | 1 | -1/+5
* Merge branch 'ikev1-fragmentation' | Tobias Brunner | 2013-01-12 | 4 | -11/+342
  This adds support for the proprietary IKEv1 fragmentation extension.
  Conflicts: NEWS
* Add support to create IKE fragments | Tobias Brunner | 2012-12-24 | 2 | -0/+30
  All fragments currently use the same fragment ID (1) as that's what other implementations are doing.
* Payload added to handle IKE fragments | Tobias Brunner | 2012-12-24 | 4 | -11/+312
* Don't use bio_writer_t.skip() to write length field when appending more data | Martin Willi | 2013-01-11 | 1 | -4/+4
  If the writer reallocates its buffer, the length pointer might not be valid anymore, or even worse, point to an arbitrary allocation.
* IKEv1 support for PKCS#7 wrapped certificates | Volker Rümelin | 2013-01-11 | 2 | -0/+26
* Fixed some typos in comments | Volker Rümelin | 2013-01-11 | 2 | -4/+4
* Fixed some typos, courtesy of codespell | Tobias Brunner | 2012-12-20 | 1 | -1/+1
* Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier | Volker Rümelin | 2012-12-19 | 7 | -54/+88
  This adds support for early versions of the draft that eventually resulted in RFC 3947.
* Moved data structures to new collections subfolder | Tobias Brunner | 2012-10-24 | 14 | -14/+14
* Moved host_t and host_resolver_t to a new networking subfolder | Tobias Brunner | 2012-10-24 | 1 | -1/+1
* Correctly initialize payload length of encrypted payload | Tobias Brunner | 2012-09-28 | 1 | -1/+1
* Added method to enumerate EAP types contained in an EAP-Nak | Tobias Brunner | 2012-08-31 | 2 | -11/+79
* Encode EAP-Naks in expanded format if we got an expanded type request | Tobias Brunner | 2012-08-31 | 2 | -2/+15
  Since methods defined by the IETF (vendor ID 0) could also be encoded in expanded type format, the previous check was insufficient.
* Allow clients to request a configured EAP method via EAP-Nak | Tobias Brunner | 2012-08-31 | 2 | -2/+11
* Send EAP-Nak with supported types if requested type is unsupported | Tobias Brunner | 2012-08-31 | 2 | -6/+71