path: root/src/libcharon/encoding
Commit message [Author, Age, Files, Lines]
* message: Limit maximum number of IKEv2 fragments [Tobias Brunner, 2014-10-10, 1 file, -1/+11]
    The maximum for IKEv1 is already 255 due to the 8-bit fragment number. With an overhead of 17 bytes (x64) per fragment and a default maximum of 10000 bytes per packet, the maximum memory required is 14 kB for a fragmented message.
* packet: Define a global default maximum size for IKE packets [Tobias Brunner, 2014-10-10, 1 file, -6/+1]
* message: Ensure a minimum fragment length [Tobias Brunner, 2014-10-10, 1 file, -8/+18]
* message: Fragment and reassemble IKEv2 messages [Tobias Brunner, 2014-10-10, 2 files, -133/+366]
* message: Handle encrypted fragment payload similar to the encrypted payload [Tobias Brunner, 2014-10-10, 1 file, -16/+91]
* ikev2: Add encrypted fragment payload [Tobias Brunner, 2014-10-10, 4 files, -12/+454]
* encrypted_payload: Encrypted payload can be constructed from plaintext [Tobias Brunner, 2014-10-10, 2 files, -0/+38]
* encrypted_payload: Expose generate() to generate the plaintext [Tobias Brunner, 2014-10-10, 2 files, -1/+17]
* encrypted_payload: Extract some utility functions [Tobias Brunner, 2014-10-10, 1 file, -74/+110]
* message: Split generate() in multiple functions [Tobias Brunner, 2014-10-10, 1 file, -67/+122]
* ikev2: Add notify for IKEv2 fragmentation [Tobias Brunner, 2014-10-10, 2 files, -7/+15]
* ikev1: Move defragmentation to message_t [Tobias Brunner, 2014-10-10, 2 files, -2/+224]
* message: fragment() generates message and fragments and caches them [Tobias Brunner, 2014-10-10, 2 files, -27/+98]
* message: Make packet argument optional in generate() [Tobias Brunner, 2014-10-10, 1 file, -1/+4]
* ikev1: Move fragment generation to message_t [Tobias Brunner, 2014-10-10, 2 files, -2/+125]
* ike: Rename encryption_payload to encrypted_payload [Tobias Brunner, 2014-10-10, 7 files, -99/+95]
* encoding: Accept all exchange types for non IKEv1/IKEv2 major versions [Martin Willi, 2014-09-22, 1 file, -5/+11]
* ikev1: Don't cache last block of INFORMATIONAL messages as IV [Tobias Brunner, 2014-09-12, 1 file, -2/+2]
    We don't expect a response with the same MID, but apparently some devices (e.g. FRITZ!Box) do that for DPDs, while still treating the response as a new exchange. By storing the last message block as IV we can't decrypt the first block of such a response. Fixes #661.
* ikev1: Log IV when encrypting messages [Tobias Brunner, 2014-09-12, 1 file, -0/+1]
* ikev1: Skip unusable IPComp proposals [Tobias Brunner, 2014-09-12, 1 file, -1/+1]
    Fixes #661.
* ikev1: Properly handle different proposal numbering schemes [Tobias Brunner, 2014-09-12, 1 file, -5/+10]
    While the examples in RFC 2408 show proposal numbers starting at 1 and increasing by one for each subsequent proposal, this is not mandatory. Actually, IKEv1 proposals may start at any number; the only requirement is that the proposal numbers increase monotonically, they don't have to do so consecutively. Most implementations follow the examples and start numbering at 1 (charon, racoon, Shrew, Cisco, Windows XP, FRITZ!Box) but pluto was one of the implementations that started with 0 and there might be others out there. The previous assumption that implementations always start numbering proposals at 0 caused problems with clients that start numbering with 1 and whose first proposal consists of multiple protocols (e.g. ESP+IPComp). Fixes #661.
* encoding: Don't explicitly include <arpa/inet.h> [Martin Willi, 2014-06-04, 2 files, -2/+0]
* payload: Use common prefixes for all payload type identifiers [Martin Willi, 2014-06-04, 43 files, -681/+681]
    The old identifiers did not use a proper namespace and often clashed with other defines.
* ikev1: Add an option to accept unencrypted ID/HASH payloads [Martin Willi, 2014-04-17, 1 file, -1/+20]
    Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in unencrypted form, probably to allow PSK lookup based on the ID payloads. We by default reject that, but accept it if the charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf. Initial patch courtesy of Paul Stewart.
* ikev1: Accept SPI size of any length <= 16 in ISAKMP proposal [Tobias Brunner, 2014-03-31, 1 file, -4/+12]
    Fixes #533.
* ike: Support encoding of attribute certificates in CERT payloads [Martin Willi, 2014-03-31, 1 file, -1/+6]
* Added IFOM_CAPABILITY notify message type [Andreas Steffen, 2013-11-01, 2 files, -6/+10]
* iv_gen: Provide external sequence number (IKE, ESP) [Tobias Brunner, 2013-10-11, 3 files, -5/+7]
    This prevents duplicate sequential IVs in case of a HA failover.
* ikev2: Use IV generator to encrypt encrypted payload [Tobias Brunner, 2013-10-11, 1 file, -1/+9]
* ikev1: Support parsing of AH+IPComp proposals [Martin Willi, 2013-10-11, 1 file, -9/+11]
* ikev1: Accept more than two certificate payloads [Martin Willi, 2013-10-11, 1 file, -2/+2]
* ikev1: Support en-/decoding of SA payloads with AH algorithms [Martin Willi, 2013-10-11, 1 file, -31/+99]
* message: print type of configuration payload [Martin Willi, 2013-09-03, 1 file, -1/+21]
* message: print attributes for IKEv1 configuration payloads as well [Martin Willi, 2013-09-03, 1 file, -1/+2]
* Fix various API doc issues and typos [Tobias Brunner, 2013-07-18, 1 file, -5/+5]
    Partially based on an old patch by Adrian-Ken Rueegsegger.
* linked-list: Remove barely used has_more() method [Tobias Brunner, 2013-07-17, 1 file, -83/+105]
    This required some refactoring when handling encrypted payloads. Also changed log messages so that "encrypted payload" is logged instead of "encryption payload" (even if we internally still call it that) as that's the name used in RFC 5996.
* Fix crash if the initiator has no suitable proposal available [Tobias Brunner, 2013-06-21, 1 file, -0/+5]
    Could be triggered with a typo in the ike or esp options when ! is used.
* proposals: try next if IKEv2 algorithm could not be mapped to IKEv1 [Martin Willi, 2013-05-06, 1 file, -2/+4]
* Allow up to 10 NAT-D payloads in IKEv1 messages [Tobias Brunner, 2013-03-20, 1 file, -1/+1]
* added ERX_SUPPORTED IKEv2 Notify [Andreas Steffen, 2013-03-02, 2 files, -7/+11]
* Merge branch 'opaque-ports' [Martin Willi, 2013-03-01, 1 file, -1/+5]
    Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
  * Don't reject OPAQUE ports while verifying traffic selector substructure [Martin Willi, 2013-02-21, 1 file, -1/+5]
* Allow more than one CERTREQ payload for IKEv2 [Tobias Brunner, 2013-02-08, 1 file, -2/+2]
    There is no reason not to do so (RFC 5996 explicitly mentions multiple CERTREQ payloads) and some implementations seem to use the same behavior as had to be used with IKEv1 (i.e. each CA in its own CERTREQ payload).
* Merge branch 'ikev1-fragmentation' [Tobias Brunner, 2013-01-12, 5 files, -11/+356]
    This adds support for the proprietary IKEv1 fragmentation extension.
    Conflicts:
        NEWS
  * Add support to create IKE fragments [Tobias Brunner, 2012-12-24, 2 files, -0/+30]
      All fragments currently use the same fragment ID (1) as that's what other implementations are doing.
  * Add message rules to properly handle IKE fragments [Tobias Brunner, 2012-12-24, 1 file, -0/+8]
      These are sent in unencrypted messages and are the only payload contained in such messages.
  * Reset the encrypted flag when handling IKE messages that contain a fragment [Tobias Brunner, 2012-12-24, 1 file, -0/+6]
      Racoon sets the encrypted bit for messages containing a fragment, but these messages are not really encrypted (the fragmented message is though).
  * Payload added to handle IKE fragments [Tobias Brunner, 2012-12-24, 4 files, -11/+312]
* Don't use bio_writer_t.skip() to write length field when appending more data [Martin Willi, 2013-01-11, 1 file, -4/+4]
    If the writer reallocates its buffer, the length pointer might not be valid anymore, or even worse, point to an arbitrary allocation.
* IKEv1 support for PKCS#7 wrapped certificates [Volker Rümelin, 2013-01-11, 2 files, -0/+26]