| Graph | Commit message | Description | Author | Date | Files | Lines |
|---|---|---|---|---|---|---|
| * | treat EAP identities as user IDs | | Andreas Steffen | 2013-02-12 | 1 | -3/+3 |
| * | make TNC client authentication type available to IMVs | | Andreas Steffen | 2013-02-12 | 9 | -27/+204 |
| * | determine underlying IF-T transport protocol | | Andreas Steffen | 2013-02-12 | 10 | -62/+184 |
| * | make AR identities available to IMVs via IF-IMV 1.4 draft | | Andreas Steffen | 2013-02-11 | 5 | -0/+146 |
| * | Make IKE/EAP IDs available to TNC server/client | | Andreas Steffen | 2013-02-11 | 8 | -24/+81 |
| * | Allow more than one CERTREQ payload for IKEv2 | There is no reason not to do so (RFC 5996 explicitly mentions multiple CERTREQ payloads) and some implementations seem to use the same behavior as had to be used with IKEv1 (i.e. each CA in its own CERTREQ payload). | Tobias Brunner | 2013-02-08 | 1 | -2/+2 |
| * | Use proper buffer sizes for parse_smartcard() | | Tobias Brunner | 2013-01-24 | 1 | -7/+10 |
| * | Removed unused command name when printing usage info for lookip | | Tobias Brunner | 2013-01-24 | 1 | -1/+1 |
| * | Fix check-in of IKE_SA when IKE_SA_INIT fails and hash table is enabled | Setting the responder SPI to 0 can only be done while generating the response, otherwise we'd fail to check in the IKE_SA again in case the hash table is enabled. That's because we use the responder SPI as hash value since 5.0.0. | Tobias Brunner | 2013-01-24 | 1 | -2/+13 |
| * | Avoid a deadlock when installing a trap policy failed | | Tobias Brunner | 2013-01-23 | 1 | -1/+5 |
| * | Fix IKE SA inherit API doc | | Adrian-Ken Rueegsegger | 2013-01-22 | 1 | -2/+1 |
| * | Filter TS list for Split-Includes before printing them to debug log | | Martin Willi | 2013-01-21 | 1 | -10/+34 |
| * | Properly send IKEv1 packets if no ike_cfg is known yet | This applies for error notifies. | Tobias Brunner | 2013-01-14 | 1 | -2/+5 |
| * | Don't handle right=%any6 as "loose" identity, but as %any | | Martin Willi | 2013-01-14 | 1 | -2/+1 |
| * | Merge branch 'ikev1-fragmentation' | This adds support for the proprietary IKEv1 fragmentation extension. Conflicts: NEWS | Tobias Brunner | 2013-01-12 | 25 | -55/+832 |
| \| * | Added an option to configure the maximum size of a fragment | | Tobias Brunner | 2013-01-12 | 1 | -3/+10 |
| \| * | Properly detect fragmentation capabilities | Cisco sends 0xc0000000 so we check that part of the VID separately. | Tobias Brunner | 2013-01-12 | 1 | -3/+27 |
| \| * | Added an option that allows forcing IKEv1 fragmentation | | Tobias Brunner | 2013-01-12 | 12 | -19/+43 |
| \| * | Use a connection specific option to en-/disable IKEv1 fragmentation | | Tobias Brunner | 2012-12-24 | 13 | -25/+47 |
| \| * | Include source port in init hash for fragmented messages | | Tobias Brunner | 2012-12-24 | 1 | -1/+8 |
| \| * | Add an option to en-/disable IKE fragmentation | Fragments are always accepted but will not be sent if disabled. The vendor ID is only sent if the option is enabled. | Tobias Brunner | 2012-12-24 | 2 | -5/+20 |
| \| * | Split larger messages into fragments if IKE fragmentation is supported by peer | | Tobias Brunner | 2012-12-24 | 1 | -14/+114 |
| \| * | Log message size for in- and outbound IKE messages | | Tobias Brunner | 2012-12-24 | 2 | -4/+7 |
| \| * | Add support to create IKE fragments | All fragments currently use the same fragment ID (1) as that's what other implementations are doing. | Tobias Brunner | 2012-12-24 | 2 | -0/+30 |
| \| * | Log added NAT-T vendor IDs | | Tobias Brunner | 2012-12-24 | 1 | -0/+1 |
| \| * | Detect a peer's support for IKE fragmentation | Fragments are accepted even if this vendor ID is not seen. | Tobias Brunner | 2012-12-24 | 2 | -0/+9 |
| \| * | Map fragmented initial Main or Aggressive Mode messages to the same IKE_SA | | Tobias Brunner | 2012-12-24 | 1 | -1/+17 |
| \| * | Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments | Other implementations send fragments always in an initial message type even for transaction or quick mode exchanges. | Tobias Brunner | 2012-12-24 | 1 | -1/+2 |
| \| * | Don't handle fragmented messages larger than charon.max_packet | | Tobias Brunner | 2012-12-24 | 1 | -4/+39 |
| \| * | Don't update an IKE_SA-entry's cached message ID when handling fragments | | Tobias Brunner | 2012-12-24 | 1 | -1/+4 |
| \| * | Store inbound IKE fragments and reassemble the message when all fragments are received | | Tobias Brunner | 2012-12-24 | 1 | -3/+166 |
| \| * | Add message rules to properly handle IKE fragments | These are sent in unencrypted messages and are the only payload contained in such messages. | Tobias Brunner | 2012-12-24 | 1 | -0/+8 |
| \| * | Reset the encrypted flag when handling IKE messages that contain a fragment | Racoon sets the encrypted bit for messages containing a fragment, but these messages are not really encrypted (the fragmented message is though). | Tobias Brunner | 2012-12-24 | 1 | -0/+6 |
| \| * | Payload added to handle IKE fragments | | Tobias Brunner | 2012-12-24 | 6 | -11/+314 |
| * \| | Don't use bio_writer_t.skip() to write length field when appending more data | If the writer reallocates its buffer, the length pointer might not be valid anymore, or even worse, point to an arbitrary allocation. | Martin Willi | 2013-01-11 | 1 | -4/+4 |
| * \| | Streamline debug output when receiving intermediate CA certificates in IKEv1 | | Martin Willi | 2013-01-11 | 1 | -1/+1 |
| * \| | Refactored IKEv2 cert/certreq payload processing to multiple functions | | Martin Willi | 2013-01-11 | 1 | -112/+141 |
| * \| | Refactored IKEv1 cert payload processing to multiple functions | | Martin Willi | 2013-01-11 | 1 | -73/+102 |
| * \| | IKEv1 support for PKCS#7 wrapped certificates | | Volker Rümelin | 2013-01-11 | 3 | -0/+96 |
| * \| | Fixed some typos in comments | | Volker Rümelin | 2013-01-11 | 4 | -6/+6 |
| * | Add parentheses to avoid compiler warning | | Martin Willi | 2012-12-24 | 1 | -1/+1 |
| * | Send empty CDATA batch if TNC client has no data to send | | Andreas Steffen | 2012-12-23 | 1 | -16/+28 |
| * | Fixed some typos, courtesy of codespell | | Tobias Brunner | 2012-12-20 | 7 | -7/+7 |
| * | Raise an alert if IKE SA is kept | This alert is raised when the establishment of a child SA fails but the IKE SA is kept. | Adrian-Ken Rueegsegger | 2012-12-20 | 2 | -0/+3 |
| * | Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier | This adds support for early versions of the draft that eventually resulted in RFC 3947. | Volker Rümelin | 2012-12-19 | 14 | -90/+311 |
| * | Add missing error_notify_msg.h to distribution tarball | | Martin Willi | 2012-12-19 | 1 | -1/+2 |
| * | Add an error-notify sample application to listen to error notifications | | Martin Willi | 2012-12-19 | 3 | -0/+66 |
| * | Add an error-notify plugin to send caught alerts to listening applications | | Martin Willi | 2012-12-19 | 9 | -0/+743 |
| * | Raise an alert if half-open timeout limit reached | | Martin Willi | 2012-12-19 | 2 | -0/+3 |
| * | Raise an alert if an authorize() hook fails | | Martin Willi | 2012-12-19 | 2 | -0/+6 |