bd8d1f1d9c
Accept unencrypted Aggressive Mode messages.
...
Racoon does not encrypt the third message during Aggressive Mode.
2012-03-20 17:31:34 +01:00
ebc7bcb550
Encrypt payloads of third aggressive mode message
2012-03-20 17:31:33 +01:00
927c1dd9d2
Support IKEv1 proposal encodings having both lifebytes and a lifetime
2012-03-20 17:31:33 +01:00
e32820f593
Add functions to set mode cfg identifier
2012-03-20 17:31:32 +01:00
96f98a8c11
Accept IKEv1 INVALID_KE_INFORMATION notifies without data
2012-03-20 17:31:30 +01:00
db1dc81329
IKEv1 ATTRIBUTES_NOT_SUPPORTED error notify added.
2012-03-20 17:31:30 +01:00
dd5c3787dc
Give a hint that decryption failed if payload length invalid
2012-03-20 17:31:30 +01:00
07b8ec7c00
Cast keymat safely, not based on external input
2012-03-20 17:31:30 +01:00
fd5d6bb08e
Use IPSEC DOI also for ISAKMP SA deletes.
2012-03-20 17:31:29 +01:00
82b1e5e270
Accept NULL as keymat when generating a message
2012-03-20 17:31:29 +01:00
15a682f4c2
Separated libcharon/sa directory with ikev1 and ikev2 subfolders
2012-03-20 17:31:26 +01:00
8833068877
Doxygen fixes
2012-03-20 17:31:25 +01:00
26b02f50f4
Always use a transform number of 1 when encoding a single transform
2012-03-20 17:31:25 +01:00
5d0458af0a
Another set of cleanups in message.c
2012-03-20 17:31:25 +01:00
b9a707e696
Some coding style cleanups
2012-03-20 17:31:25 +01:00
2f58f6cba1
Fixed notify enum names
2012-03-20 17:31:25 +01:00
b46b56fac1
Log parsed unsigned ints with proper format strings.
2012-03-20 17:31:24 +01:00
ca26065745
Add some additional IKEv1 notify types
2012-03-20 17:31:23 +01:00
a4cc071364
Do not trust unprotected INFORMATIONALS, just print that we got one
2012-03-20 17:31:23 +01:00
3ba15819ed
Remove executable flag from source code files
2012-03-20 17:31:22 +01:00
51da01a722
Support encoding of Hybrid initiator authentication method
2012-03-20 17:31:21 +01:00
33493a5253
Added method to get encoded version if ID_V1 payload.
2012-03-20 17:31:21 +01:00
226b0f36c7
Fixed SPI size calculation in DELETE payload
2012-03-20 17:31:19 +01:00
0acb520758
Support IKEv1 SPIs in IKEv1 delete payload
2012-03-20 17:31:19 +01:00
9626164e9a
Don't complain when receiving XAuth or Unity configuration attributes
2012-03-20 17:31:16 +01:00
c9e5998d7f
Interpret attribute format correctly in IKEv1 configuration format
2012-03-20 17:31:16 +01:00
b8383f1f2d
Encrypt INFORMATIONAL exchange if needed
2012-03-20 17:31:14 +01:00
9ce5d0c0e8
added functions for getting/setting ISAKMP SPI to notify payload
2012-03-20 17:31:14 +01:00
9bb4de1d83
En- and decode DH group attribute in quick mode SA payloads
2012-03-20 17:31:14 +01:00
5d1eeec297
Handle incoming delete messages
2012-03-20 17:31:13 +01:00
6f6380e670
use untoh64 instead of non-portable be64toh
2012-03-20 17:31:13 +01:00
9ad5b8fa95
Cleanup CERT payload constructors
2012-03-20 17:31:13 +01:00
df06ef2098
Cleaned up certreq payload for IKEv2/IKEv1 use
2012-03-20 17:31:13 +01:00
695aff41f5
Encode a single IP traffic selector as ID_IPV?_ADDRESS identity
2012-03-20 17:31:12 +01:00
caa6f772c8
Added missing break;s when converting ID_IP_ADDRESS types to ts, extracted function
2012-03-20 17:31:12 +01:00
bd8700f055
Don't use unportable htobe64 macro directly
2012-03-20 17:31:12 +01:00
7d9269bfce
certificate handling for XAuth responder.
2012-03-20 17:31:11 +01:00
e102f86e88
Setting transform number in esp proposal.
...
iPhone (racoon) fails quick mode when transform number is 0
2012-03-20 17:31:11 +01:00
8a9ab2035f
ID_IPV4_ADDR and ID_IPV6_ADDR cases added to get_ts
2012-03-20 17:31:11 +01:00
07abb470c6
IKEv1: Added basic support for INFORMATIONAL exchange types, and for NOTIFY_V1 messages in the 3rd message in quick_mode.
2012-03-20 17:31:11 +01:00
a0bea44a97
Message rules for IKEv1 NAT-T payloads added.
2012-03-20 17:31:10 +01:00
1e97783c99
Added payloads for IKEv1 NAT-Traversal negotiation.
2012-03-20 17:31:09 +01:00
24ddf03f52
Added an option to create a generator that does not log debug messages.
2012-03-20 17:31:09 +01:00
37639e94fb
Handle invalid IKEv1 hashes more specifically.
2012-03-20 17:31:08 +01:00
29a5e0707e
Handle unsupported IKEv1 exchange types more specifically.
2012-03-20 17:31:08 +01:00
983e852af8
Handle INFORMATIONAL_V1 messages when no keys have been derived yet.
...
This allows to gracefully process the INFORMATIONAL_V1 message rules which
require the payloads to be encrypted and thus the exchange to be
authenticated with a HASH payload. If such an exchange is now initiated
before the ISAKMP_SA is established, the message is simply sent unencrypted
and without HASH payload.
2012-03-20 17:31:08 +01:00
fd24c700fb
Use proper enum types in proposal_substructure.
2012-03-20 17:31:07 +01:00
b4e815354c
Map auth_class to auth method and IKEv1 proposal attribute
2012-03-20 17:30:53 +01:00
eeca2af81c
Removed obsolete transform attribute setters
2012-03-20 17:30:53 +01:00
914ec2dbf2
Implemented IKEv1 attribute encoding in SA payload
2012-03-20 17:30:53 +01:00
fbebc2a068
Implemented encoding of additional IKEv1 proposal attributes
2012-03-20 17:30:53 +01:00
e174e0d445
Added not-yet used sa_payload parameters used in IKEv1
2012-03-20 17:30:52 +01:00
8b30286fcf
IKEv1 XAuth: Add XAUTH authentication types to the enum. Added the ability to switch between hardcoded PSK and XAUTH_INIT_PSK authentications using a flag, default to PSK.
2012-03-20 17:30:52 +01:00
ece4ed3fcd
IKEv1 ConfigMode: Fix configuration_attribute encoding rules for IKEv1 to use the attribute type instead of the internal only payload type.
2012-03-20 17:30:52 +01:00
0b6811b4a7
IKEv1 ConfigMode: Fixed cp_payload to use CONFIGURATION_ATTRIBUTE_V1 in all appropriate places, so the parsing is done correctly.
2012-03-20 17:30:51 +01:00
97265a8927
Removed redundant '=>' when logging binary data in parser and generator.
2012-03-20 17:30:51 +01:00
f4e21faa98
Fixed encryption of IKEv2 messages.
2012-03-20 17:30:50 +01:00
d020d4d695
Print message payload names after prepending IKEv1 HASH payload
2012-03-20 17:30:50 +01:00
7a7f486df6
Include hardcoded tunnel mode attribute in porposal, remove ESN attribute
2012-03-20 17:30:50 +01:00
cd200cb821
Authenticate and verify Phase 2 IKEv1 messages with appropriate hashes.
2012-03-20 17:30:50 +01:00
1e5dd62bb2
Fixed verification of DELETE_V1 payloads.
2012-03-20 17:30:50 +01:00
f3cc8589b1
Fixed header length calculation of DELETE payload.
2012-03-20 17:30:50 +01:00
d6cec44b24
Fixed conftests after extending CERT payload.
2012-03-20 17:30:50 +01:00
017d98bf39
Merged IKEv1 attribute payload/data into configuration payload/attribute
2012-03-20 17:30:49 +01:00
c71760570e
IKEv1 ConfigMode: Added the payload handlers for attribute_payload and data_attribute payload types.
2012-03-20 17:30:49 +01:00
54a8a94fa9
IKEv1 ConfigMode: Added TRANSACTION exchange type. Added attribute_payload (IKEv2 equiv cp_payload) and data_attribute (IKEv2 equiv configuration_attribute) payload types. Did not combine with IKEv2 because it wasn't trivial to do so. This might be a task worth investigating in the future, because there is a decent amount of shared code here.
2012-03-20 17:30:49 +01:00
9769b76cab
Updated the CERT payload to work for both IKEv1 and IKEv2.
2012-03-20 17:30:49 +01:00
d50152a70b
Parse proposal substructure with multiple IKEv1 transforms to multiple proposals
2012-03-20 17:30:49 +01:00
62a27ba347
Encode multiple IKEv1 proposals in a single transform substructure
2012-03-20 17:30:48 +01:00
f9450fc9f7
Remove public sa_payload.add_proposal() method
2012-03-20 17:30:48 +01:00
cd89f1a074
Only add the first algorithm of a kind to IKEv1 transforms
2012-03-20 17:30:48 +01:00
f5c0096086
Hardcode some SA lifetimes until we can configure them dynamically
2012-03-20 17:30:48 +01:00
4c6dfbb26b
Added missing comma after ME_CONNECT declaration.
2012-03-20 17:30:48 +01:00
8c5e78ae4f
Fixed creation of endpoint notifies.
2012-03-20 17:30:48 +01:00
21da1087a5
Fixed diagram of IKEv1 encrypted "payload".
2012-03-20 17:30:47 +01:00
cc9629d87c
Partially implemented IKEv1 ESP proposal en-/decoding
2012-03-20 17:30:47 +01:00
e1f9d6476e
Register HASH_V1 in payload factory
2012-03-20 17:30:46 +01:00
7fcd26f4fc
Fix payload length of id_payload created from a traffic selector
2012-03-20 17:30:46 +01:00
42a69b05ab
String for ENCRYPTED_DATA fixed.
2012-03-20 17:30:46 +01:00
780ce7724d
Strings for ENCRYPTED_V1 payload added.
2012-03-20 17:30:46 +01:00
d66199884f
Set flags on message according to IKE version when parsing header.
2012-03-20 17:30:46 +01:00
c92f2cf36d
Encrypt IKEv1 messages.
2012-03-20 17:30:46 +01:00
477e856a15
Decrypt IKEv1 messages.
2012-03-20 17:30:46 +01:00
6f5f8ee4b5
Use modified encryption payload to encrypt/decrypt complete IKEv1 messages.
2012-03-20 17:30:46 +01:00
0cec72df40
Provide keymat_t to message_t to encrypt/decrypt data.
2012-03-20 17:30:45 +01:00
50d493808c
Avoid compiler warnings due to extended enums.
2012-03-20 17:30:45 +01:00
3bd5fcc832
Print message ID as unsigned integer
2012-03-20 17:30:45 +01:00
9e40e3e9fa
Added message encoding rules for quick mode
2012-03-20 17:30:45 +01:00
cbb6d765bc
Fixed length calculation of delete payload
2012-03-20 17:30:44 +01:00
4ea258538e
Update header length after each parsed rule, as it might change when parsing SPI size
2012-03-20 17:30:44 +01:00
5789320f5c
Fix rule selection in transform substructure
2012-03-20 17:30:44 +01:00
5f1aef65ce
Fixed proposal numbering check in sa_payload
2012-03-20 17:30:44 +01:00
c311d22d0f
Don't clone chunk in message.get_packet_data
2012-03-20 17:30:44 +01:00
31fc14e394
Verify IKEv1 nonce size, send 32 byte nonces
2012-03-20 17:30:44 +01:00
e4a8fd72cb
Added IKEv1 ID payload <-> traffic selector conversion functions
2012-03-20 17:30:44 +01:00
72b3146092
Re-enable static inclusion of PSK auth method into IKEv1 proposal
2012-03-20 17:30:43 +01:00
cf6cd5aa4b
Added IKEv1 support to delete payload
2012-03-20 17:30:43 +01:00
04ee2b7fed
Added IKEv1 support to notify payload
2012-03-20 17:30:43 +01:00
f62a7c7c71
Use a generic list encoding rule we can use to specify the wrapped payload type
2012-03-20 17:30:42 +01:00
95a26523af
Use a generic encoding type for all variable length chunks
2012-03-20 17:30:42 +01:00
ee50a29385
Implemented IKEv1 hash payload
2012-03-20 17:30:42 +01:00
2a36037ec7
Extended ID payload for (non-TS) IKEv1 use
2012-03-20 17:30:42 +01:00
38fb67fbf1
Add a payload.get_header_length() method, remove header length definitions
2012-03-20 17:30:42 +01:00
e9b55b8325
Simplify signature of get_encoding_rules(), make all rules static
2012-03-20 17:30:42 +01:00
683d83ed3e
Extended KE payload for IKEv1 support
2012-03-20 17:30:42 +01:00
bcfb0f4096
Extended nonce payload for IKEv1 support
2012-03-20 17:30:42 +01:00
717333da98
Add fixed PSK authentication method to IKEv1 proposal for now
2012-03-20 17:30:41 +01:00
3a470f3035
Added limiting encoding of IKEv1 SA payloads
2012-03-20 17:30:41 +01:00
2bcd51b389
Added SA payload IKEv1 encoding types to generator
2012-03-20 17:30:41 +01:00
bce8d3be11
Don't set IKEv2 only header flags when using IKEv1
2012-03-20 17:30:41 +01:00
da8cadbd93
Set default IKE header initiator flag in IKEv2 only
2012-03-20 17:30:41 +01:00
354ac9579f
Compile error fixed.
2012-03-20 17:30:41 +01:00
7f56cf1a65
Message parsing slightly refactored, allows parsing of unencrypted IKEv1 messages.
2012-03-20 17:30:40 +01:00
4ed52db2bb
Allow creation of message_t objects for IKEv1 packets.
2012-03-20 17:30:40 +01:00
8a2d079d78
Certificate request payloads can be sent in pretty much any IKEv1 message.
2012-03-20 17:30:40 +01:00
1bf2971ff2
Implemented limited payload parsing for IKEv1 SA payloads
2012-03-20 17:30:40 +01:00
3f6d1b13a7
Added additional IKEv1 payload and encoding identifiers
2012-03-20 17:30:40 +01:00
b0b9d18593
Extend sa_payload for IKEv1 support
2012-03-20 17:30:40 +01:00
8f3aea2f77
Message rules for IKEv1 INFORMATIONAL exchange added.
...
Since INFORMATIONAL "exchanges" are actually unidirectionally sent
message we don't have any responder rules.
2012-03-20 17:30:40 +01:00
130c9a54c2
Message rules for IKEv1 AGGRESSIVE exchange added.
...
These are basically the same as for ID_PROT but no payloads are expected
to be encrypted (at least if using PSK or signatures for authentication).
2012-03-20 17:30:40 +01:00
6ba70ba8dd
Message rules for IKEv1 ID_PROT exchange added.
...
These rules are quite broad and cover main mode with at least PSK and
signature based authentication.
2012-03-20 17:30:40 +01:00
fdb8421f36
Typo fixed.
2012-03-20 17:30:40 +01:00
837298c590
Use vendor id payload for IKEv1 payloads, too
2012-03-20 17:30:39 +01:00
ecf854a00b
Added IKEv1 payload identifiers to "known" payload list
2012-03-20 17:30:39 +01:00
e33b41e7b0
Added IKEv1 payload identifiers
2012-03-20 17:30:39 +01:00
526b5afb45
Extended IKE header for IKEv1 support
2012-03-20 17:30:39 +01:00
007d5b9218
Defined a private status notify to transport arbitrary RADIUS attributes
2012-03-05 18:06:14 +01:00
b2e493ab58
Fixed proposal numbering check in sa_payload
2011-11-21 09:12:00 +01:00
055a823d08
Made create_endpoint_notify_create() private.
2011-10-04 15:59:20 +02:00
13e5a32a1e
Migrated parser_t to INIT/METHOD macros.
2011-10-04 11:50:22 +02:00
4459ae8cf5
Fixed compiler warnings for endpoint_notify_t.
2011-10-04 10:17:36 +02:00
6b44a99f9e
Migrated endpoint_notify to INIT/METHOD macros
2011-10-03 21:30:49 +02:00
a022f0863d
increased message buffer to cope with NCP's innumerable UNITY Configuration Payloads
2011-08-16 23:22:20 +02:00
7ebf021d37
typos: initator->initiator, authenticaion->authentication.
2011-08-15 16:31:04 +02:00
4c199e6f81
Add a non-clonig variant of eap_payload_create_data
2011-08-08 13:36:55 +02:00
61e13630f8
Show error code of Microsoft specific error notify
2011-08-03 12:01:15 +02:00
06912a5eb4
Added Microsoft specific error notify
2011-08-03 12:00:50 +02:00
f3bb1bd039
Fixed common misspellings.
...
Mostly found by 'codespell'.
2011-07-20 16:14:10 +02:00
152d7b373d
added IKEv2 exchange type IKE_SESSION_RESUME from RFC 5723
2011-07-15 07:48:36 +02:00
895ac29719
fixed typo
2011-07-14 10:53:37 +02:00
9f181e7fd5
updated IANA IKEv2 Notify Message Types
2011-07-14 10:51:24 +02:00
a07568cf6a
Use has_more in decrypt_payloads instead of calling enumerate twice.
2011-07-06 09:43:46 +02:00
e26304348c
Replaced simple iterator usages.
2011-07-06 09:43:45 +02:00
513701f41b
Fix some warnings triggered by gcc 4.6 -Wunused-but-set-variable
2011-05-19 15:47:40 +02:00
6d41218ced
Be a little more liberal in checking maximum payload count
2011-04-20 15:15:00 +02:00
f7aca91603
Accept IKE_SA_INIT responses without CERTIFICATE_REQUESTs
2011-04-20 15:04:02 +02:00
35fe7f8cbd
Compiler warning fixed.
2011-02-10 16:49:42 +01:00
0700c153e7
Fixed function parameter description
2011-02-08 10:14:56 +01:00
84545f6e7c
Some typos fixed.
2011-02-07 11:39:41 +01:00
fe79cd4257
Accept non-encrypted INFORMATIONALs for ME connectivity checks
2011-02-01 09:47:36 +01:00
3a89b3c52f
Provide CRLs received in CERT payloads to trustchain verification
2011-01-05 16:46:06 +01:00
54f2bdd656
Added substructure enumerators to sa_payload, proposal_substructure
2011-01-05 16:45:52 +01:00
9ca5d0280e
Moved check if packet already encoded to ike_sa, avoids message() hook invocation twice
2011-01-05 16:45:52 +01:00
2813be18f5
Added a message method to set the "higher version supported" flag
2011-01-05 16:45:52 +01:00
166a2a45d9
Added reserved bit mangling wrapper functions to message
2011-01-05 16:45:51 +01:00
e662d62a76
Implemented a generic payload field lookup function
2011-01-05 16:45:51 +01:00
bf029696c6
Reserved field get parsed/generated like any other bit/byte field
2011-01-05 16:45:51 +01:00
c93c7a7560
Added member fields for reserved bits and bytes in all payloads
2011-01-05 16:45:51 +01:00
1b671248c2
Migrated vendor_id_payload to INIT/METHOD macros
2011-01-05 16:45:51 +01:00
102adb9bfd
Migrated ts_payload to INIT/METHOD macros
2011-01-05 16:45:51 +01:00
1f5b2bec4b
Use enumerator instead of deprecated iterator
2011-01-05 16:45:51 +01:00
9f8ecff2e2
Migrated transform_substructure to INIT/METHOD macros
2011-01-05 16:45:51 +01:00
6844c156fc
Removed obsolete clone mehtod from proposal_substructure
2011-01-05 16:45:51 +01:00
6b69c03d13
Migrated transform_attribute to INIT/METHOD macros
2011-01-05 16:45:51 +01:00
423745b652
Migrated traffic_selector_substructre to INIT/METHOD macros
2011-01-05 16:45:51 +01:00
3f0a2af2a6
Migrated notify_payload to INIT/METHOD macros
2011-01-05 16:45:51 +01:00
e3c4c6a5ac
Migrated nonce_payload to INIT/METHOD macros
2011-01-05 16:45:50 +01:00
19ee0762e7
Migrated ke_payload to INIT/METHOD macros
2011-01-05 16:45:50 +01:00
ffb980572f
Migrated id_payload to INIT/METHOD macros
2011-01-05 16:45:50 +01:00
a11cfe2960
Migrated cp_payload to INIT/METHOD macros
2011-01-05 16:45:50 +01:00
bda62cedb9
Migrated configuration_attribute to INIT/METHOD macros
2011-01-05 16:45:50 +01:00
1cc58e7ed2
Migrated certreq_payload to INIT/METHOD macros
2011-01-05 16:45:50 +01:00
2aa1bffb02
Migrated cert_payload to INIT/METHOD macros
2011-01-05 16:45:50 +01:00
9c0ccf5e26
Migrated auth_payload to INIT/METHOD macros
2011-01-05 16:45:50 +01:00
2ecbd6186e
Do not update payload length during generation, allows hooks override payload length
2011-01-05 16:45:47 +01:00
d58127af84
Do not recalculate payload header length after generation, payloads do length calculation
2011-01-05 16:45:47 +01:00
2a19095e4c
Apply IKE major/minor version set on message to IKE header
2011-01-05 16:45:46 +01:00
7e7c7c1d84
Added setters for IKE major/minor version to ike_header
2011-01-05 16:45:46 +01:00
1c22c529a7
Migrated ike_header_t to INIT/METHOD macros
2011-01-05 16:45:46 +01:00
b0f6b31db8
Fixed length calculation of unknown payload
2011-01-05 16:45:44 +01:00
c67de660d2
Move critical bit checking to ike_sa, notify payload includes unsupported payload type
2011-01-05 16:45:44 +01:00
24384f352f
Support encoding of UKNOWN_DATA
2011-01-05 16:45:44 +01:00
958c1d75d7
Moved our substructure identifiers above 255, ignore private payloads properly
2011-01-05 16:45:44 +01:00
fea3aa5d12
Check for exceeded payload count even if we have a found one flagged as sufficient
2011-01-05 16:45:43 +01:00
ca93b54e65
Added a constructor for custom uknown payloads
2011-01-05 16:45:43 +01:00
b6c796464d
Use the payloads actual type in unknown_payload_t
2011-01-05 16:45:43 +01:00
9431023ce6
Migrated unknown payload to INIT/METHOD macros
2011-01-05 16:45:43 +01:00
a30dba9282
Fail silently without INVALID_SYNTAX if message not verified
2011-01-05 16:45:42 +01:00
e6c6a4d304
Support removal of payloads from messages
2011-01-05 16:45:41 +01:00
363ec8986c
Added a message_t option to disable automatic payload sorting
2011-01-05 16:45:41 +01:00
dacf658036
Implemented cert payload constructor for custom encoding types
2011-01-05 16:45:41 +01:00
bb16217581
Store proposal number in proposal_t to reuse it in the selected proposal
...
According to RFC 5996 3.3.1, we MUST reuse the proposal number of
the selected proposal in the SA payload reply.
2010-10-28 15:08:14 +02:00
806b69a467
Migrated proposal_substructure to INIT/METHOD macros, removed unused methods
2010-10-28 13:06:20 +00:00
80f93f20a4
Migrated sa_payload to INIT/METHOD macros, removed unused methods
2010-10-28 13:06:19 +00:00
f22ba072e8
draft-ietf-ipsecme-eap-mutual will be released as RFC 5998.
2010-09-16 10:27:49 +02:00
004de55235
added notify messages defined in RFC 5996
2010-09-15 12:48:58 +02:00
9b698a771c
Enable the generation of unencrypted messages (e.g. ME connectivity checks).
2010-08-30 17:25:12 +02:00
dfde6570c7
Update delete_payload length when adding SPIs
2010-08-25 17:04:25 +02:00
5299719569
Migrated delete_payload to INIT/METHOD macros, replaced iterator
2010-08-25 17:03:00 +02:00
e5c6ebb697
Use different return values in payload decryption to distinguish between integrity and syntax errors
2010-08-25 15:29:53 +02:00
Tobias Brunner