Add an option to en-/disable IKE fragmentation

author Tobias Brunner <tobias@strongswan.org>

Fri, 21 Dec 2012 17:27:02 +0000 (18:27 +0100)

committer Tobias Brunner <tobias@strongswan.org>

Mon, 24 Dec 2012 11:29:31 +0000 (12:29 +0100)
author Tobias Brunner <tobias@strongswan.org>
Fri, 21 Dec 2012 17:27:02 +0000 (18:27 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Mon, 24 Dec 2012 11:29:31 +0000 (12:29 +0100)
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in

index 8000951ab48236742809e4b4e39987b3790d801a..14caccb3a58c1ee62698993e1028c5fdf3b57306 100644 (file)
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -178,6 +178,11 @@ openly transmitted hash of the PSK)
  .BR charon.ignore_routing_tables
  A space-separated list of routing tables to be excluded from route lookups
  .TP
+.BR charon.ike_fragmentation " [no]"
+Enables IKE fragmentation (proprietary IKEv1 extension). Fragmented messages
+are always accepted irrespective of the value of this option. If the peer
+supports it larger messages will be sent in fragments.
+.TP
  .BR charon.ikesa_table_segments " [1]"
  Number of exclusively locked segments in the hash table
  .TP
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c

index e56f4be968473e953679765c43eca18dc84e97d0..606a981d0971172f67712b51410bc4fb132e217a 100644 (file)
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -225,6 +225,11 @@ struct private_task_manager_t {
  
         } frag;
  
+       /**
+        * TRUE if fragmentation (as sender) is enabled in config
+        */
+       bool fragmentation;
+
         /**
          * List of queued tasks not yet in action
          */
@@ -411,7 +416,7 @@ static bool send_packet(private_task_manager_t *this, bool request,
  
         data = packet->get_data(packet);
         if (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_FRAGMENTATION) &&
-               data.len > MAX_FRAGMENT_SIZE)
+               this->fragmentation && data.len > MAX_FRAGMENT_SIZE)
         {
                 fragment_payload_t *fragment;
                 u_int8_t num, count;
@@ -1996,6 +2001,8 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
                                         "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
                 .retransmit_base = lib->settings->get_double(lib->settings,
                                         "%s.retransmit_base", RETRANSMIT_BASE, charon->name),
+               .fragmentation = lib->settings->get_bool(lib->settings,
+                                       "%s.ike_fragmentation", FALSE, charon->name),
         );
  
         if (!this->rng)
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c

index bf822b548535183f515995c3e60f64e97809ca4b..f83f114b9474fcc45adc9205de341f7477fc11ad 100644 (file)
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -155,18 +155,26 @@ METHOD(task_t, build, status_t,
         private_isakmp_vendor_t *this, message_t *message)
  {
         vendor_id_payload_t *vid_payload;
-       bool strongswan, cisco_unity;
+       bool strongswan, cisco_unity, fragmentation;
         int i;
  
         strongswan = lib->settings->get_bool(lib->settings,
-                                                                       "%s.send_vendor_id", FALSE, charon->name);
+                                                               "%s.send_vendor_id", FALSE, charon->name);
         cisco_unity = lib->settings->get_bool(lib->settings,
-                                                                       "%s.cisco_unity", FALSE, charon->name);
+                                                               "%s.cisco_unity", FALSE, charon->name);
+       fragmentation = lib->settings->get_bool(lib->settings,
+                                                               "%s.ike_fragmentation", FALSE, charon->name);
+       if (!this->initiator && fragmentation)
+       {
+               fragmentation = this->ike_sa->supports_extension(this->ike_sa,
+                                                                                                                EXT_IKE_FRAGMENTATION);
+       }
         for (i = 0; i < countof(vendor_ids); i++)
         {
                 if (vendor_ids[i].send ||
                    (vendor_ids[i].extension == EXT_STRONGSWAN && strongswan) ||
-                  (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity))
+                  (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity) ||
+                  (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION && fragmentation))
                 {
                         DBG2(DBG_IKE, "sending %s vendor ID", vendor_ids[i].desc);
                         vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1,
author	Tobias Brunner <tobias@strongswan.org>
	Fri, 21 Dec 2012 17:27:02 +0000 (18:27 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Mon, 24 Dec 2012 11:29:31 +0000 (12:29 +0100)
man/strongswan.conf.5.in		patch \| blob \| blame \| history
src/libcharon/sa/ikev1/task_manager_v1.c		patch \| blob \| blame \| history
src/libcharon/sa/ikev1/tasks/isakmp_vendor.c		patch \| blob \| blame \| history