Diffstat (limited to 'src/libcharon/encoding/message.c')
-rw-r--r-- | src/libcharon/encoding/message.c | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index d3b72ea95..28fdda735 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -57,7 +57,7 @@
 /**
  * Max number of certificate request payloads per IKEv1 message
  */
-#define MAX_CERTREQ_PAYLOADS 5
+#define MAX_CERTREQ_PAYLOADS 20
 /**
  * Max number of NAT-D payloads per IKEv1 message
@@ -437,10 +437,12 @@ static payload_rule_t id_prot_i_rules[] = {
 	{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
 	{CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
 	{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
+	{NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
 	{ID_V1, 0, 1, TRUE, FALSE},
 	{CERTIFICATE_V1, 0, 2, TRUE, FALSE},
 	{SIGNATURE_V1, 0, 1, TRUE, FALSE},
 	{HASH_V1, 0, 1, TRUE, FALSE},
+	{FRAGMENT_V1, 0, 1, FALSE, TRUE},
 };
 /**
@@ -459,6 +461,8 @@ static payload_order_t id_prot_i_order[] = {
 	{NOTIFY_V1, 0},
 	{VENDOR_ID_V1, 0},
 	{NAT_D_V1, 0},
+	{NAT_D_DRAFT_00_03_V1, 0},
+	{FRAGMENT_V1, 0},
 };
 /**
@@ -473,10 +477,12 @@ static payload_rule_t id_prot_r_rules[] = {
 	{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
 	{CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
 	{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
+	{NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
 	{ID_V1, 0, 1, TRUE, FALSE},
 	{CERTIFICATE_V1, 0, 2, TRUE, FALSE},
 	{SIGNATURE_V1, 0, 1, TRUE, FALSE},
 	{HASH_V1, 0, 1, TRUE, FALSE},
+	{FRAGMENT_V1, 0, 1, FALSE, TRUE},
 };
 /**
@@ -495,6 +501,8 @@ static payload_order_t id_prot_r_order[] = {
 	{NOTIFY_V1, 0},
 	{VENDOR_ID_V1, 0},
 	{NAT_D_V1, 0},
+	{NAT_D_DRAFT_00_03_V1, 0},
+	{FRAGMENT_V1, 0},
 };
 /**
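Review bot: The raised cap `MAX_CERTREQ_PAYLOADS 20` bounds payloads a peer can send before it has authenticated (CERTIFICATE_REQUEST_V1 sits in the non-encrypted column of the main-mode rule tables in this same diff), so the comment on the define should record why 20 is the right ceiling instead of leaving a bare number. Presumably some peers emit one request per trusted CA, but that reason is not visible here. Once confirmed, I would extend the comment to `Max number of certificate request payloads per IKEv1 message (peers may send one per trusted CA)`.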
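Review bot: In `id_prot_i_rules` the new `NAT_D_DRAFT_00_03_V1` entry gets its own `MAX_NAT_D_PAYLOADS` budget beside `NAT_D_V1`, so one unauthenticated main-mode message may now carry twice that many NAT-D payloads, and `id_prot_r_rules` below repeats the pattern. If the two variants are meant to be mutually exclusive, a comment on the draft entry should say so, e.g. `/* draft-ietf-ipsec-nat-t-ike-00/03 variant; peers are expected to send one kind, not both */`; if a mix is acceptable, the doubled worst case is worth noting next to the MAX_NAT_D_PAYLOADS define. The new `{FRAGMENT_V1, 0, 1, FALSE, TRUE}` entry is placed in the non-encrypted column, which agrees with the `parse_header` change later in this diff.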
@@ -509,10 +517,12 @@ static payload_rule_t aggressive_i_rules[] = {
 	{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
 	{CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
 	{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
+	{NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
 	{ID_V1, 0, 1, FALSE, FALSE},
 	{CERTIFICATE_V1, 0, 1, TRUE, FALSE},
 	{SIGNATURE_V1, 0, 1, TRUE, FALSE},
 	{HASH_V1, 0, 1, TRUE, FALSE},
+	{FRAGMENT_V1, 0, 1, FALSE, TRUE},
 };
 /**
@@ -526,11 +536,13 @@ static payload_order_t aggressive_i_order[] = {
 	{ID_V1, 0},
 	{CERTIFICATE_V1, 0},
 	{NAT_D_V1, 0},
+	{NAT_D_DRAFT_00_03_V1, 0},
 	{SIGNATURE_V1, 0},
 	{HASH_V1, 0},
 	{CERTIFICATE_REQUEST_V1, 0},
 	{NOTIFY_V1, 0},
 	{VENDOR_ID_V1, 0},
+	{FRAGMENT_V1, 0},
 };
 /**
@@ -545,10 +557,12 @@ static payload_rule_t aggressive_r_rules[] = {
 	{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
 	{CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
 	{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
+	{NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
 	{ID_V1, 0, 1, FALSE, FALSE},
 	{CERTIFICATE_V1, 0, 1, FALSE, FALSE},
 	{SIGNATURE_V1, 0, 1, FALSE, FALSE},
 	{HASH_V1, 0, 1, FALSE, FALSE},
+	{FRAGMENT_V1, 0, 1, FALSE, TRUE},
 };
 /**
@@ -562,11 +576,13 @@ static payload_order_t aggressive_r_order[] = {
 	{ID_V1, 0},
 	{CERTIFICATE_V1, 0},
 	{NAT_D_V1, 0},
+	{NAT_D_DRAFT_00_03_V1, 0},
 	{SIGNATURE_V1, 0},
 	{HASH_V1, 0},
 	{CERTIFICATE_REQUEST_V1, 0},
 	{NOTIFY_V1, 0},
 	{VENDOR_ID_V1, 0},
+	{FRAGMENT_V1, 0},
 };
 /**
@@ -624,6 +640,7 @@ static payload_rule_t quick_mode_i_rules[] = {
 	{KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
 	{ID_V1, 0, 2, TRUE, FALSE},
 	{NAT_OA_V1, 0, 2, TRUE, FALSE},
+	{NAT_OA_DRAFT_00_03_V1, 0, 2, TRUE, FALSE},
 };
 /**
@@ -639,6 +656,7 @@ static payload_order_t quick_mode_i_order[] = {
 	{KEY_EXCHANGE_V1, 0},
 	{ID_V1, 0},
 	{NAT_OA_V1, 0},
+	{NAT_OA_DRAFT_00_03_V1, 0},
 };
 /**
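Review bot: `NAT_OA_DRAFT_00_03_V1` is admitted up to 2 times beside `NAT_OA_V1` (also up to 2) in `quick_mode_i_rules`, so a Quick Mode message can now carry four NAT-OA payloads of two flavours, and nothing in the rule table says which pair is authoritative when both appear. A short comment on the new entry would make the intent explicit, e.g. `/* draft-00/03 NAT-OA; the consumer must tolerate both variants in one message */`, or the code that reads NAT-OA should be checked for that case. Both entries carry `TRUE` in the encrypted column, which is right for Quick Mode; the responder table gets the same addition in the following hunk.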
@@ -654,6 +672,7 @@ static payload_rule_t quick_mode_r_rules[] = {
 	{KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
 	{ID_V1, 0, 2, TRUE, FALSE},
 	{NAT_OA_V1, 0, 2, TRUE, FALSE},
+	{NAT_OA_DRAFT_00_03_V1, 0, 2, TRUE, FALSE},
 };
 /**
@@ -669,6 +688,7 @@ static payload_order_t quick_mode_r_order[] = {
 	{KEY_EXCHANGE_V1, 0},
 	{ID_V1, 0},
 	{NAT_OA_V1, 0},
+	{NAT_OA_DRAFT_00_03_V1, 0},
 };
 /**
@@ -1681,6 +1701,12 @@ METHOD(message_t, parse_header, status_t,
 	}
 	this->first_payload = ike_header->payload_interface.get_next_type(
 											&ike_header->payload_interface);
+	if (this->first_payload == FRAGMENT_V1 && this->is_encrypted)
+	{	/* racoon sets the encryted bit when sending a fragment, but these
+		 * messages are really not encrypted */
+		this->is_encrypted = FALSE;
+	}
+
 	for (i = 0; i < countof(this->reserved); i++)
 	{
 		reserved = payload_get_field(&ike_header->payload_interface, |
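Review bot: The new block in `parse_header` clears `this->is_encrypted` solely on the basis of the next-payload byte of the unauthenticated IKE header, so any peer, not just racoon, can have an E-bit message treated as plaintext by naming FRAGMENT_V1 first; that looks acceptable because the rule tables in this diff already accept FRAGMENT_V1 unencrypted, but the trust decision should be written down and the override should be logged so interop quirks are diagnosable. I would replace the comment with one that says the E bit is ignored for IKEv1 fragments because they are never encrypted, that this relies on an unauthenticated header field, and that it is safe only because FRAGMENT_V1 is accepted unencrypted by the rule tables anyway; and add `DBG2(DBG_ENC, "ignoring encryption flag on IKEv1 fragment");` inside the block, assuming DBG2 is the logging macro this file uses elsewhere. The existing comment also misspells `encryted`. `parse_header` starts and ends outside this hunk, so whether any later code still reads the raw header flag rather than `is_encrypted` cannot be checked here.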