Age | Commit message | Author
author: angelos
Careful when copying IDs.
author: angelos
Oops, what am I thinking?
author: angelos
Ooops again, I reverted the wrong patch.
author: angelos
Oops, shouldn't have committed this.
author: angelos
x509_hash() should also skip the cert length (willey@serasystems.com)
author: angelos
If it's a dynamically established Phase 2 SA, don't keep a copy of it
in isakmpd (the kernel keeps track of everything in this case).
author: angelos
Comment.
author: angelos
If no time-based lifetime was negotiated, don't release the SA.
timeout routine (should there be a default expiration if none is
negotiated?)
author: provos
better referencing. okay niklas@
author: angelos
Use Default entry for Phase 1 configuration if none is found.
author: niklas
style
author: ho
(c)-2000
author: provos
proper reference counting for isakmp_sa in struct message, remove bogus
calls to sa_reference; fix some more memory leaks in conf.c
author: provos
don't strdup exchange->recv_cert, it is not always a 0-terminated string
for CERTENC_NONE. we need to malloc and memcpy instead. found by
electric fence.
author: provos
provide transport dependent ID decoding; hope indentation is right now ;)
author: ho
ISAKMP peer transport defaults to UDP.
author: provos
make a DOI specific decode_ids, but have isakmp doi decode point to
ipsec.
author: provos
indent
author: provos
introduce ipsec_decode_ids, also decodes FQDN and USER_FQDN now.
new ipsec_clone_id to copy IDs to phase 2 SAs for better status
reports. okay angelos@
author: angelos
Reset policy_id and recv_key after we've moved them over from the
exchange to the isakmp_sa, so they don't get freed.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: angelos
Add CERTENC_KEYNOTE.
author: ho
DOI IPSEC is default if not specified.
author: niklas
log_fatal is only OK during initialization
author: ho
Missing #ifdef USE_X509 added
author: ho
Add #ifdef USE_X509
regress/dh/Makefile: Merge with EOM 1.7
regress/group/Makefile: Merge with EOM 1.9
regress/prf/Makefile: Merge with EOM 1.4
regress/rsakeygen/Makefile: Merge with EOM 1.8
regress/x509/Makefile: Merge with EOM 1.10
Makefile: Merge with EOM 1.62
attribute.c: Merge with EOM 1.10
sa.c: Merge with EOM 1.99
conf.c: Merge with EOM 1.20
crypto.c: Merge with EOM 1.28
isakmpd.c: Merge with EOM 1.45
connection.c: Merge with EOM 1.19
doi.h: Merge with EOM 1.28
field.c: Merge with EOM 1.11
exchange.c: Merge with EOM 1.116
ike_auth.c: Merge with EOM 1.44
pf_key_v2.c: Merge with EOM 1.37
ike_phase_1.c: Merge with EOM 1.22
ipsec.c: Merge with EOM 1.118
isakmp_doi.c: Merge with EOM 1.40
log.c: Merge with EOM 1.26
log.h: Merge with EOM 1.18
math_group.c: Merge with EOM 1.23
message.c: Merge with EOM 1.144
pf_encap.c: Merge with EOM 1.70
policy.c: Merge with EOM 1.18
timer.c: Merge with EOM 1.13
transport.c: Merge with EOM 1.41
udp.c: Merge with EOM 1.47
ui.c: Merge with EOM 1.37
x509.c: Merge with EOM 1.36
author: niklas
Made debug logging a compile time selectable feature
crypto.c: Merge with EOM 1.27
exchange.c: Merge with EOM 1.115
ike_quick_mode.c: Merge with EOM 1.115
x509.c: Merge with EOM 1.35
features/ec: Merge with EOM 1.1
features/aggressive: Merge with EOM 1.1
features/policy: Merge with EOM 1.1
features/x509: Merge with EOM 1.1
author: niklas
Allow isakmpd builders to remove optional parts and save bytes.
apps/certpatch/certpatch.c: Merge with EOM 1.6
exchange.c: Merge with EOM 1.114
ike_quick_mode.c: Merge with EOM 1.110
ike_phase_1.c: Merge with EOM 1.16
ike_auth.c: Merge with EOM 1.41
ike_aggressive.c: Merge with EOM 1.4
libcrypto.c: Merge with EOM 1.10
libcrypto.h: Merge with EOM 1.10
isakmpd.8: Merge with EOM 1.19
isakmpd.c: Merge with EOM 1.42
ipsec.h: Merge with EOM 1.40
init.c: Merge with EOM 1.22
message.c: Merge with EOM 1.143
message.h: Merge with EOM 1.49
sa.c: Merge with EOM 1.98
sa.h: Merge with EOM 1.54
policy.c: Merge with EOM 1.14
pf_key_v2.c: Merge with EOM 1.36
x509.c: Merge with EOM 1.32
x509.h: Merge with EOM 1.9
udp.c: Merge with EOM 1.46
author: niklas
Angelos copyrights
author: ho
Lower common log message from log_print to log_debug 'level'.
author: niklas
style & wording
author: niklas
Check that ISAKMP-peers are phase 1
author: angelos
Complete policy work; tested for the shared-key case. Documentation needed.
regress/rsakeygen/rsakeygen.c: Merge with EOM 1.8
regress/x509/Makefile: Merge with EOM 1.6
regress/x509/x509test.c: Merge with EOM 1.6
regress/Makefile: Merge with EOM 1.8
samples/VPN-east.conf: Merge with EOM 1.6
samples/VPN-west.conf: Merge with EOM 1.6
samples/singlehost-east.conf: Merge with EOM 1.3
samples/singlehost-west.conf: Merge with EOM 1.3
sysdep/openbsd/Makefile.sysdep: Merge with EOM 1.5
x509.h: Merge with EOM 1.6
x509.c: Merge with EOM 1.17
DESIGN-NOTES: Merge with EOM 1.46
Makefile: Merge with EOM 1.55
cert.c: Merge with EOM 1.11
cert.h: Merge with EOM 1.6
exchange.c: Merge with EOM 1.109
exchange.h: Merge with EOM 1.26
ike_auth.c: Merge with EOM 1.32
ike_phase_1.c: Merge with EOM 1.7
init.c: Merge with EOM 1.16
isakmpd.conf.5: Merge with EOM 1.27
README.PKI: Merge with EOM 1.1
author: niklas
From Niels Provos, edited by me: certificate support using SSLeay
author: ho
Connection names only match phase 2 exchanges, so let a
phase 2 stayalive imply stayalive of the "parent" ISAKMP SA.
author: ho
'Connections' should stay alive (SA_FLAG_STAYALIVE)
timer.c: Merge with EOM 1.12
author: ho
Logging nitpicks
author: niklas
Free SAs left in the exchange's SA list always when freeing
the exchange.
author: niklas
disconnect SAs from the exchange when they are ready
author: ho
Don't create SAs for informational exchanges.
author: niklas
Remove larval SAs if an exchange dies. Also use the DOI from the isakmp_sa
if doing an informational exchange in phase 2.
author: niklas
Do not free a message twice
author: niklas
Try to fix the retransmit business, so info exchanges do not retransmit
author: niklas
Remove unnecessary code
author: niklas
Keep track of messages in the send queue from the exchange point of view.
author: niklas
Free the last sent message when freeing an exchange
author: niklas
New message_drop API. Generate real INVALID_COOKIE notification.
Generate informational exchanges in phase 1 too. Really get these
messages to the wire
author: niklas
Handle leftover payloads.
author: niklas
Simplify exchange life logic some. Some style too.
author: niklas
Collapse MSG_NO_RETRANS & MSG_KEEP into MSG_LAST.
author: niklas
Style
author: ho
Keep track of trailing retransmissions by keeping exchanges around longer.
Removed references to sa->last_sent_in_setup, use last_sent and
last_received in exchange instead. Free setup exchanges by expiration only.
author: ho
Backout last change. (Go with exchange directly instead of sa->msg)
author: ho
Handle phase 2 late retransmissions.
Check should be for step > 1, not step > 0.
Don't drop new incoming phase 1 exchange request if our existing
exchange hasn't gotten past step 0.
Style. alloc error reporting. Math error propagation. Allocate right
sizes.
Off by one (< -> <=)
Let's get aggressive!
Added classes LOG_SA and LOG_EXCHANGE, converted
many LOG_MISC to new classes, adjusted levels slightly.
More SA logging.
Simplify the checks of existing exchanges by moving it into
exchange_establish. This means we need to change the finalize API.
Try to make PF_ENCAP support handle multiple connections to a single
security gateway.
Include sa_list in exchange_dump
Add finalization to exchange when we initiate a new exchange
while an old one is being setup.
Add LOG_REPORT to always go to logchannel regardless of level; misc small fixes
Deal with incoming informational exchanges
style
At end of an exchange, mark the old SAs as replaced.
Do not answer on main-mode initiations from peers we already talk to.
Plug the leak of the last QM message. More error reporting from
insufficient memory. Move the finalize call of exchanges as close to
the real deallocation as possible.
New finalize API so we can call it when failing too, so we do not leak
resources. Plug memory leaks in general. More memory allocation error
reporting.
refcounting on exchanges
Do not malloc zero bytes, some implementations dislike
resource track exchange->name and sa->name
Make it possible to send a notification in a phase 1 informational exchange.
Do not overwrite the last-sent-message of phase 1 with last-sent dittos
of phase2. Add some debugging. Make exchange finalization accept added
hooks to run. Try to protect better against multiple equal exchanges
getting started concurrently. Set the SA names from the exchange name up
early. Change "Attributes" to "Flags" to not be mistaken for ISAKMP
attributes. Let phase 2 exchanges take finalization functions too.
Only get the destination address when needed
If no exchange name, do not look for attributes
The SA name is not yet setup, use the exchange name instead
Add SA attributes, specifically stayalive
sa.h: Merge with EOM 1.42
Add SA attributes, specifically stayalive
pf_encap.c: Merge with EOM 1.46
Add SA attributes, specifically stayalive
exchange.c: Merge with EOM 1.65
Add SA attributes, specifically stayalive
| revision 1.64
| date: 1999/02/25 11:38:53; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------
| revision 1.63
| date: 1999/02/25 11:09:33; author: niklas; state: Exp; lines: +3 -5
| Make conf_get_num take a default value to give back when tag does not exist
| ----------------------------
| revision 1.62
| date: 1999/02/06 14:57:51; author: niklas; state: Exp; lines: +3 -3
| Export exchange_lookup_by_name
| ----------------------------
| revision 1.61
| date: 1999/01/31 01:14:58; author: niklas; state: Exp; lines: +2 -2
| commentary
| ----------------------------
OpenBSD IPSEC stack by me, Niklas Hallqvist and Niels Provos, funded by
Ericsson Radio Systems. It is not yet complete or usable in a real scenario
but the missing pieces will soon be there. The early commit is for people
who want early access and who are not afraid of looking at source.
isakmpd interops with Cisco, Timestep, SSH & Pluto (Linux FreeS/WAN) so
far, so it is not that incomplete. It is really mostly configuration that
is lacking.