Age | Commit message | Author |
|
author: ho
Lower common log message from log_print to log_debug 'level'.
author: niklas
style & wording
|
|
author: niklas
Check that ISAKMP-peers are phase 1
author: angelos
Complete policy work; tested for the shared-key case. Documentation needed.
|
|
regress/rsakeygen/rsakeygen.c: Merge with EOM 1.8
regress/x509/Makefile: Merge with EOM 1.6
regress/x509/x509test.c: Merge with EOM 1.6
regress/Makefile: Merge with EOM 1.8
samples/VPN-east.conf: Merge with EOM 1.6
samples/VPN-west.conf: Merge with EOM 1.6
samples/singlehost-east.conf: Merge with EOM 1.3
samples/singlehost-west.conf: Merge with EOM 1.3
sysdep/openbsd/Makefile.sysdep: Merge with EOM 1.5
x509.h: Merge with EOM 1.6
x509.c: Merge with EOM 1.17
DESIGN-NOTES: Merge with EOM 1.46
Makefile: Merge with EOM 1.55
cert.c: Merge with EOM 1.11
cert.h: Merge with EOM 1.6
exchange.c: Merge with EOM 1.109
exchange.h: Merge with EOM 1.26
ike_auth.c: Merge with EOM 1.32
ike_phase_1.c: Merge with EOM 1.7
init.c: Merge with EOM 1.16
isakmpd.conf.5: Merge with EOM 1.27
README.PKI: Merge with EOM 1.1
author: niklas
From Niels Provos, edited by me: certificate support using SSLeay
|
|
author: ho
Connection names only match phase 2 exchanges, so let a
phase 2 stayalive imply stayalive of the "parent" ISAKMP SA.
author: ho
'Connections' should stay alive (SA_FLAG_STAYALIVE)
|
|
timer.c: Merge with EOM 1.12
author: ho
Logging nitpicks
|
|
author: niklas
Free SAs left in the exchange's SA list always when freeing
the exchange.
author: niklas
disconnect SAs from the exchange when they are ready
author: ho
Don't create SAs for informational exchanges.
|
|
author: niklas
Remove larval SAs if an exchange dies. Also use the DOI from the isakmp_sa
if doing an informational exchange in phase 2.
|
|
author: niklas
Do not free a message twice
|
|
author: niklas
Try to fix the retransmit business, so info exchanges do not retransmit
author: niklas
Remove unnecessary code
author: niklas
Keep track of messages in the send queue from the exchange point of view.
author: niklas
Free the last sent message when freeing an exchange
author: niklas
New message_drop API. Generate real INVALID_COOKIE notification.
Generate informational exchanges in phase 1 too. Really get these
messages to the wire
|
|
author: niklas
Handle leftover payloads.
author: niklas
Simplify exchange life logic some. Some style too.
author: niklas
Collapse MSG_NO_RETRANS & MSG_KEEP into MSG_LAST.
author: niklas
Style
author: ho
Keep track of trailing retransmissions by keeping exchanges around longer.
Removed references to sa->last_sent_in_setup, use last_sent and
last_received in exchange instead. Free setup exchanges by expiration only.
author: ho
Backout last change. (Go with exchange directly instead of sa->msg)
author: ho
Handle phase 2 late retransmissions.
|
|
Check should be for step > 1, not step > 0.
Don't drop new incoming phase 1 exchange request if our existing
exchange hasn't gotten past step 0.
Style. alloc error reporting. Math error propagation. Allocate right
sizes.
Off by one (< -> <=)
Let's get aggressive!
Added classes LOG_SA and LOG_EXCHANGE, converted
many LOG_MISC to new classes, adjusted levels slightly.
More SA logging.
Simplify the checks of existing exchanges by moving it into
exchange_establish. This means we need to change the finalize API.
Try to make PF_ENCAP support handle multiple connections to a single
security gateway.
Include sa_list in exchange_dump
Add finalization to exchange when we initiate a new exchange
while an old one is being set up.
Add LOG_REPORT to always go to logchannel regardless of level; misc small fixes
Deal with incoming informational exchanges
style
At end of an exchange, mark the old SAs as replaced.
Do not answer on main-mode initiations from peers we already talk to.
|
|
Plug the leak of the last QM message. More error reporting from
insufficient memory. Move the finalize call of exchanges as close to
the real deallocation as possible.
New finalize API so we can call it when failing too, so we do not leak
resources. Plug memory leaks in general. More memory allocation error
reporting.
|
|
refcounting on exchanges
Do not malloc zero bytes, some implementations dislike
resource track exchange->name and sa->name
|
|
Make it possible to send a notification in a phase 1 informational exchange.
|
|
Do not overwrite the last-sent-message of phase 1 with last-sent dittos
of phase2. Add some debugging. Make exchange finalization accept added
hooks to run. Try to protect better against multiple equal exchanges
getting started concurrently. Set the SA names from the exchange name up
early. Change "Attributes" to "Flags" to not be mistaken for ISAKMP
attributes. Let phase 2 exchanges take finalization functions too.
|
|
Only get the destination address when needed
If no exchange name, do not look for attributes
The SA name is not yet set up, use the exchange name instead
|
|
Add SA attributes, specifically stayalive
sa.h: Merge with EOM 1.42
Add SA attributes, specifically stayalive
pf_encap.c: Merge with EOM 1.46
Add SA attributes, specifically stayalive
exchange.c: Merge with EOM 1.65
Add SA attributes, specifically stayalive
|
|
| revision 1.64
| date: 1999/02/25 11:38:53; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------
| revision 1.63
| date: 1999/02/25 11:09:33; author: niklas; state: Exp; lines: +3 -5
| Make conf_get_num take a default value to give back when tag does not exist
| ----------------------------
| revision 1.62
| date: 1999/02/06 14:57:51; author: niklas; state: Exp; lines: +3 -3
| Export exchange_lookup_by_name
| ----------------------------
| revision 1.61
| date: 1999/01/31 01:14:58; author: niklas; state: Exp; lines: +2 -2
| commentary
| ----------------------------
|
OpenBSD IPSEC stack by me, Niklas Hallqvist and Niels Provos, funded by
Ericsson Radio Systems. It is not yet complete or usable in a real scenario
but the missing pieces will soon be there. The early commit is for people
who want early access and who are not afraid of looking at source.
isakmpd interops with Cisco, Timestep, SSH & Pluto (Linux FreeS/WAN) so
far, so it is not that incomplete. It is really mostly configuration that
is lacking.
|