Age | Commit message (Collapse) | Author |
|
author: provos
prevent isakmpd crashing when client gives an unknown ID in aggressive mode.
bug report from James Winquist <winquist@mail.cybernet.com>
|
|
author: niklas
Indentation, bad greek
|
|
author: angelos
Don't add the callback at initialization time, we must set it before
each invokation.
author: angelos
Different policy/Keynote sessions per Phase 1 SA.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
|
|
author: niklas
Style and correct error reporting
author: provos
remove double free(buf), caused skeyid to point to skeyid_d when using USER_FQDN
author: niklas
More braindamage with USE_ macros
|
|
author: niklas
I must have been on drugs. X509 is not preshared key.
|
|
regress/dh/Makefile: Merge with EOM 1.7
regress/group/Makefile: Merge with EOM 1.9
regress/prf/Makefile: Merge with EOM 1.4
regress/rsakeygen/Makefile: Merge with EOM 1.8
regress/x509/Makefile: Merge with EOM 1.10
Makefile: Merge with EOM 1.62
attribute.c: Merge with EOM 1.10
sa.c: Merge with EOM 1.99
conf.c: Merge with EOM 1.20
crypto.c: Merge with EOM 1.28
isakmpd.c: Merge with EOM 1.45
connection.c: Merge with EOM 1.19
doi.h: Merge with EOM 1.28
field.c: Merge with EOM 1.11
exchange.c: Merge with EOM 1.116
ike_auth.c: Merge with EOM 1.44
pf_key_v2.c: Merge with EOM 1.37
ike_phase_1.c: Merge with EOM 1.22
ipsec.c: Merge with EOM 1.118
isakmp_doi.c: Merge with EOM 1.40
log.c: Merge with EOM 1.26
log.h: Merge with EOM 1.18
math_group.c: Merge with EOM 1.23
message.c: Merge with EOM 1.144
pf_encap.c: Merge with EOM 1.70
policy.c: Merge with EOM 1.18
timer.c: Merge with EOM 1.13
transport.c: Merge with EOM 1.41
udp.c: Merge with EOM 1.47
ui.c: Merge with EOM 1.37
x509.c: Merge with EOM 1.36
author: niklas
Made debug logging a compile time selectable feature
|
|
ike_auth.c: Merge with EOM 1.43
ike_phase_1.c: Merge with EOM 1.21
init.c: Merge with EOM 1.24
ipsec.c: Merge with EOM 1.117
isakmpd.c: Merge with EOM 1.44
math_group.c: Merge with EOM 1.22
author: niklas
Copyright 2000
author: niklas
Allow isakmpd builders to remove optional parts and save bytes.
|
|
apps/certpatch/certpatch.c: Merge with EOM 1.6
exchange.c: Merge with EOM 1.114
ike_quick_mode.c: Merge with EOM 1.110
ike_phase_1.c: Merge with EOM 1.16
ike_auth.c: Merge with EOM 1.41
ike_aggressive.c: Merge with EOM 1.4
libcrypto.c: Merge with EOM 1.10
libcrypto.h: Merge with EOM 1.10
isakmpd.8: Merge with EOM 1.19
isakmpd.c: Merge with EOM 1.42
ipsec.h: Merge with EOM 1.40
init.c: Merge with EOM 1.22
message.c: Merge with EOM 1.143
message.h: Merge with EOM 1.49
sa.c: Merge with EOM 1.98
sa.h: Merge with EOM 1.54
policy.c: Merge with EOM 1.14
pf_key_v2.c: Merge with EOM 1.36
x509.c: Merge with EOM 1.32
x509.h: Merge with EOM 1.9
udp.c: Merge with EOM 1.46
author: niklas
Angelos copyrights
|
|
author: angelos
Allow for new versions of SSLeay
author: angelos
Remove evil experimental code, fix off-by-1 buffer allocation.
|
|
|
|
author: angelos
When doing preshared key authentication, if the responder has the
initiator's ID (as is the case in aggressive mode) and a shared key
cannot be found for the initiator's address (as may be the case for a
roaming laptop user), try to find the password under using as a lookup
key the initiator's Phase 1 ID, if it's an IPv4 address, an FQDN
(host.domain), or a User-FQDN (user@host.domain). This allows us to
support roaming laptop users with preshared key authentication, using
aggressive mode (sick).
There is also a lot of experimental, insecure, and ifdef'd out code
for fetching credentials and secret passphrases from a remote server
if all else fails. Extremely experimental code. Don't use. You'll be
blinded and your hair will fall if you even think about using it. You
have been warned.
author: angelos
Complete policy work; tested for the shared-key case. Documentation needed.
author: ho
Compile without USE_LIBCRYPTO and HAVE_DLOPEN.
author: niklas
Missing dynamic link fixes
author: niklas
Add support for dynamic loading of optional facilities, libcrypto first.
|
|
samples/VPN-west.conf: Merge with EOM 1.7
samples/singlehost-west.conf: Merge with EOM 1.4
samples/singlehost-east.conf: Merge with EOM 1.4
README.PKI: Merge with EOM 1.3
ike_auth.c: Merge with EOM 1.33
isakmpd.conf.5: Merge with EOM 1.28
author: niklas
Moving the PRIVKEY tag into the X509-certificates section, renaming it to
Private-key. Also rename the keynote policy file.
|
|
regress/rsakeygen/rsakeygen.c: Merge with EOM 1.8
regress/x509/Makefile: Merge with EOM 1.6
regress/x509/x509test.c: Merge with EOM 1.6
regress/Makefile: Merge with EOM 1.8
samples/VPN-east.conf: Merge with EOM 1.6
samples/VPN-west.conf: Merge with EOM 1.6
samples/singlehost-east.conf: Merge with EOM 1.3
samples/singlehost-west.conf: Merge with EOM 1.3
sysdep/openbsd/Makefile.sysdep: Merge with EOM 1.5
x509.h: Merge with EOM 1.6
x509.c: Merge with EOM 1.17
DESIGN-NOTES: Merge with EOM 1.46
Makefile: Merge with EOM 1.55
cert.c: Merge with EOM 1.11
cert.h: Merge with EOM 1.6
exchange.c: Merge with EOM 1.109
exchange.h: Merge with EOM 1.26
ike_auth.c: Merge with EOM 1.32
ike_phase_1.c: Merge with EOM 1.7
init.c: Merge with EOM 1.16
isakmpd.conf.5: Merge with EOM 1.27
README.PKI: Merge with EOM 1.1
author: niklas
From Niels Provos, edited by me: certificate support using SSLeay
|
|
author: niklas
indent
|
|
doi.h: Merge with EOM 1.27
ike_auth.c: Merge with EOM 1.30
ike_quick_mode.c: Merge with EOM 1.85
ipsec.c: Merge with EOM 1.107
ipsec.h: Merge with EOM 1.36
isakmp_doi.c: Merge with EOM 1.39
author: niklas
Factor out keyed hashing of all payloads with SKEYID_a, and make DOI hooks
for informational exchanges to add such hashing. Use it from QM and the IKE
authentication module too. Remove some bogus XXX comments. Add error
reporting
|
|
Accept multiple CERT payloads. Some style nits.
Style. alloc error reporting. Math error propagation. Allocate right
sizes.
Memory alloc. error reporting
1999 copyrights
|
|
Only get the destination address when needed
RSA fixes and optimiations from Ilya Tsindlekht, via Niels Provos
|
|
| revision 1.23
| date: 1999/02/25 11:39:02; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
OpenBSD IPSEC stack by me, Niklas Hallqvist and Niels Provos, funded by
Ericsson Radio Systems. It is not yet complete or usable in a real scenario
but the missing pieces will soon be there. The early commit is for people
who wants early access and who are not afraid of looking at source.
isakmpd interops with Cisco, Timestep, SSH & Pluto (Linux FreeS/WAN) so
far, so it is not that incomplete. It is really mostly configuration that
is lacking.
|