path: root/sbin/isakmpd/ipsec.c
| Age | Commit message | Author |
|---|---|---|
| 2007-09-02 | use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg | Theo de Raadt |
| 2007-07-31 | Use correct function name in log message. Noticed by Igor Zinovk zinovik@cs.karelia.ru. Thanks! | Hans-Joerg Hoexer |
| 2007-04-16 | There's no point in checking ptr for NULL before doing free(ptr) since free(NULL) is just fine. ok hshoexer@ | Moritz Jodeit |
| 2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter |
| 2006-06-10 | support sha2 for main mode hmacs and aesctr for quick mode encryption. ok markus@ ho@ | Hans-Joerg Hoexer |
| 2006-06-09 | Allow for AH the use of the authentication algorithms added a while ago. Fix the indentation while we're here. ok hshoexer@ | Christian Weisgerber |
| 2006-05-29 | Fix broken merge of patch. Pointed out by nathanael at polymorpheus dot com. | Ryan Thomas McBride |
| 2006-05-28 | Change the default replay window for SAs created by the isakmpd responder to be DEFAULT_REPLAY_WINDOW instead of zero. The default replay window is then the same for both initiator and receiver. Fix from nathanael at polymorpheous dot com. ok hshoexer@ | Ryan Thomas McBride |
| 2005-09-23 | Provide UI commands to delete phase 1 SAs. Looks good mortiz@ | Hans-Joerg Hoexer |
| 2005-06-25 | /* Fallthrough. */ -> /* FALLTHROUGH */ now that's useable with lint | Hans-Joerg Hoexer |
| 2005-06-14 | add ENCAP_UDP_{TUNNEL,TRANSPORT} types according to rfc 3947 ok markus | Hans-Joerg Hoexer |
| 2005-05-26 | Use TAILQ_FOREACH where possible, remove payload_last() ok markus | Hans-Joerg Hoexer |
| 2005-05-04 | clean up KEY_API() wrapper. ok ho@ | Hans-Joerg Hoexer |
| 2005-04-08 | get rid of sysdep_sa_len ok cloder@ | Hans-Joerg Hoexer |
| 2005-04-08 | USE_DEBUG is bye bye | Theo de Raadt |
| 2005-04-08 | always enable aggressive, dpd, and isakmp_cfg | Theo de Raadt |
| 2005-04-08 | nat-traversal always | Theo de Raadt |
| 2005-04-08 | kill USE_OLD_SOCKADDR | Theo de Raadt |
| 2005-04-06 | knf, ok cloder | Theo de Raadt |
| 2005-04-05 | Always compile X509 support. Almost everyone uses it. Makes the code much easier to read and to maintain. OK and testing by hshoexer@, more testing by me | Chad Loder |
| 2005-04-04 | spacing; ok cloder | Theo de Raadt |
| 2005-04-04 | fix byteorder confusion ok cloder ho | Hans-Joerg Hoexer |
| 2005-03-29 | Always use network byte order when stuffing port numbers into IPSEC ID packets. This reinstates the correct part of r1.106 which did ntohs incorrectly on received port numbers already in host byte order. OK ho@ | Chad Loder |
| 2005-03-18 | Back out a possible bogus minor diff until we investigate what broke. OK deraadt@ | Chad Loder |
| 2005-03-05 | Always use correct byte order when stuffing port numbers into packets. OK hshoexer@, ho@ | Chad Loder |
| 2004-12-14 | Allow the Address, Network, or Netmask values of the <IPsec-ID> to be specified with an interface name (in which case the first address is used) or the keyword 'default' (in which case the address is selected based on the default route). eg: [roadwarrior-ip] ID-type= IPV4_ADDR Address= default ok ho@ hshoexer@ | Ryan Thomas McBride |
| 2004-09-17 | Missing #ifdefs. | Hakan Olsson |
| 2004-08-10 | Better implementation of the Dead Peer Detection protocol, RFC 3706. hshoexer@ ok. | Hakan Olsson |
| 2004-08-08 | spacing | Theo de Raadt |
| 2004-06-23 | Add commandline switch -a / config tag "Acquire-Only" to tell isakmpd to not touch flows. initial work by markus ok markus@ ho@ henning@ | Hans-Joerg Hoexer |
| 2004-06-21 | Implement NAT-T keepalive messages. | Hakan Olsson |
| 2004-06-21 | style nit | Hakan Olsson |
| 2004-06-20 | Make the payload array in struct message dynamic, since we need to handle payloads in the private range, such as the pre-RFC NAT-D/NAT-OA. Replace TAILQ_FIRST(&msg->payload[i]) instances with function calls. | Hakan Olsson |
| 2004-06-20 | NAT-Traversal for isakmpd. Work in progress... hshoexer@ ok. | Hakan Olsson |
| 2004-06-17 | Yet another bunch of memleaks found and fixed by Patrick Latifi. Thanks! ok ho@ | Hans-Joerg Hoexer |
| 2004-06-16 | fix ipv6-address and ipv6-address-mask mixup. Found by Patrick Latifi. Thanks! ok ho@ | Hans-Joerg Hoexer |
| 2004-06-14 | KNF, style, 80c, etc. hshoexer@ ok | Hakan Olsson |
| 2004-06-10 | Mark authenticated messages explicitly. Better check for authentication before deleting SAs. This fix is needed to solve the problems reported by Thomas Walpuski, previous diff was not sufficient. Pointed out by Thomas. Thanks! ok ho@ niklas@, testing and spellcheck by todd@ msf@ | Hans-Joerg Hoexer |
| 2004-06-09 | Style nits. hshoexer@ ok | Hakan Olsson |
| 2004-05-23 | More KNF. Mainly spaces and line-wraps, no binary change. ok ho@ | Hans-Joerg Hoexer |
| 2004-05-19 | Permit symbolic protocol and service names, such as "Protocol= tcp", in the <IPsec-ID> sections. hshoexer@ ok | Hakan Olsson |
| 2004-04-15 | partial move to KNF. More to come. This has happened because there are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer | Theo de Raadt |
| 2004-04-07 | -Wsign-compare nits. hshoexer@ ok. | Hakan Olsson |
| 2004-03-10 | Fix payload handling flaws found by cloder@. Based on initial patch by cloder@. Testing by markus@ cloder@ hshoexer@. ok ho@ | Hans-Joerg Hoexer |
| 2004-02-27 | Remove dead code. ok ho@ | Hans-Joerg Hoexer |
| 2004-01-03 | Be more careful with INITIAL-CONTACT and do not delete SPIs when getting an INVALID-SPI notification. Issues noted by Thomas Walpuski. markus@ ok. | Hakan Olsson |
| 2003-12-15 | Support for groups modp2048, modp3072, modp4096, modp6144 and modp8192 (IDs 14 to 18). ok ho@ | Hans-Joerg Hoexer |
| 2003-11-06 | Style nits. | Hakan Olsson |
| 2003-11-06 | spis[] type tweak. From Hans-Joerg Hoexer. | Hakan Olsson |
| 2003-10-14 | constant_lookup() to constant_name() cleanup. markus@ ok. | Hakan Olsson |