src - OpenBSD base system

Age	Commit message (Collapse)	Author
2012-06-30	enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP	Christian Weisgerber
	ok mikeb@
2011-10-20	For NAT-T with transport mode, use the ISAKMP's SA addresses for the	YASUOKA Masahiko
	flow instead of the ID payload. This will fix a part of problems of L2TP/IPsec from NAT'd clients. ok markus@ tested by markus@ and myself.
2010-09-22	Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC	Mike Belopuhov
	(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode). Thoroughly tested by me and naddy. Works fine with Linux. Requires updated pfkeyv2.h include file. ok naddy
2010-06-29	Replace the hand-crafted Diffie-Hellman implementation in isakmpd with	Reyk Floeter
	the smaller implementation from iked that is using libcrypto instead. This allows to remove a lot of code (which is always good), get rid of some custom crypto code by using libcrypto, theoretically adds support for many new MODP and EC2N/ECP modes (but it is not configurable yet), and allows to share the dh.c/dh.h code in different codebases (it is identical in isakmpd and iked, but could also be used elsewhere). ok deraadt@
2010-03-04	don't crash on invalid phase 2 IDs; from hshoexer; ok sthen@	Markus Friedl

2010-01-10	only substract ISAKMP_ID_DATA_OFF once. otherwise 'buf' might overflow	Markus Friedl
	and/or ASN1-DNs get not parsed correctly; with and ok krw@; ok reyk@
2009-01-29	Improve logging:	Hans-Joerg Hoexer
	- in ipsec_delete_spi_list() a log_verbose is added, when a remote peer sends us a delete message for an SA. However, to avoid spamming the log when SAs are deleted during re-keying, I only log_verbose, when the soft timeout of the SA is not expired yet. Thus only deletion of live SAs gets logged. - in ipsec_decode_ids() I remove the additonal printing of IP-Adresses in hex as the addresses are already printed in CIDR. - while there, apply some KNF ok todd@, mpf@, bluhm@
2009-01-20	Add support to isakmpd(8) and ipsecctl(8) to install SA's with a	Marco Pfatschbacher
	different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
2007-09-02	use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg	Theo de Raadt

2007-07-31	Use correct function name in log message. Noticed by Igor Zinovk	Hans-Joerg Hoexer
	zinovik@cs.karelia.ru. Thanks!
2007-04-16	There's no point in checking ptr for NULL before doing free(ptr)	Moritz Jodeit
	since free(NULL) is just fine. ok hshoexer@
2006-11-24	add support to tag ipsec traffic belonging to specific IKE-initiated	Reyk Floeter
	phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
2006-06-10	support sha2 for main mode hmacs and aesctr for quick mode encryption.	Hans-Joerg Hoexer
	ok markus@ ho@
2006-06-09	Allow for AH the use of the authentication algorithms added a while ago.	Christian Weisgerber
	Fix the indentation while we're here. ok hshoexer@
2006-05-29	Fix broken merge of patch. Pointed out by nathanael at polymorpheus dot com.	Ryan Thomas McBride

2006-05-28	Change the default replay window for SAs created by the isakmpd responder	Ryan Thomas McBride
	to be DEFAULT_REPLAY_WINDOW instead of zero. The default replay window is then the same for both initiator and receiver. Fix from nathanael at polymorpheous dot com. ok hshoexer@
2005-09-23	Provide UI commands to delete phase 1 SAs.	Hans-Joerg Hoexer
	Looks good mortiz@
2005-06-25	/* Fallthrough. / -> / FALLTHROUGH */	Hans-Joerg Hoexer
	now that's useable with lint
2005-06-14	add ENCAP_UDP_{TUNNEL,TRANSPORT} types according to rfc 3947	Hans-Joerg Hoexer
	ok markus
2005-05-26	Use TAILQ_FOREACH where possible, remove payload_last()	Hans-Joerg Hoexer
	ok markus
2005-05-04	clean up KEY_API() wrapper.	Hans-Joerg Hoexer
	ok ho@
2005-04-08	get rid of sysdep_sa_len	Hans-Joerg Hoexer
	ok cloder@
2005-04-08	USE_DEBUG is bye bye	Theo de Raadt

2005-04-08	always enable aggressive, dpd, and isakmp_cfg	Theo de Raadt

2005-04-08	nat-traversal always	Theo de Raadt

2005-04-08	kill USE_OLD_SOCKADDR	Theo de Raadt

2005-04-06	knf, ok cloder	Theo de Raadt

2005-04-05	Always compile X509 support. Almost everyone uses it. Makes the code	Chad Loder
	much easier to read and to maintain. OK and testing by hshoexer@, more testing by me
2005-04-04	spacing; ok cloder	Theo de Raadt

2005-04-04	fix byteorder confusion	Hans-Joerg Hoexer
	ok cloder ho
2005-03-29	Always use network byte order when stuffing port numbers into IPSEC ID	Chad Loder
	packets. This reinstates the correct part of r1.106 which did ntohs incorrectly on received port numbers already in host byte order. OK ho@
2005-03-18	Back out a possible bogus minor diff until we investigate what	Chad Loder
	broke. OK deraadt@
2005-03-05	Always use correct byte order when stuffing port numbers into packets.	Chad Loder
	OK hshoexer@, ho@
2004-12-14	Allow the Address, Network, or Netmask values of the <IPsec-ID> to be	Ryan Thomas McBride
	specified with an interface name (in which case the first address is used) or the keyword 'default' (in which case the address is selected based on the default route). eg: [roadwarrior-ip] ID-type= IPV4_ADDR Address= default ok ho@ hshoexer@
2004-09-17	Missing #ifdefs.	Hakan Olsson

2004-08-10	Better implementation of the Dead Peer Detection protocol, RFC 3706.	Hakan Olsson
	hshoexer@ ok.
2004-08-08	spacing	Theo de Raadt

2004-06-23	Add commandline switch -a / config tag "Acquire-Only" to tell isakmpd to not	Hans-Joerg Hoexer
	touch flows. initial work by markus ok markus@ ho@ henning@
2004-06-21	Implement NAT-T keepalive messages.	Hakan Olsson

2004-06-21	style nit	Hakan Olsson

2004-06-20	Make the payload array in struct message dynamic, since we need to handle	Hakan Olsson
	payloads in the private range, such as the pre-RFC NAT-D/NAT-OA. Replace TAILQ_FIRST(&msg->payload[i]) instances with function calls.
2004-06-20	NAT-Traversal for isakmpd. Work in progress...	Hakan Olsson
	hshoexer@ ok.
2004-06-17	Yet another bunch of memleask found and fixed by Patrick Latifi. Thanks!	Hans-Joerg Hoexer
	ok ho@
2004-06-16	fix ipv6-address and ipv6-address-mask mixup.	Hans-Joerg Hoexer
	Found by Patrick Latifi. Thanks! ok ho@
2004-06-14	KNF, style, 80c, etc. hshoexer@ ok	Hakan Olsson

2004-06-10	Mark authenticated messages explicitly. Better check for authentication before	Hans-Joerg Hoexer
	deleteing SAs. This fix is needed to solve the problems reported by Thomas Walpuski, previous diff was not sufficient. Pointed out by Thomas. Thanks! ok ho@ niklas@, testing and spellcheck by todd@ msf@
2004-06-09	Style nits. hshoexer@ ok	Hakan Olsson

2004-05-23	More KNF. Mainly spaces and line-wraps, no binary change.	Hans-Joerg Hoexer
	ok ho@
2004-05-19	Permit symbolic protocol and service names, such as "Protocol= tcp", in the	Hakan Olsson
	<IPsec-ID> sections. hshoexer@ ok
2004-04-15	partial move to KNF. More to come. This has happened because there	Theo de Raadt
	are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer