Age | Commit message | Author
---|---|---
2012-06-30 | enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP. ok mikeb@ | Christian Weisgerber
2012-01-16 | import (and fix) net_addrcmp() from libc as a static function. It is going to get removed from libc and this file is the only one using it. discussed with deraadt@ guenther@ ok deraadt@ | Eric Faurot
2010-12-09 | When looking up an SA based on peer address, also check the port number. Without this, isakmpd deletes SAs from the same IP on an INITIAL-CONTACT message, possibly deleting unrelated NATed tunnels. Fixes PR 5562. Verified by Mikolaj Kucharski. ok mikeb@ | Martin Hedenfal
2010-09-22 | Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC (as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode). Thoroughly tested by me and naddy. Works fine with Linux. Requires updated pfkeyv2.h include file. ok naddy | Mike Belopuhov
2007-09-02 | use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg | Theo de Raadt
2007-06-02 | safer snprintf construct with more paranoid length calculation. ok millert | Peter Valchev
2007-04-16 | There's no point in checking ptr for NULL before doing free(ptr) since free(NULL) is just fine. ok hshoexer@ | Moritz Jodeit
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter
2006-08-30 | Back out r1.103, which caused SAs to leak until memory was exhausted. OK hshoexer, nathanael, mpf, "get that in" deraadt | Chad Loder
2006-06-02 | Big spelling cleanup, no binary change. From david@ | Hans-Joerg Hoexer
2006-05-31 | Make sure that phase 1 SAs of active connections stay alive. Fixes a DPD breakage noticed and reported by Mitja Muzenic. ok markus@ ho@, testing by Mitja and cloder@, discussed with Nathanael. | Hans-Joerg Hoexer
2006-05-29 | Do not use C++ comments. Noticed by markus. | Hans-Joerg Hoexer
2006-05-29 | Oops, return after calling sa_release() | Ryan Thomas McBride
2006-05-28 | Assign a finalization event to the exchange initiated on soft expiry. If the exchange fails, the existing phase 1 SA is invalidated and the exchange is retried at the Exchange-Max-Time interval until the SA hard timeout expires. Another sasyncd-related fix from nathanael at polymorpheous dot com. ok ho@ hshoexer@ | Ryan Thomas McBride
2006-05-28 | also report SA flags. | Hans-Joerg Hoexer
2005-09-23 | Provide UI commands to delete phase 1 SAs. Looks good moritz@ | Hans-Joerg Hoexer
2005-08-09 | Normalize attribute values before comparison. Unbreaks interop with netscreen. Noticed by Sean Knox. Testing by msf@, Sean Knox and others. Thanks! ok cloder@ msf@ | Hans-Joerg Hoexer
2005-07-25 | output some more information on UI command "S". ok ho@ | Hans-Joerg Hoexer
2005-07-22 | spacing and tiny knf | Hans-Joerg Hoexer
2005-04-08 | get rid of sysdep_sa_len. ok cloder@ | Hans-Joerg Hoexer
2005-04-08 | Make deterministic randomness (only ever used for testing) a compile-time option. Reduces chances of somehow setting regrand when it's not supposed to be set. Remove "-r" option from man page. Also xref certpatch(8) while we are in there. And remove some include sysdep.h where it is no longer needed. OK hshoexer | Chad Loder
2005-04-08 | keynote and policy always compiled in | Theo de Raadt
2005-04-08 | always enable aggressive, dpd, and isakmp_cfg | Theo de Raadt
2005-04-08 | nat-traversal always | Theo de Raadt
2005-04-06 | knf, ok cloder | Theo de Raadt
2005-04-06 | Always print transport information correctly. OK deraadt@ | Chad Loder
2005-04-04 | spacing; ok cloder | Theo de Raadt
2005-02-27 | where possible, use bzero instead of memset. ok cloder henning | Hans-Joerg Hoexer
2005-02-24 | disable the SA dpd timer on sa_free(). this avoids a race between DPD and initial contact (double free); ok hshoexer | Markus Friedl
2005-02-16 | On shutdown also send delete messages for isakmp SAs. ok ho | Hans-Joerg Hoexer
2005-01-30 | Avoid null pointer dereference when deleting not fully established SAs. ok ho@ | Hans-Joerg Hoexer
2004-08-10 | Better implementation of the Dead Peer Detection protocol, RFC 3706. hshoexer@ ok. | Hakan Olsson
2004-08-08 | spacing | Theo de Raadt
2004-08-02 | Do not expire unestablished phase 2 SAs on SIGHUP. ok ho@ | Hans-Joerg Hoexer
2004-06-21 | Implement NAT-T keepalive messages. | Hakan Olsson
2004-05-23 | More KNF. Mainly spaces and line-wraps, no binary change. ok ho@ | Hans-Joerg Hoexer
2004-05-13 | Extensions to the FIFO interface: "C get [section]:tag" fetches a configuration value. "C add [section]:tag=value" adds 'value' to a list, typically for the [Phase 2]:Connections tag. FIFO "S" command destination file changed. Various KNF cleanups. hshoexer@ ok. | Hakan Olsson
2004-04-15 | partial move to KNF. More to come. This has happened because there are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer | Theo de Raadt
2004-04-07 | -Wsign-compare nits. hshoexer@ ok. | Hakan Olsson
2004-04-07 | More careful when walking LIST queues. hshoexer@, david@ ok. | Hakan Olsson
2004-03-19 | Add missing bits to make already present privsep code work. Enable privsep. ok ho@ deraadt@ markus@ | Hans-Joerg Hoexer
2004-02-27 | (C)-2004 | Hakan Olsson
2004-02-27 | Follow RFC 2408 more closely regarding how to better check the proposal returned by the other peer (the responder). Some implementations (notably the Cisco PIX) do not follow a SHOULD in section 4.2 of the RFC. With certain proposal combinations this caused us to set up the wrong SA, resulting in us being unable to process incoming IPsec traffic (over this tunnel). Tested against a number of different IKE implementations. hshoexer@ ok. | Hakan Olsson
2004-01-06 | small typos fixed. ok markus@ | Hans-Joerg Hoexer
2003-07-25 | add sha2 support; ok ho@ | Markus Friedl
2003-06-04 | Remove the rest of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D. Keromytis and Niels Provos. | Hakan Olsson
2003-06-03 | Cleanup. Use 'sizeof variable' instead of magic constants. | Hakan Olsson
2003-05-18 | Add a debug message to sa_reinit() to indicate when we renegotiate active connections. | Hakan Olsson
2003-05-16 | If the "Renegotiate-on-HUP" tag is defined in the [General] section, a HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs, i.e. all connections. ok niklas@, tested and ok kjell@. | Hakan Olsson
2003-05-15 | Cleanup. Do not store the private key in either the exchange or sa structs. | Hakan Olsson