summaryrefslogtreecommitdiff
path: root/sbin/isakmpd/sa.c
AgeCommit message (Collapse)Author
2012-06-30enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESPChristian Weisgerber
ok mikeb@
2012-01-16import (and fix) net_addrcmp() from libc as a static function.Eric Faurot
It is going to get removed from libc and this file is the only one using it. discussed with deraadt@ guenther@ ok deraadt@
2010-12-09When looking up an SA based on peer address, also check the portMartin Hedenfal
number. Without this, isakmpd deletes SAs from the same IP on an INITIAL-CONTACT message, possibly deleting unrelated NATed tunnels. Fixes PR 5562. Verified by Mikolaj Kucharski. ok mikeb@
2010-09-22Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMACMike Belopuhov
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode). Thoroughly tested by me and naddy. Works fine with Linux. Requires updated pfkeyv2.h include file. ok naddy
2007-09-02use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsgTheo de Raadt
2007-06-02safer snprintf construct with more paranoid length calculationPeter Valchev
ok millert
2007-04-16There's no point in checking ptr for NULL before doing free(ptr)Moritz Jodeit
since free(NULL) is just fine. ok hshoexer@
2006-11-24add support to tag ipsec traffic belonging to specific IKE-initiatedReyk Floeter
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
2006-08-30Back out r1.103, which caused SA's to leak until memory was exhausted.Chad Loder
OK hshoexer, nathanael, mpf, "get that in" deraadt
2006-06-02Big spelling cleanup, no binary change. From david@Hans-Joerg Hoexer
2006-05-31Make sure, that phase 1 SAs of active connections stay alive. Fixes a DPDHans-Joerg Hoexer
breakage noticed and reported by Mitja Muzenic. ok markus@ ho@, testing by Mitja and cloder@, discussed with Nathanael.
2006-05-29Do not use C++ comments. Noticed by markus.Hans-Joerg Hoexer
2006-05-29Oops, return after calling sa_release()Ryan Thomas McBride
2006-05-28Assign a finalization event to the exchange initiated on soft expiry.Ryan Thomas McBride
If the exchange fails, the existing phase 1 SA is invalidated and the exchange is retried at the Exchange-Max-Time interval until the SA hard timeout expires. Another sasyncd-related fix from nathanael at polymorpheous dot com ok ho@ hshoexer@
2006-05-28also report SA flags.Hans-Joerg Hoexer
2005-09-23Provide UI commands to delete phase 1 SAs.Hans-Joerg Hoexer
Looks good mortiz@
2005-08-09Normalize attribute values before comparison. Unbreaks interop with netscreen.Hans-Joerg Hoexer
Noticed by Sean Knox. Testing by msf@, Sean Knox and others. Thanks! ok cloder@ msf@
2005-07-25output some more information on UI command "S"Hans-Joerg Hoexer
ok ho@
2005-07-22spacing and tiny knfHans-Joerg Hoexer
2005-04-08get rid of sysdep_sa_lenHans-Joerg Hoexer
ok cloder@
2005-04-08Make deterministic randomness (only ever used for testing) a compile-timeChad Loder
option. Reduces chances of somehow setting regrand when it's not supposed to be set. Remove "-r" option from man page. Also xref certpatch(8) while we are in there. And remove some include sysdep.h where it is no longer needed. OK hshoexer
2005-04-08keynote and policy always compiled inTheo de Raadt
2005-04-08always enable aggressive, dpd, and isakmp_cfgTheo de Raadt
2005-04-08nat-traversal alwaysTheo de Raadt
2005-04-06knf, ok cloderTheo de Raadt
2005-04-06Always print transport information correctly.Chad Loder
OK deraadt@
2005-04-04spacing; ok cloderTheo de Raadt
2005-02-27where possible, use bzero instead of memsetHans-Joerg Hoexer
ok cloder henning
2005-02-24disable the SA dpd timer on sa_free(). this avoid a raceMarkus Friedl
between DPD and initial contact (double free); ok hshoexer
2005-02-16On shutdown also send delete messages for isakmp SAs.Hans-Joerg Hoexer
ok ho
2005-01-30Avoid null pointer dereference when deleting not fully established SAs.Hans-Joerg Hoexer
ok ho@
2004-08-10Better implementation of the Dead Peer Detection protocol, RFC 3706.Hakan Olsson
hshoexer@ ok.
2004-08-08spacingTheo de Raadt
2004-08-02Do not expire unestablished phase 2 SAs on SIGHUP.Hans-Joerg Hoexer
ok ho@
2004-06-21Implement NAT-T keepalive messages.Hakan Olsson
2004-05-23More KNF. Mainly spaces and line-wraps, no binary change.Hans-Joerg Hoexer
ok ho@
2004-05-13Extensions to the FIFO interface:Hakan Olsson
"C get [section]:tag" fetches a configuration value. "C add [section]:tag=value" adds 'value' to a list, typically for the [Phase 2]:Connections tag. FIFO "S" command destination file changed. Various KNF cleanups. hshoexer@ ok.
2004-04-15partial move to KNF. More to come. This has happened because thereTheo de Raadt
are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer
2004-04-07-Wsign-compare nits. hshoexer@ ok.Hakan Olsson
2004-04-07More careful when walking LIST queues. hshoexer@, david@ ok.Hakan Olsson
2004-03-19Add missing bits to make already present privsep code work. Enable privsep.Hans-Joerg Hoexer
ok ho@ deraadt@ markus@
2004-02-27(C)-2004Hakan Olsson
2004-02-27Follow RFC 2408 more closely regarding how to better check the proposalHakan Olsson
returned by the other peer (the responder). Some implementations (notably the Cisco PIX) does not follow a SHOULD in section 4.2 of the RFC. With certain proposal combinations this caused us to setup the wrong SA resulting in us being unable to process incoming IPsec traffic (over this tunnel). Tested against a number of different IKE implementations. hshoexer@ ok.
2004-01-06small typos fixed.Hans-Joerg Hoexer
ok markus@
2003-07-25add sha2 support; ok ho@Markus Friedl
2003-06-04Remove the rest of clauses 3 and 4. Approved by Niklas Hallqvist, AngelosHakan Olsson
D. Keromytis and Niels Provos.
2003-06-03Cleanup. Use 'sizeof variable' instead of magic constants.Hakan Olsson
2003-05-18Add a debug message to sa_reinit() to indicate when we renegotiateHakan Olsson
active connections.
2003-05-16If the "Renegotiate-on-HUP" tag is defined in the [General] section, aHakan Olsson
HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs, i.e all connections. ok niklas@, tested and ok kjell@.
2003-05-15Cleanup. Do not store the private key in either the exchange or sa structs.Hakan Olsson