path: root/sbin/isakmpd/sa.c
Age | Commit message | Author
2001-01-14 | Handling of Phase 1 DELETE and Phase 2 INVALID_SPI messages | Angelos D. Keromytis
(newsham@lava.net)
2000-12-12 | Merge with EOM 1.112 | Niklas Hallqvist
author: niklas style author: angelos Don't limit Phase 1 SA establishment -- while this does limit resource consumption, it's neither foolproof nor entirely correct (it introduces some synchronization problems).
2000-10-16 | Merge with EOM 1.110 | Niklas Hallqvist
author: provos better referencing. okay niklas@ author: niklas Allow new and old style configuration simultaneously
2000-08-03 | Merge with EOM 1.108 | Niklas Hallqvist
author: niklas remove unnecessary include
2000-08-03 | Merge with EOM 1.107 | Niklas Hallqvist
author: provos provide transport dependent ID decoding; hope indentation is right now ;) author: provos make a DOI specific decode_ids, but have isakmp doi decode point to ipsec. author: provos introduce ipsec_decode_ids, also decodes FQDN and USER_FQDN now. new ipsec_clone_id to copy IDs to phase 2 SAs for better status reports. okay angelos@
2000-06-08 | Merge with EOM 1.104 | Niklas Hallqvist
author: angelos Allow exchange of KeyNote credentials over IKE. Multiple credentials may be passed in a single CERT payload. KeyNote is used if a directory named as the local ID we use in an exchange exists in the KeyNote directory (default: /etc/isakmpd/keynote/). Note that asymmetric credentials are possible (use KeyNote in one direction and X509 in the other); such authentication is envisioned to be the most common: the clients will use KeyNote credentials to authenticate and authorize with a server, whilst the server will just provide an X509 certificate proving its binding to the IP address or ID. Totally asymmetric authentication (e.g., shared key in one direction, RSA in the other) is not supported by the IKE protocol. author: angelos Cleanup.
2000-05-02 | Merge with EOM 1.102 | Niklas Hallqvist
author: provos fix arguments in debug message for sa_setup_expirations
2000-04-07 | conf.c: Merge with EOM 1.22 | Niklas Hallqvist
gmp_util.c: Merge with EOM 1.5 gmp_util.h: Merge with EOM 1.3 math_mp.h: Merge with EOM 1.2 sa.c: Merge with EOM 1.101 ui.c: Merge with EOM 1.40 author: niklas (c) 2000
2000-04-07 | conf.c: Merge with EOM 1.21 | Niklas Hallqvist
isakmpd.c: Merge with EOM 1.46 sa.c: Merge with EOM 1.100 ui.c: Merge with EOM 1.39 author: niklas error message style
2000-02-25 | regress/crypto/Makefile: Merge with EOM 1.5 | Niklas Hallqvist
regress/dh/Makefile: Merge with EOM 1.7 regress/group/Makefile: Merge with EOM 1.9 regress/prf/Makefile: Merge with EOM 1.4 regress/rsakeygen/Makefile: Merge with EOM 1.8 regress/x509/Makefile: Merge with EOM 1.10 Makefile: Merge with EOM 1.62 attribute.c: Merge with EOM 1.10 sa.c: Merge with EOM 1.99 conf.c: Merge with EOM 1.20 crypto.c: Merge with EOM 1.28 isakmpd.c: Merge with EOM 1.45 connection.c: Merge with EOM 1.19 doi.h: Merge with EOM 1.28 field.c: Merge with EOM 1.11 exchange.c: Merge with EOM 1.116 ike_auth.c: Merge with EOM 1.44 pf_key_v2.c: Merge with EOM 1.37 ike_phase_1.c: Merge with EOM 1.22 ipsec.c: Merge with EOM 1.118 isakmp_doi.c: Merge with EOM 1.40 log.c: Merge with EOM 1.26 log.h: Merge with EOM 1.18 math_group.c: Merge with EOM 1.23 message.c: Merge with EOM 1.144 pf_encap.c: Merge with EOM 1.70 policy.c: Merge with EOM 1.18 timer.c: Merge with EOM 1.13 transport.c: Merge with EOM 1.41 udp.c: Merge with EOM 1.47 ui.c: Merge with EOM 1.37 x509.c: Merge with EOM 1.36 author: niklas Made debug logging a compile time selectable feature
2000-02-01 | apps/certpatch/certpatch.8: Merge with EOM 1.4 | Niklas Hallqvist
apps/certpatch/certpatch.c: Merge with EOM 1.6 exchange.c: Merge with EOM 1.114 ike_quick_mode.c: Merge with EOM 1.110 ike_phase_1.c: Merge with EOM 1.16 ike_auth.c: Merge with EOM 1.41 ike_aggressive.c: Merge with EOM 1.4 libcrypto.c: Merge with EOM 1.10 libcrypto.h: Merge with EOM 1.10 isakmpd.8: Merge with EOM 1.19 isakmpd.c: Merge with EOM 1.42 ipsec.h: Merge with EOM 1.40 init.c: Merge with EOM 1.22 message.c: Merge with EOM 1.143 message.h: Merge with EOM 1.49 sa.c: Merge with EOM 1.98 sa.h: Merge with EOM 1.54 policy.c: Merge with EOM 1.14 pf_key_v2.c: Merge with EOM 1.36 x509.c: Merge with EOM 1.32 x509.h: Merge with EOM 1.9 udp.c: Merge with EOM 1.46 author: niklas Angelos copyrights
1999-08-26 | ike_phase_1.c: Merge with EOM 1.8 | Niklas Hallqvist
message.c: Merge with EOM 1.135 message.h: Merge with EOM 1.48 sa.c: Merge with EOM 1.97 sa.h: Merge with EOM 1.53 author: angelos Complete policy work; tested for the shared-key case. Documentation needed.
1999-07-07 | Merge with EOM 1.96 | Niklas Hallqvist
author: ho We no longer use flag "Stayalive"
1999-06-02 | Merge with EOM 1.95 | Niklas Hallqvist
author: niklas Some extra error checking, documentation and style wrt connections author: ho New flag author: niklas SA expiration randomization is really only good on the soft timeout, early hard expires may break more if we have a situation where our peer only wants to act as initiator, and trusts the negotiated lifetime.
1999-05-14 | Merge with EOM 1.92 | Niklas Hallqvist
author: ho seconds should have initial value
1999-05-06 | Merge with EOM 1.91 | Niklas Hallqvist
author: niklas Do not decrease SA lifetime if we cannot act as initiator
1999-05-01 | TO-DO: Merge with EOM 1.36 | Niklas Hallqvist
sa.c: Merge with EOM 1.90 message.c: Merge with EOM 1.131 message.h: Merge with EOM 1.47 author: niklas Send DELETE payloads in informational exchanges
1999-04-30 | Merge with EOM 1.89 | Niklas Hallqvist
author: niklas Do not put multiple expirations on a single SA
1999-04-27 | sa.c: Merge with EOM 1.88 | Niklas Hallqvist
sa.h: Merge with EOM 1.51 author: niklas Handle leftover payloads, esp INITIAL CONTACT notifications. Factor out SA expiration setting. Add commentary. author: ho Keep track of trailing retransmissions by keeping exchanges around longer. Removed references to sa->last_sent_in_setup, use last_sent and last_received in exchange instead. Free setup exchanges by expiration only. author: ho Backout last change. (Go with exchange directly instead of sa->msg) author: ho Handle phase 2 late retransmissions.
1999-04-20 | Merge with EOM 1.84 | Niklas Hallqvist
author: ho Style
1999-04-19 | ./sa.c: Merge with EOM 1.83 | Niklas Hallqvist
Off by one (< -> <=) Added classes LOG_SA and LOG_EXCHANGE, converted many LOG_MISC to new classes, adjusted levels slightly. More SA logging. Simplify the checks of existing exchanges by moving it into exchange_establish. This means we need to change the finalize API. Try to make PF_ENCAP support handle multiple connections to a single security gateway. Dump the SA refcount when doing sa_dump Add LOG_REPORT to always go to logchannel regardless of level; misc small fixes Remove SA_FLAG_REPLACED settings from various parts in preparation of a grand unified setting in exchange_finalize. Fix sa_mark_replaced to not release a reference to the sa, and adjust the API as it won't get called as a finalize func anymore. Garbage collect transports via refcounting. Fix commentary.
1999-04-05 | Merge with EOM 1.76 | Niklas Hallqvist
Allocation failure reporting. Debug printouts. Typecast correctly. New finalize API. Free keystate.
1999-04-02 | Merge with EOM 1.74 | Niklas Hallqvist
refcounting on exchanges Do not malloc zero bytes, some implementations dislike Only find non-replaced SAs when searching by name resource track exchange->name and sa->name
1999-03-31 | Merge with EOM 1.70 | Niklas Hallqvist
Add refcounting to SA's. Make phase 1 expirations be able to cause renegotiations if configured to.
1999-03-31 | Merge with EOM 1.69 | Niklas Hallqvist
Add debugging. Provide a way to say an SA has been replaced wrt the flows. Do not free the flow information before calling the sysdep delete_spi routine, as it may use it.
1999-03-24 | Merge with EOM 1.68 | Niklas Hallqvist
Stash SPIs in the right slots
1999-03-02 | sa.c: Merge with EOM 1.67 | Niklas Hallqvist
Add SA attributes, specifically stayalive sa.h: Merge with EOM 1.42 Add SA attributes, specifically stayalive pf_encap.c: Merge with EOM 1.46 Add SA attributes, specifically stayalive exchange.c: Merge with EOM 1.65 Add SA attributes, specifically stayalive
1999-02-26 | Merge from the Ericsson repository | Niklas Hallqvist
| revision 1.66
| date: 1999/02/25 11:39:20; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------
| revision 1.65
| date: 1999/02/25 10:21:33; author: niklas; state: Exp; lines: +2 -2
| Replay window changes were done at the wrong level
| ----------------------------
| revision 1.64
| date: 1999/02/25 09:30:30; author: niklas; state: Exp; lines: +6 -1
| Replay protection window configurable
| ----------------------------
| revision 1.63
| date: 1999/02/14 00:11:38; author: niklas; state: Exp; lines: +52 -27
| Generalize how to find SAs with given attributes. Do SA expiration both hard
| and soft, and do not rekey automatically anymore. We will revisit this by
| adding some kind of policy what to do at these times. Improve commentary
| ----------------------------
| revision 1.62
| date: 1999/02/06 15:07:23; author: niklas; state: Exp; lines: +3 -1
| remove reference to rekey event when it has happened
| ----------------------------
1998-12-21 | Last month's worth of work on isakmpd, lots done | Niklas Hallqvist
1998-11-20 | typo | Niklas Hallqvist
1998-11-17 | From the EOM repos: Only find ready ISAKMP SAs in | Niklas Hallqvist
sa_isakmp_lookup_by_peer
1998-11-17 | Add RCS Ids from the EOM repository | Niklas Hallqvist
1998-11-15 | openBSD RCS IDs | Niklas Hallqvist
1998-11-15 | Initial import of isakmpd, an IKE (ISAKMP/Oakley) implementation for the | Niklas Hallqvist
OpenBSD IPSEC stack by me, Niklas Hallqvist and Niels Provos, funded by Ericsson Radio Systems. It is not yet complete or usable in a real scenario but the missing pieces will soon be there. The early commit is for people who want early access and who are not afraid of looking at source. isakmpd interops with Cisco, Timestep, SSH & Pluto (Linux FreeS/WAN) so far, so it is not that incomplete. It is really mostly configuration that is lacking.