Age | Commit message | Author
failed SAs don't cause the default policy context to be freed (and
thus cause no end of trouble in establishing further Phase 1 SAs)
discovered to have rebooted, and old, now invalid SAs had to be garbage-collected.
by newsham@lava.net)
(newsham@lava.net)
author: niklas
style
author: angelos
Don't limit Phase 1 SA establishment -- while this does limit resource
consumption, it's neither foolproof nor entirely correct (it
introduces some synchronization problems).
author: provos
better referencing. okay niklas@
author: niklas
Allow new and old style configuration simultaneously
author: niklas
remove unnecessary include
author: provos
provide transport dependent ID decoding; hope indentation is right now ;)
author: provos
make a DOI specific decode_ids, but have isakmp doi decode point to
ipsec.
author: provos
introduce ipsec_decode_ids, also decodes FQDN and USER_FQDN now.
new ipsec_clone_id to copy IDs to phase 2 SAs for better status
reports. okay angelos@
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: angelos
Cleanup.
author: provos
fix arguments in debug message for sa_setup_expirations
gmp_util.c: Merge with EOM 1.5
gmp_util.h: Merge with EOM 1.3
math_mp.h: Merge with EOM 1.2
sa.c: Merge with EOM 1.101
ui.c: Merge with EOM 1.40
author: niklas
(c) 2000
isakmpd.c: Merge with EOM 1.46
sa.c: Merge with EOM 1.100
ui.c: Merge with EOM 1.39
author: niklas
error message style
regress/dh/Makefile: Merge with EOM 1.7
regress/group/Makefile: Merge with EOM 1.9
regress/prf/Makefile: Merge with EOM 1.4
regress/rsakeygen/Makefile: Merge with EOM 1.8
regress/x509/Makefile: Merge with EOM 1.10
Makefile: Merge with EOM 1.62
attribute.c: Merge with EOM 1.10
sa.c: Merge with EOM 1.99
conf.c: Merge with EOM 1.20
crypto.c: Merge with EOM 1.28
isakmpd.c: Merge with EOM 1.45
connection.c: Merge with EOM 1.19
doi.h: Merge with EOM 1.28
field.c: Merge with EOM 1.11
exchange.c: Merge with EOM 1.116
ike_auth.c: Merge with EOM 1.44
pf_key_v2.c: Merge with EOM 1.37
ike_phase_1.c: Merge with EOM 1.22
ipsec.c: Merge with EOM 1.118
isakmp_doi.c: Merge with EOM 1.40
log.c: Merge with EOM 1.26
log.h: Merge with EOM 1.18
math_group.c: Merge with EOM 1.23
message.c: Merge with EOM 1.144
pf_encap.c: Merge with EOM 1.70
policy.c: Merge with EOM 1.18
timer.c: Merge with EOM 1.13
transport.c: Merge with EOM 1.41
udp.c: Merge with EOM 1.47
ui.c: Merge with EOM 1.37
x509.c: Merge with EOM 1.36
author: niklas
Made debug logging a compile time selectable feature
apps/certpatch/certpatch.c: Merge with EOM 1.6
exchange.c: Merge with EOM 1.114
ike_quick_mode.c: Merge with EOM 1.110
ike_phase_1.c: Merge with EOM 1.16
ike_auth.c: Merge with EOM 1.41
ike_aggressive.c: Merge with EOM 1.4
libcrypto.c: Merge with EOM 1.10
libcrypto.h: Merge with EOM 1.10
isakmpd.8: Merge with EOM 1.19
isakmpd.c: Merge with EOM 1.42
ipsec.h: Merge with EOM 1.40
init.c: Merge with EOM 1.22
message.c: Merge with EOM 1.143
message.h: Merge with EOM 1.49
sa.c: Merge with EOM 1.98
sa.h: Merge with EOM 1.54
policy.c: Merge with EOM 1.14
pf_key_v2.c: Merge with EOM 1.36
x509.c: Merge with EOM 1.32
x509.h: Merge with EOM 1.9
udp.c: Merge with EOM 1.46
author: niklas
Angelos copyrights
message.c: Merge with EOM 1.135
message.h: Merge with EOM 1.48
sa.c: Merge with EOM 1.97
sa.h: Merge with EOM 1.53
author: angelos
Complete policy work; tested for the shared-key case. Documentation needed.
author: ho
We no longer use flag "Stayalive"
author: niklas
Some extra error checking, documentation and style wrt connections
author: ho
New flag
author: niklas
SA expiration randomization is really only good on the soft timeout; early
hard expires may break more if we have a situation where our peer only
wants to act as initiator and trusts the negotiated lifetime.
author: ho
seconds should have initial value
author: niklas
Do not decrease SA lifetime if we cannot act as initiator
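The two entries above ("SA expiration randomization is really only good on the soft timeout" and "Do not decrease SA lifetime if we cannot act as initiator") together describe one scheduling policy: the hard expiry honours the lifetime negotiated with the peer, while only the soft expiry that triggers a renegotiation is pulled in and jittered, and only when this end is actually able to renegotiate. The C below is an added illustration of that policy written for this page; it is not isakmpd's own sa_setup_expirations(), and the function name, the 90%/5% figures and the caller-supplied jitter value are assumptions made here so the result is reproducible.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration for this page, not isakmpd's sa_setup_expirations():
 * schedule the soft (rekey) and hard (teardown) expiry of an SA from the
 * negotiated lifetime, following the two log entries above.
 */

struct sa_expirations {
	uint32_t soft;	/* seconds until we try to renegotiate (rekey) */
	uint32_t hard;	/* seconds until the SA is torn down regardless */
};

/* Assumed figures: soft expiry at 90% of the lifetime, jittered by +/- 5%
 * of the lifetime so SAs set up together do not all rekey at once. */
#define SOFT_PERCENT		90
#define SOFT_JITTER_PERCENT	5

/*
 * negotiated   lifetime in seconds agreed with the peer
 * can_initiate non-zero if this end may start a renegotiation
 * jitter       random value in [0, 1) supplied by the caller (in a daemon
 *              this would come from the system RNG); passed in so the
 *              result is reproducible here
 */
struct sa_expirations
compute_sa_expirations(uint32_t negotiated, int can_initiate, double jitter)
{
	struct sa_expirations e;
	double base, span, soft;

	/*
	 * The hard expiry is always the negotiated lifetime.  A peer that
	 * only acts as initiator trusts that value, so expiring early would
	 * drop traffic it still considers protected.
	 */
	e.hard = negotiated;

	if (!can_initiate) {
		/*
		 * We cannot rekey ourselves: shortening the lifetime would
		 * only lose the SA sooner without anything replacing it.
		 */
		e.soft = negotiated;
		return e;
	}

	/*
	 * Randomize only the soft timeout, within
	 * [SOFT_PERCENT - JITTER, SOFT_PERCENT + JITTER] percent of lifetime.
	 */
	base = (double)negotiated * SOFT_PERCENT / 100.0;
	span = (double)negotiated * SOFT_JITTER_PERCENT / 100.0;
	soft = base - span + 2.0 * span * jitter;
	if (soft < 1.0)
		soft = 1.0;
	if (soft > (double)negotiated)
		soft = (double)negotiated;
	e.soft = (uint32_t)soft;
	return e;
}

int
main(void)
{
	/* Constructed inputs: a one-hour lifetime, three jitter draws, and
	 * the responder-only case. */
	double draws[] = { 0.0, 0.5, 0.99 };
	uint32_t life = 3600;
	struct sa_expirations r;
	int i;

	for (i = 0; i < 3; i++) {
		struct sa_expirations e =
		    compute_sa_expirations(life, 1, draws[i]);
		printf("initiator  jitter=%.2f soft=%u hard=%u\n", draws[i],
		    (unsigned)e.soft, (unsigned)e.hard);
	}
	r = compute_sa_expirations(life, 0, 0.5);
	printf("responder  soft=%u hard=%u\n",
	    (unsigned)r.soft, (unsigned)r.hard);
	return 0;
}
```

With a 3600 second lifetime the initiator's soft expiry lands between 3060 and 3420 seconds depending on the draw, while the hard expiry stays at 3600; the responder-only case gets soft == hard == 3600, so nothing is torn down before the peer expects it.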
sa.c: Merge with EOM 1.90
message.c: Merge with EOM 1.131
message.h: Merge with EOM 1.47
author: niklas
Send DELETE payloads in informational exchanges
author: niklas
Do not put multiple expirations on a single SA
sa.h: Merge with EOM 1.51
author: niklas
Handle leftover payloads, esp INITIAL CONTACT notifications.
Factor out SA expiration setting. Add commentary.
author: ho
Keep track of trailing retransmissions by keeping exchanges around longer.
Removed references to sa->last_sent_in_setup, use last_sent and
last_received in exchange instead. Free setup exchanges by expiration only.
author: ho
Backout last change. (Go with exchange directly instead of sa->msg)
author: ho
Handle phase 2 late retransmissions.
author: ho
Style
Off by one (< -> <=)
Added classes LOG_SA and LOG_EXCHANGE, converted
many LOG_MISC to new classes, adjusted levels slightly.
More SA logging.
Simplify the checks of existing exchanges by moving it into
exchange_establish. This means we need to change the finalize API.
Try to make PF_ENCAP support handle multiple connections to a single
security gateway.
Dump the SA refcount when doing sa_dump
Add LOG_REPORT to always go to logchannel regardless of level; misc small fixes
Remove SA_FLAG_REPLACED settings from various parts in preparation of a
grand unified setting in exchange_finalize. Fix sa_mark_replaced to not
release a reference to the sa, and adjust the API as it won't get called
as a finalize func anymore.
Garbage collect transports via refcounting. Fix commentary.
Allocation failure reporting. Debug printouts. Typecast correctly.
New finalize API. Free keystate.
refcounting on exchanges
Do not malloc zero bytes, some implementations dislike
Only find non-replaced SAs when searching by name
resource track exchange->name and sa->name
Add refcounting to SA's. Make phase 1 expirations be able to cause
renegotiations if configured to.
Add debugging. Provide a way to say an SA has been replaced wrt the flows.
Do not free the flow information before calling the sysdep delete_spi
routine, as it may use it.
Stash SPIs in the right slots
Add SA attributes, specifically stayalive
sa.h: Merge with EOM 1.42
pf_encap.c: Merge with EOM 1.46
exchange.c: Merge with EOM 1.65
| revision 1.66
| date: 1999/02/25 11:39:20; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------
| revision 1.65
| date: 1999/02/25 10:21:33; author: niklas; state: Exp; lines: +2 -2
| Replay window changes were done at the wrong level
| ----------------------------
| revision 1.64
| date: 1999/02/25 09:30:30; author: niklas; state: Exp; lines: +6 -1
| Replay protection window configurable
| ----------------------------
| revision 1.63
| date: 1999/02/14 00:11:38; author: niklas; state: Exp; lines: +52 -27
| Generalize how to find SAs with given attributes. Do SA expiration both hard
| and soft, and do not rekey automatically anymore. We will revisit this by
| adding some kind of policy what to do at these times. Improve commentary
| ----------------------------
| revision 1.62
| date: 1999/02/06 15:07:23; author: niklas; state: Exp; lines: +3 -1
| remove reference to rekey event when it has happened
| ----------------------------
sa_isakmp_lookup_by_peer
OpenBSD IPSEC stack by me, Niklas Hallqvist and Niels Provos, funded by
Ericsson Radio Systems. It is not yet complete or usable in a real scenario,
but the missing pieces will soon be there. The early commit is for people
who want early access and who are not afraid of looking at source.
isakmpd interops with Cisco, Timestep, SSH & Pluto (Linux FreeS/WAN) so
far, so it is not that incomplete. It is really mostly configuration that
is lacking.