summaryrefslogtreecommitdiff
path: root/sbin/isakmpd
AgeCommit message (Collapse)Author
2007-03-26typo in initial RCS tag ($OpenBSD: -> $OpenBSD$)Pedro Martelletto
2007-03-18Fix usage of predefined lifetimes. "Default-phase-[12]-lifetime"Hans-Joerg Hoexer
just specifies the values to be used. However, the specifications are called "LIFE_MAIN_MODE" and "LIFE_QUICK_MODE". ok ho@ jmc@
2007-03-05Set pointer to NULL after freeing it, so callers ofMoritz Jodeit
key_from_printable() are not fooled into using it afterwards. OK hshoexer@
2007-03-03There may be more than one item in the subjectAltName (cropping upTom Cosgrove
with CACert certificates) so don't require the reported length to be exactly equal to the length of the data, but accept it if it's <= the length of the data (i.e. we just use the first alt name). The purpose of the check is to make sure we don't try to read beyond the data we actually have. ok cloder@ hshoexer@
2007-03-03keynote_cert_obtain should not leak in case of error. OK moritz@Chad Loder
2007-03-03Make sure we can't accidentally free() a pointer that's been acceptedTom Cosgrove
by message_add_payload(), since we are no longer responsible for it. ok cloder@ hshoexer@ moritz@
2007-03-01improve the description of -a. specifically, make it clear thatJason McIntyre
ipsec.conf users do not want to run isakmpd -a unless they are messing with manual flows; closes documentation/5399, from sthen original diff and feedback from sthen ok hshoexer
2007-02-22Add a comment that explains, why the VID of draft 2 NAT-T includesHans-Joerg Hoexer
a traling '\n'. suggested by and ok deraadt@, jmc@
2007-02-19tweak;Jason McIntyre
2007-02-19Document NULL encryption.Hans-Joerg Hoexer
2007-02-19isakmpd bits for ESP+NULL encryption. This is useful, when AH canHans-Joerg Hoexer
not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
2006-12-05plug memleak, noticed by jesus@mxtelecom.comHans-Joerg Hoexer
ok moritz@, tested by jesus@mxtelecom.com (thanks!)
2006-12-05some carp/sasyncd bits from msf and myself;Jason McIntyre
ok mpf
2006-12-05Don't leak message structures, when we see unsupported payloadsMoritz Jodeit
or if the payload node allocation fails. Also adjust a comment to make it more clear, who's responsible for freeing the message structs. Input from cloder@. OK hshoexer@
2006-11-30new ui command 'rmv': removes an entry from a list, thus reversing anMarkus Friedl
'add' operation; ok ho, hshoexer, jmc eVS: ----------------------------------------------------------------------
2006-11-29no need to document generation of local.key 3 times;Jason McIntyre
spotted by mcbride, ok hshoexer;
2006-11-29zap trailing spaces;Jason McIntyre
2006-11-29Document the new location of local.pub, and clarify the fact that local.keyRyan Thomas McBride
contains the entire keypair. ok deraadt jmc
2006-11-28do not re-add existing entries; ok hshoexerMarkus Friedl
2006-11-24add support to tag ipsec traffic belonging to specific IKE-initiatedReyk Floeter
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
2006-11-09support public keys w/o SubjectPublicKeyInfo (format: BEGIN RSA PUBLIC KEY)Markus Friedl
ok ho, hshoexer
2006-10-29Fix TAILQ usage, preventing crashesPedro Martelletto
Okay henning@ krw@ millert@ hshoexer@
2006-10-18do not name FILE * variables "fd" since it is confusingTheo de Raadt
2006-10-05Reword sentence to fix grammar nit.Tom Cosgrove
ok jmc@
2006-09-19Use S_IS* macros insted of masking with S_IF* flags. The latter mayOtto Moerbeek
have multiple bits set, which leads to surprising results. Spotted by/partly from Paul Stoeber, more to come. ok ho@ miod@ hshoexer@
2006-09-15Remove "Delete-SAs" config option. This was needed for interactionHans-Joerg Hoexer
with sasyncd(8). Now sasyncd(8) controls isakmpd(8) regarding SA deletion so this option is obsolete. ok mpf jmc
2006-09-09point people towards ipsec.conf.5; after some discussion w/ reykJason McIntyre
ok hshoexer reyk
2006-09-01use shell-independent examples;Jason McIntyre
2006-09-01Add a new UI command to force isakmpd into passive only mode.Marco Pfatschbacher
Will be used by sasyncd to prevent two talking isakmpd's in an HA setup. Based on a diff by ho@. OK ho@, hshoexer@, deraadt@
2006-08-31document an issue with subjectAltName found by reyk;Jason McIntyre
ok hshoexer ho reyk
2006-08-31remove a confusing sentence; ok hshoexer hoJason McIntyre
2006-08-30fix isakmpd -Ka, as used by bgpd, or acquire flows set up via ipsecctl.Henning Brauer
acquire flows need to be recorded on the fly via connection_record_passive(), otherwise later lookups fail and the policy check fails. ok hshoexer ho markus msf deraadt
2006-08-30rewording; from reyk cloder hshoexerJason McIntyre
ok ho
2006-08-30need to retry writing to pfkey socket on EAGAIN, ok theo hshoexerHenning Brauer
2006-08-30Make SA deletion on shutdown the default again. Use -S for failoverHans-Joerg Hoexer
situations where you do not want this. Discussed and agreed on with ho, mcbride, markus, cloder,... We will have to teach sasyncd to deal with this. Testing by msf and hshoexer with help from mtu ok markus cloder
2006-08-30Back out r1.103, which caused SA's to leak until memory was exhausted.Chad Loder
OK hshoexer, nathanael, mpf, "get that in" deraadt
2006-08-30do not call pf_key_v2_disable_sa twice; ok hshoexer, hoMarkus Friedl
2006-08-29Properly define quick mode suites for AH. With naddy.Hans-Joerg Hoexer
ok ho
2006-08-22correct function name in log message.Hans-Joerg Hoexer
2006-07-24Style; return is not a function. hshoexer@ ok.Hakan Olsson
2006-07-02Let isakmpd send out a vendor ID announcing isamkpds release version.Hans-Joerg Hoexer
Will be handy for release specific bug fixes, etc. Suggested by markus@ quite some time ago. ok markus@
2006-06-29Document that pcap files can only be writen to the /var/run directory.Hans-Joerg Hoexer
2006-06-18clean up some gotos. Originally from Andrey Matveev <evol at onlineHans-Joerg Hoexer
dot ptt dot ru>. Ok and help moritz@
2006-06-17Do not leak file descriptor in error path. From Andrey MatveevHans-Joerg Hoexer
<evol at online dot ptt dot ru>, thanks!
2006-06-14indentation.Hans-Joerg Hoexer
2006-06-11Document AESCTR for quick mode and SHA2-* for main mode. Help by jmc.Hans-Joerg Hoexer
ok jmc@
2006-06-11tweaks;Jason McIntyre
2006-06-10Document -S and the "Delete-SAs" tag. Those will enable SA deletionHans-Joerg Hoexer
on shutdown.
2006-06-10Make deletion of SAs on shutdown optional. The default behaviourHans-Joerg Hoexer
now is to not delete SAs. Needed for reliable ipsec failover. Suggested by mtu@. Moreover, this ensures that packets do not leak when isakmpd is shutdown. ok mcbride@, testing mtu@
2006-06-10Allow isakmpd to use a different private rsa key per isakmp ID. Hans wrote ↵Mathieu Sauve-Frankel
this a long time ago, I synced it to -current and tested. ok hshoexer@