author: niklas
missing arg
author: ho
(c)-2000
author: niklas
Add back an example of empty FEATURES
author: niklas
Well, show how to add -g in different OSes
author: itojun
make -g really work
author: ho
Revert. Features should not depend on other stuff,
it should be the other way around.
author: ho
Ok, make it work this time.
author: ho
Only add 'policy' feature if USE_KEYNOTE is active.
cert.h: Merge with EOM 1.8
libcrypto.c: Merge with EOM 1.14
policy.h: Merge with EOM 1.12
x509.h: Merge with EOM 1.11
author: niklas
Multiple subject name matching, makes certificate interop with PGPnet at least
partly working. Added some error checking.
author: niklas
alphabeticize
author: niklas
style
author: niklas
From OpenBSD: be paranoid about the syslog format parameter
author: niklas
remove unnecessary include
author: provos
make a DOI specific decode_ids, but have isakmp doi decode point to
ipsec.
author: provos
introduce ipsec_decode_ids, also decodes FQDN and USER_FQDN now.
new ipsec_clone_id to copy IDs to phase 2 SAs for better status
reports. okay angelos@
author: provos
don't segfault on connection report when id is not set
author: provos
don't strdup exchange->recv_cert, it is not always a 0 terminated string
for CERTENC_NONE. we need to malloc and memcpy instead. found by
electric fence.
author: provos
provide transport dependent ID decoding; hope indentation is right now ;)
author: ho
ISAKMP peer transport defaults to UDP.
author: provos
make a DOI specific decode_ids, but have isakmp doi decode point to
ipsec.
author: provos
indent
author: provos
introduce ipsec_decode_ids, also decodes FQDN and USER_FQDN now.
new ipsec_clone_id to copy IDs to phase 2 SAs for better status
reports. okay angelos@
author: angelos
Get the right value.
author: angelos
Add "phase1_group_desc" attribute, and explain the various values.
author: angelos
Be more careful.
author: angelos
Oops, typo.
author: angelos
Avoid endless loop in INITIAL-CONTACT handling.
author: angelos
Don't delete the ISAKMP SA over which we received an INITIAL-CONTACT
payload.
author: provos
make a DOI specific decode_ids, but have isakmp doi decode point to
ipsec.
author: provos
indent
author: provos
introduce ipsec_decode_ids, also decodes FQDN and USER_FQDN now.
new ipsec_clone_id to copy IDs to phase 2 SAs for better status
reports. okay angelos@
author: provos
introduce ipsec_decode_ids, also decodes FQDN and USER_FQDN now.
new ipsec_clone_id to copy IDs to phase 2 SAs for better status
reports. okay angelos@
author: angelos
Add "phase1_group_desc" attribute, and explain the various values.
author: provos
provide transport dependent ID decoding; hope indentation is right now ;)
author: provos
make a DOI specific decode_ids, but have isakmp doi decode point to
ipsec.
author: provos
introduce ipsec_decode_ids, also decodes FQDN and USER_FQDN now.
new ipsec_clone_id to copy IDs to phase 2 SAs for better status
reports. okay angelos@
author: ho
Mention 'Default' tag in Phase 1 section, modify peer tag descriptions
to match. Phase 1 peer transport 'udp' is now a default value. The
'Stayalive' flag died long ago, remove it from the example. Also
remove reference to the likewise dead 'Next-hop' tag. Some minor cleanup.
author: ho
ISAKMP peer transport defaults to UDP.
transport.h: Merge with EOM 1.16
author: provos
provide transport dependent ID decoding; hope indentation is right now ;)
author: angelos
Be careful when there's no assertions.
author: provos
prevent isakmpd crashing when client gives an unknown ID in aggressive mode.
bug report from James Winquist <winquist@mail.cybernet.com>
author: angelos
Add sa_enter() prototype.
author: provos
prevent crashing when we receive an encrypted message as response to
our first packet as initiator. James Winquist <winquist@mail.cybernet.com>
doi.h: Merge with EOM 1.29
author: provos
make a DOI specific decode_ids, but have isakmp doi decode point to
ipsec.
author: itojun
synchronize with latest KAME PF_KEY interface. need more testing.
old: changes sadb_msg, which is bad
new: added sadb_x_sa2 for extra meat
author: niklas
Indentation, bad greek
author: ho
Recognize and handle reserved and private payloads differently.
A private payload in a message is ignored.
A message containing a reserved payload is dropped.
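The rule in the commit above (a private payload is skipped, a message carrying a reserved payload is dropped), as an added example in C that is not isakmpd's code. It walks the chain of generic payload headers in an ISAKMP message, with the type ranges taken from RFC 2408: 0 is NONE, 1 to 13 are the defined payloads, 14 to 127 are reserved, 128 to 255 are private use. It also adds the length checks a practitioner would want, so a truncated chain or an oversized payload length is dropped rather than read past the datagram. All function and enum names are assumptions, and the messages are constructed by build_msg() for the demonstration.

```c
/*
 * Added example (not isakmpd code): classify ISAKMP payload types and walk a
 * message's payload chain.  Layout from RFC 2408: the fixed header is 28 bytes
 * (I-cookie 8, R-cookie 8, Next Payload 1, Version 1, Exchange Type 1, Flags 1,
 * Message ID 4, Length 4); every payload starts with a 4-byte generic header
 * (Next Payload 1, RESERVED 1, Payload Length 2, big-endian, header included).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN              28
#define GEN_PAYLOAD_LEN             4
#define ISAKMP_PAYLOAD_NONE         0
#define ISAKMP_PAYLOAD_RESERVED_MIN 14   /* 14..127 reserved (RFC 2408 3.1) */
#define ISAKMP_PAYLOAD_PRIVATE_MIN  128  /* 128..255 private use */

enum payload_class { PAYLOAD_KNOWN, PAYLOAD_RESERVED, PAYLOAD_PRIVATE };
enum msg_verdict { MSG_ACCEPT = 0, MSG_DROP_RESERVED = 1, MSG_DROP_MALFORMED = 2 };

enum payload_class classify_payload(uint8_t type)
{
    if (type >= ISAKMP_PAYLOAD_PRIVATE_MIN)
        return PAYLOAD_PRIVATE;
    if (type >= ISAKMP_PAYLOAD_RESERVED_MIN)
        return PAYLOAD_RESERVED;
    return PAYLOAD_KNOWN;
}

static uint16_t get16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Walk the payload chain of msg.  On MSG_ACCEPT, *nknown is the number of
 * payloads left for the caller to process and *nignored the number of private
 * payloads that were skipped.  off never exceeds len because each advance is
 * bounded by the remaining bytes, so a hostile Payload Length cannot push the
 * walker outside the buffer.
 */
enum msg_verdict walk_payloads(const uint8_t *msg, size_t len, int *nknown, int *nignored)
{
    size_t off = ISAKMP_HDR_LEN;
    uint8_t next;

    *nknown = *nignored = 0;
    if (len < ISAKMP_HDR_LEN)
        return MSG_DROP_MALFORMED;
    next = msg[16];                       /* Next Payload field of the header */
    while (next != ISAKMP_PAYLOAD_NONE) {
        uint16_t plen;

        if (len - off < GEN_PAYLOAD_LEN)
            return MSG_DROP_MALFORMED;    /* chain claims a payload that is not there */
        plen = get16(msg + off + 2);
        if (plen < GEN_PAYLOAD_LEN || plen > len - off)
            return MSG_DROP_MALFORMED;    /* length smaller than its header, or past the end */
        switch (classify_payload(next)) {
        case PAYLOAD_RESERVED:
            return MSG_DROP_RESERVED;     /* whole message is dropped */
        case PAYLOAD_PRIVATE:
            (*nignored)++;                /* payload is skipped, message goes on */
            break;
        case PAYLOAD_KNOWN:
            (*nknown)++;
            break;
        }
        next = msg[off];                  /* Next Payload of this generic header */
        off += plen;
    }
    return MSG_ACCEPT;
}

/*
 * Build a constructed message: zeroed header plus a chain of n payloads with
 * the given types and body lengths (bodies filled with 0xAA).  Returns the
 * total length written, 0 if cap is too small.
 */
size_t build_msg(uint8_t *out, size_t cap, const uint8_t *types, const uint8_t *bodylens, int n)
{
    size_t off = ISAKMP_HDR_LEN;
    int i;

    if (cap < ISAKMP_HDR_LEN)
        return 0;
    memset(out, 0, ISAKMP_HDR_LEN);
    out[16] = n > 0 ? types[0] : ISAKMP_PAYLOAD_NONE;
    for (i = 0; i < n; i++) {
        size_t plen = GEN_PAYLOAD_LEN + bodylens[i];

        if (off + plen > cap)
            return 0;
        out[off] = (i + 1 < n) ? types[i + 1] : ISAKMP_PAYLOAD_NONE;
        out[off + 1] = 0;
        out[off + 2] = (uint8_t)(plen >> 8);
        out[off + 3] = (uint8_t)plen;
        memset(out + off + GEN_PAYLOAD_LEN, 0xAA, bodylens[i]);
        off += plen;
    }
    out[24] = (uint8_t)(off >> 24); out[25] = (uint8_t)(off >> 16);
    out[26] = (uint8_t)(off >> 8);  out[27] = (uint8_t)off;
    return off;
}

int main(void)
{
    uint8_t m[256], t[] = { 1, 200, 50 }, b[] = { 8, 2, 0 };   /* SA, private, reserved */
    int k, ig;
    size_t n = build_msg(m, sizeof m, t, b, 3);

    printf("verdict %d (1 = dropped because of a reserved payload)\n",
        walk_payloads(m, n, &k, &ig));
    return 0;
}
```

Dropping on a reserved type is the conservative choice: a reserved number in a message means either a peer speaking a newer revision of the protocol or one probing the parser, and in neither case is there a safe interpretation of the bytes that follow.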
author: niklas
&& not &
author: angelos
Default value for [KeyNote]:Credential-directory.
author: angelos
Point back to isakmpd.conf(5)
author: angelos
Remove fixed item from BUGs section.
author: angelos
Talk about re-loading of policies on SIGHUP.
author: angelos
Some more support for KeyNote credential exchange (not yet done).
author: angelos
No need for NODEBUG actually...
author: angelos
Use LOG_DBG() instead of log_debug()
author: angelos
NODEBUG compile option, so regress doesn't barf.
author: angelos
No point adding a handling attribute for the generic session.
author: angelos
log_debug() for the action attributes.
author: angelos
Different policy/Keynote sessions per Phase 1 SA.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
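The selection rule stated in the commit above (use KeyNote credentials when a directory named after our local ID exists under the KeyNote directory, default /etc/isakmpd/keynote/, otherwise X509), as an added example in C that is not isakmpd's code. The function and enum names are assumptions. The check that the local ID is a plain directory name is my addition rather than anything the commit describes: the ID comes from our own configuration, but it still becomes a path component, and refusing separators and dot entries keeps a typo or a tampered configuration from pointing the lookup at an arbitrary directory.

```c
/*
 * Added example (not isakmpd code): choose the credential type for an
 * exchange from the existence of <keynote_dir>/<local_id>.
 */
#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define KEYNOTE_DIR_DEFAULT "/etc/isakmpd/keynote/"   /* default from the commit message */

enum cred_kind { CRED_BAD_ID = -1, CRED_X509 = 0, CRED_KEYNOTE = 1 };

/* Accept only a single path component: no '/', not "." or "..", not empty. */
int local_id_is_safe_path(const char *id)
{
    if (id == NULL || *id == '\0')
        return 0;
    if (strchr(id, '/') != NULL)
        return 0;
    if (strcmp(id, ".") == 0 || strcmp(id, "..") == 0)
        return 0;
    return 1;
}

/*
 * KeyNote if <keynote_dir>/<local_id> exists and is a directory, X509
 * otherwise.  CRED_BAD_ID when the ID cannot be used as a directory name or
 * the assembled path would not fit.
 */
enum cred_kind select_cred_kind(const char *keynote_dir, const char *local_id)
{
    char path[1024];
    struct stat st;
    int n;

    if (!local_id_is_safe_path(local_id))
        return CRED_BAD_ID;
    n = snprintf(path, sizeof path, "%s/%s", keynote_dir, local_id);
    if (n < 0 || (size_t)n >= sizeof path)
        return CRED_BAD_ID;
    if (stat(path, &st) == 0 && S_ISDIR(st.st_mode))
        return CRED_KEYNOTE;
    return CRED_X509;
}

int main(void)
{
    /* With the default directory; on a host without it this prints 0 (X509). */
    printf("credential kind for local ID 'gw.example' = %d\n",
        select_cred_kind(KEYNOTE_DIR_DEFAULT, "gw.example"));
    return 0;
}
```

Note the asymmetry the commit points out: this choice is made per side, so one peer can select KeyNote from this rule while the other presents an X509 certificate.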
author: angelos
Correct pointer handling.
author: angelos
A few more certificate handling routines for KeyNote.
author: angelos
Some more support for KeyNote credential exchange (not yet done).
author: angelos
Add a couple more KeyNote functions in the sym entries.
author: ho
Some systems do not define IPPROTO_ETHERIP (yet).
author: angelos
Add the -R option in getopt!!!
author: angelos
Different policy/Keynote sessions per Phase 1 SA.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: angelos
Cleanup.
author: angelos
Some more text.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: ho
Update re DOI:IPSEC and default p1/p2 lifetimes.
author: angelos
Different policy/Keynote sessions per Phase 1 SA.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: angelos
A few more definitions.
author: angelos
Some more support for KeyNote credential exchange (not yet done).
author: provos
typo
author: angelos
Initialize [Keynote]:Credential-directory.
author: ho
Autogenerated p1/p2 default lifetimes can be defined in config.
author: niklas
style
author: angelos
Be a bit more verbose when printing policy results.
author: angelos
Correct environment cleanup.
author: angelos
Different policy/Keynote sessions per Phase 1 SA.
author: angelos
&&, not ||
author: angelos
Begin support for KeyNote credentials exchanged.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: angelos
Begin support for KeyNote credentials exchanged.
author: angelos
Reset policy_id and recv_key after we've moved them over from the
exchange to the isakmp_sa, so they don't get freed.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: angelos
Add CERTENC_KEYNOTE.
author: ho
DOI IPSEC is default if not specified.
exchange.h: Merge with EOM 1.27
x509.h: Merge with EOM 1.10
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: angelos
Add CERTENC_KEYNOTE.
author: ho
Correct definition.
author: ho
DOI IPSEC is default if not specified.
author: ho
Use math_mp_t in prototype.
author: ho
Attempt to get GMP usable here.
author: angelos
Don't add the callback at initialization time, we must set it before
each invocation.
author: angelos
Different policy/Keynote sessions per Phase 1 SA.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.