Up to [local] / src / sbin / isakmpd
Default branch: MAIN
Revision 1.154, Wed Dec 20 00:34:13 2023 UTC (5 months, 1 week ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE,
OPENBSD_7_5,
HEAD
Changes since 1.153: +1 -3 lines
Don't unset the SA tag set by ipsec_sa_tag in ipsec_sa_iface. Fixes SA tagging and a possible leak. from markus@
Revision 1.153, Mon Aug 7 04:01:29 2023 UTC (9 months, 3 weeks ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE,
OPENBSD_7_4
Changes since 1.152: +39 -2 lines
support configuring interface SAs for route-based ipsec vpns. add "Interface NUMBER" to the config parser to specify that once SAs have been negotiated with a peer, install the SAs with the sadb_x_iface extension set up, but skip installing the flows/SPD entries. this allows for the negotiation of multiple esp tunnels covering all traffic between 0.0.0.0/0 to 0.0.0.0/0, and then being able to do something useful with them using the routing table and sec(4) interfaces instead of having SPD entries fight over those packets in the kernel. this in turn allows interoperation with other ipsec/vpn solutions that require the negotiation of such tunnels. support from many including markus@ tobhe@ claudio@ sthen@ patrick@ now is a good time deraadt@
Revision 1.152, Sun Jan 16 14:30:11 2022 UTC (2 years, 4 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE,
OPENBSD_7_3,
OPENBSD_7_2_BASE,
OPENBSD_7_2,
OPENBSD_7_1_BASE,
OPENBSD_7_1
Changes since 1.151: +1 -3 lines
isakmpd: fix -Wunused-but-set-variable warnings ok guenther@
Revision 1.151, Fri Oct 22 12:30:53 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.150: +2 -2 lines
After deleting hifn(4) the only provider for the LZS compression algorithm is gone. Remove all LZS references from the tree. The v42bis in isakmpd also looks unsupported. OK mvs@ patrick@ sthen@
Revision 1.150, Mon Jan 15 09:54:48 2018 UTC (6 years, 4 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE,
OPENBSD_7_0,
OPENBSD_6_9_BASE,
OPENBSD_6_9,
OPENBSD_6_8_BASE,
OPENBSD_6_8,
OPENBSD_6_7_BASE,
OPENBSD_6_7,
OPENBSD_6_6_BASE,
OPENBSD_6_6,
OPENBSD_6_5_BASE,
OPENBSD_6_5,
OPENBSD_6_4_BASE,
OPENBSD_6_4,
OPENBSD_6_3_BASE,
OPENBSD_6_3
Changes since 1.149: +7 -7 lines
Spacing, no object change.
Revision 1.149, Thu Jan 4 14:21:00 2018 UTC (6 years, 4 months ago) by mpi
Branch: MAIN
Changes since 1.148: +7 -7 lines
space -> tab No object change.
Revision 1.148, Fri Oct 27 08:29:32 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.147: +7 -3 lines
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does. ok visa@, markus@
Revision 1.147, Tue Jul 18 06:19:07 2017 UTC (6 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE,
OPENBSD_6_2
Changes since 1.146: +10 -1 lines
Prevent a NULL dereference when comparing incomplete SAs. This dereference can occur because sa_find() is called from a timer and iterates over all existing `sa'. At that time the corresponding `finalize_exchange' might not have been called, in which case it is unsafe to dereference `src_net', `dst_net' & co. Issue reported by Michał Koc. ok hshoexer@, markus@
Revision 1.146, Thu Dec 10 17:27:00 2015 UTC (8 years, 5 months ago) by mmcc
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE,
OPENBSD_6_1,
OPENBSD_6_0_BASE,
OPENBSD_6_0,
OPENBSD_5_9_BASE,
OPENBSD_5_9
Changes since 1.145: +2 -3 lines
Remove NULL-checks before free(). ok tb@
Revision 1.145, Wed Dec 9 21:41:50 2015 UTC (8 years, 5 months ago) by naddy
Branch: MAIN
Changes since 1.144: +1 -5 lines
Remove plain DES encryption from IPsec. DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8). ok mikeb@
Revision 1.144, Thu Aug 20 22:02:21 2015 UTC (8 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.143: +10 -18 lines
<stdlib.h> is included, so do not need to cast result from malloc, calloc, realloc* ok krw millert
Revision 1.143, Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE,
OPENBSD_5_8,
OPENBSD_5_7_BASE,
OPENBSD_5_7
Changes since 1.142: +7 -4 lines
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
Revision 1.142, Tue Jan 13 04:19:00 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.141: +1 -6 lines
-/* Backwards compatibility. */ -#ifndef NI_MAXHOST -#define NI_MAXHOST 1025 -#endif Disappointing.
Revision 1.141, Thu Oct 9 02:38:56 2014 UTC (9 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.140: +2 -2 lines
obvious reallocarray() conversions
Revision 1.140, Wed Jan 22 03:09:31 2014 UTC (10 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE,
OPENBSD_5_6,
OPENBSD_5_5_BASE,
OPENBSD_5_5
Changes since 1.139: +1 -3 lines
improve randomization. remove some junk debugging features that are fundamentally broken. ok jsing mikeb
Revision 1.139, Thu Nov 21 22:25:01 2013 UTC (10 years, 6 months ago) by yasuoka
Branch: MAIN
Changes since 1.138: +28 -2 lines
Keep the flow until the last IPsec SA is deleted, if the flow is shared by multiple IPsec SAs in NAT-T case. This fixes a problem that L2TP/IPsec connections are disconnected improperly in case multiple Windows clients are connected from behind one NAT. ok markus
Revision 1.138, Sat Jun 30 14:51:31 2012 UTC (11 years, 11 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE,
OPENBSD_5_4,
OPENBSD_5_3_BASE,
OPENBSD_5_3,
OPENBSD_5_2_BASE,
OPENBSD_5_2
Changes since 1.137: +2 -3 lines
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
Revision 1.137, Thu Oct 20 00:28:06 2011 UTC (12 years, 7 months ago) by yasuoka
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE,
OPENBSD_5_1
Changes since 1.136: +97 -65 lines
For NAT-T with transport mode, use the ISAKMP's SA addresses for the flow instead of the ID payload. This will fix a part of problems of L2TP/IPsec from NAT'd clients. ok markus@ tested by markus@ and myself.
Revision 1.136, Wed Sep 22 13:45:15 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE,
OPENBSD_5_0,
OPENBSD_4_9_BASE,
OPENBSD_4_9
Changes since 1.135: +7 -2 lines
Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC (as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode). Thoroughly tested by me and naddy. Works fine with Linux. Requires updated pfkeyv2.h include file. ok naddy
Revision 1.135, Tue Jun 29 19:50:16 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE,
OPENBSD_4_8
Changes since 1.134: +0 -1 lines
Replace the hand-crafted Diffie-Hellman implementation in isakmpd with the smaller implementation from iked that is using libcrypto instead. This allows to remove a lot of code (which is always good), get rid of some custom crypto code by using libcrypto, theoretically adds support for many new MODP and EC2N/ECP modes (but it is not configurable yet), and allows to share the dh.c/dh.h code in different codebases (it is identical in isakmpd and iked, but could also be used elsewhere). ok deraadt@
Revision 1.134, Thu Mar 4 13:55:28 2010 UTC (14 years, 3 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE,
OPENBSD_4_7
Changes since 1.133: +13 -1 lines
don't crash on invalid phase 2 IDs; from hshoexer; ok sthen@
Revision 1.133, Sun Jan 10 12:39:43 2010 UTC (14 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.132: +3 -4 lines
only subtract ISAKMP_ID_DATA_OFF once. otherwise 'buf' might overflow and/or ASN1-DNs get not parsed correctly; with and ok krw@; ok reyk@
Revision 1.132, Thu Jan 29 10:05:50 2009 UTC (15 years, 4 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE,
OPENBSD_4_6,
OPENBSD_4_5_BASE,
OPENBSD_4_5
Changes since 1.131: +29 -20 lines
Improve logging:
- in ipsec_delete_spi_list() a log_verbose is added, when a remote peer sends us a delete message for an SA. However, to avoid spamming the log when SAs are deleted during re-keying, I only log_verbose, when the soft timeout of the SA is not expired yet. Thus only deletion of live SAs gets logged.
- in ipsec_decode_ids() I remove the additional printing of IP-Addresses in hex as the addresses are already printed in CIDR.
- while there, apply some KNF
ok todd@, mpf@, bluhm@
Revision 1.131, Tue Jan 20 14:36:19 2009 UTC (15 years, 4 months ago) by mpf
Branch: MAIN
Changes since 1.130: +21 -1 lines
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
Revision 1.130, Sun Sep 2 15:19:24 2007 UTC (16 years, 9 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE,
OPENBSD_4_4,
OPENBSD_4_3_BASE,
OPENBSD_4_3
Changes since 1.129: +2 -2 lines
use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg
Revision 1.129, Tue Jul 31 20:59:33 2007 UTC (16 years, 10 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE,
OPENBSD_4_2
Changes since 1.128: +2 -2 lines
Use correct function name in log message. Noticed by Igor Zinovk zinovik@cs.karelia.ru. Thanks!
Revision 1.128, Mon Apr 16 13:01:39 2007 UTC (17 years, 1 month ago) by moritz
Branch: MAIN
Changes since 1.127: +32 -62 lines
There's no point in checking ptr for NULL before doing free(ptr) since free(NULL) is just fine. ok hshoexer@
Revision 1.127, Fri Nov 24 13:52:14 2006 UTC (17 years, 6 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE,
OPENBSD_4_1
Changes since 1.126: +92 -1 lines
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
Revision 1.121.2.1, Sat Aug 19 20:30:22 2006 UTC (17 years, 9 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.121: +5 -4 lines
MFC: Fix by mcbride@ Change the default replay window for SAs created by the isakmpd responder to be DEFAULT_REPLAY_WINDOW instead of zero. The default replay window is then the same for both initiator and receiver. Fix from nathanael at polymorpheous dot com. ok mpf@ hshoexer@ deraadt@
Revision 1.122.2.1, Sat Aug 19 20:23:28 2006 UTC (17 years, 9 months ago) by brad
Branch: OPENBSD_3_9
Changes since 1.122: +5 -4 lines
MFC: Fix by mcbride@ Change the default replay window for SAs created by the isakmpd responder to be DEFAULT_REPLAY_WINDOW instead of zero. The default replay window is then the same for both initiator and receiver. Fix from nathanael at polymorpheous dot com. ok mpf@ hshoexer@ deraadt@
Revision 1.126, Sat Jun 10 20:10:02 2006 UTC (17 years, 11 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE,
OPENBSD_4_0
Changes since 1.125: +9 -2 lines
support sha2 for main mode hmacs and aesctr for quick mode encryption. ok markus@ ho@
Revision 1.125, Fri Jun 9 21:37:17 2006 UTC (17 years, 11 months ago) by naddy
Branch: MAIN
Changes since 1.124: +12 -12 lines
Allow for AH the use of the authentication algorithms added a while ago. Fix the indentation while we're here. ok hshoexer@
Revision 1.124, Mon May 29 06:56:36 2006 UTC (18 years ago) by mcbride
Branch: MAIN
Changes since 1.123: +13 -2 lines
Fix broken merge of patch. Pointed out by nathanael at polymorpheus dot com.
Revision 1.123, Sun May 28 02:22:34 2006 UTC (18 years ago) by mcbride
Branch: MAIN
Changes since 1.122: +4 -3 lines
Change the default replay window for SAs created by the isakmpd responder to be DEFAULT_REPLAY_WINDOW instead of zero. The default replay window is then the same for both initiator and receiver. Fix from nathanael at polymorpheous dot com. ok hshoexer@
Revision 1.122, Fri Sep 23 14:44:03 2005 UTC (18 years, 8 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE
Branch point for: OPENBSD_3_9
Changes since 1.121: +2 -2 lines
Provide UI commands to delete phase 1 SAs. Looks good mortiz@
Revision 1.121, Sat Jun 25 23:20:43 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE
Branch point for: OPENBSD_3_8
Changes since 1.120: +2 -2 lines
/* Fallthrough. */ -> /* FALLTHROUGH */ now that's useable with lint
Revision 1.120, Tue Jun 14 10:50:47 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.119: +4 -2 lines
add ENCAP_UDP_{TUNNEL,TRANSPORT} types according to rfc 3947 ok markus
Revision 1.119, Thu May 26 06:11:09 2005 UTC (19 years ago) by hshoexer
Branch: MAIN
Changes since 1.118: +2 -3 lines
Use TAILQ_FOREACH where possible, remove payload_last() ok markus
Revision 1.118, Wed May 4 10:05:01 2005 UTC (19 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.117: +9 -8 lines
clean up KEY_API() wrapper. ok ho@
Revision 1.117, Fri Apr 8 23:15:26 2005 UTC (19 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.116: +8 -9 lines
get rid of sysdep_sa_len ok cloder@
Revision 1.116, Fri Apr 8 19:40:03 2005 UTC (19 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.115: +1 -12 lines
USE_DEBUG is bye bye
Revision 1.115, Fri Apr 8 16:52:41 2005 UTC (19 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.114: +2 -20 lines
always enable aggressive, dpd, and isakmp_cfg
Revision 1.114, Fri Apr 8 16:37:14 2005 UTC (19 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.113: +1 -10 lines
nat-traversal always
Revision 1.113, Fri Apr 8 16:09:25 2005 UTC (19 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.112: +1 -17 lines
kill USE_OLD_SOCKADDR
Revision 1.112, Wed Apr 6 16:00:20 2005 UTC (19 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.111: +45 -51 lines
knf, ok cloder
Revision 1.111, Tue Apr 5 20:46:20 2005 UTC (19 years, 2 months ago) by cloder
Branch: MAIN
Changes since 1.110: +1 -7 lines
Always compile X509 support. Almost everyone uses it. Makes the code much easier to read and to maintain. OK and testing by hshoexer@, more testing by me
Revision 1.110, Mon Apr 4 19:31:11 2005 UTC (19 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.109: +28 -28 lines
spacing; ok cloder
Revision 1.109, Mon Apr 4 18:40:45 2005 UTC (19 years, 2 months ago) by hshoexer
Branch: MAIN
Changes since 1.108: +3 -3 lines
fix byteorder confusion ok cloder ho
Revision 1.108, Tue Mar 29 04:51:21 2005 UTC (19 years, 2 months ago) by cloder
Branch: MAIN
Changes since 1.107: +2 -2 lines
Always use network byte order when stuffing port numbers into IPSEC ID packets. This reinstates the correct part of r1.106 which did ntohs incorrectly on received port numbers already in host byte order. OK ho@
Revision 1.107, Fri Mar 18 17:27:39 2005 UTC (19 years, 2 months ago) by cloder
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE,
OPENBSD_3_7
Changes since 1.106: +3 -3 lines
Back out a possible bogus minor diff until we investigate what broke. OK deraadt@
Revision 1.106, Sat Mar 5 23:39:34 2005 UTC (19 years, 3 months ago) by cloder
Branch: MAIN
Changes since 1.105: +4 -4 lines
Always use correct byte order when stuffing port numbers into packets. OK hshoexer@, ho@
Revision 1.105, Tue Dec 14 10:17:28 2004 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.104: +15 -4 lines
Allow the Address, Network, or Netmask values of the <IPsec-ID> to be specified with an interface name (in which case the first address is used) or the keyword 'default' (in which case the address is selected based on the default route). eg:
[roadwarrior-ip]
ID-type= IPV4_ADDR
Address= default
ok ho@ hshoexer@
Revision 1.104, Fri Sep 17 13:53:08 2004 UTC (19 years, 8 months ago) by ho
Branch: MAIN
Changes since 1.103: +3 -1 lines
Missing #ifdefs.
Revision 1.103, Tue Aug 10 15:59:10 2004 UTC (19 years, 9 months ago) by ho
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE,
OPENBSD_3_6
Changes since 1.102: +25 -15 lines
Better implementation of the Dead Peer Detection protocol, RFC 3706. hshoexer@ ok.
Revision 1.102, Sun Aug 8 19:11:06 2004 UTC (19 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.101: +6 -6 lines
spacing
Revision 1.101, Wed Jun 23 00:55:59 2004 UTC (19 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.100: +7 -3 lines
Add commandline switch -a / config tag "Acquire-Only" to tell isakmpd to not touch flows. initial work by markus ok markus@ ho@ henning@
Revision 1.100, Mon Jun 21 23:27:10 2004 UTC (19 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.99: +9 -1 lines
Implement NAT-T keepalive messages.
Revision 1.99, Mon Jun 21 18:29:06 2004 UTC (19 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.98: +2 -2 lines
style nit
Revision 1.98, Sun Jun 20 17:17:35 2004 UTC (19 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.97: +5 -5 lines
Make the payload array in struct message dynamic, since we need to handle payloads in the private range, such as the pre-RFC NAT-D/NAT-OA. Replace TAILQ_FIRST(&msg->payload[i]) instances with function calls.
Revision 1.97, Sun Jun 20 15:24:05 2004 UTC (19 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.96: +29 -21 lines
NAT-Traversal for isakmpd. Work in progress... hshoexer@ ok.
Revision 1.96, Thu Jun 17 19:39:38 2004 UTC (19 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.95: +28 -5 lines
Yet another bunch of memleaks found and fixed by Patrick Latifi. Thanks! ok ho@
Revision 1.95, Wed Jun 16 15:05:37 2004 UTC (19 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.94: +2 -2 lines
fix ipv6-address and ipv6-address-mask mixup. Found by Patrick Latifi. Thanks! ok ho@
Revision 1.94, Mon Jun 14 09:55:41 2004 UTC (19 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.93: +25 -17 lines
KNF, style, 80c, etc. hshoexer@ ok
Revision 1.80.2.3, Fri Jun 11 03:08:02 2004 UTC (19 years, 11 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.80.2.2: +18 -2 lines
MFC: Fix by hshoexer@ Mark authenticated messages explicitly. Better check for authentication before deleting SAs. This fix is needed to solve the problems reported by Thomas Walpuski, previous diff was not sufficient. Pointed out by Thomas. Thanks!
Revision 1.87.2.1, Fri Jun 11 02:34:56 2004 UTC (19 years, 11 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.87: +18 -2 lines
MFC: Fix by hshoexer@ Mark authenticated messages explicitly. Better check for authentication before deleting SAs. This fix is needed to solve the problems reported by Thomas Walpuski, previous diff was not sufficient. Pointed out by Thomas. Thanks!
Revision 1.93, Thu Jun 10 12:54:53 2004 UTC (19 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.92: +16 -2 lines
Mark authenticated messages explicitly. Better check for authentication before deleting SAs. This fix is needed to solve the problems reported by Thomas Walpuski, previous diff was not sufficient. Pointed out by Thomas. Thanks! ok ho@ niklas@, testing and spellcheck by todd@ msf@
Revision 1.92, Wed Jun 9 14:02:44 2004 UTC (19 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.91: +6 -6 lines
Style nits. hshoexer@ ok
Revision 1.91, Sun May 23 18:17:56 2004 UTC (20 years ago) by hshoexer
Branch: MAIN
Changes since 1.90: +322 -282 lines
More KNF. Mainly spaces and line-wraps, no binary change. ok ho@
Revision 1.90, Wed May 19 14:30:26 2004 UTC (20 years ago) by ho
Branch: MAIN
Changes since 1.89: +65 -27 lines
Permit symbolic protocol and service names, such as "Protocol= tcp", in the <IPsec-ID> sections. hshoexer@ ok
Revision 1.89, Thu Apr 15 18:39:25 2004 UTC (20 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.88: +1778 -1878 lines
partial move to KNF. More to come. This has happened because there are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer
Revision 1.88, Wed Apr 7 22:45:49 2004 UTC (20 years, 1 month ago) by ho
Branch: MAIN
Changes since 1.87: +4 -4 lines
-Wsign-compare nits. hshoexer@ ok.
Revision 1.72.2.3, Wed Mar 17 15:05:03 2004 UTC (20 years, 2 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.72.2.2: +12 -26 lines
MFC: Fix by hshoexer@ Fix payload handling flaws found by cloder@. Based on initial patch by cloder@. ok deraadt@ hshoexer@
Revision 1.80.2.2, Wed Mar 17 14:59:17 2004 UTC (20 years, 2 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.80.2.1: +12 -26 lines
MFC: Fix by hshoexer@ Fix payload handling flaws found by cloder@. Based on initial patch by cloder@. ok deraadt@ hshoexer@
Revision 1.87, Wed Mar 10 23:08:48 2004 UTC (20 years, 2 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE
Branch point for: OPENBSD_3_5
Changes since 1.86: +13 -25 lines
Fix payload handling flaws found by cloder@. Based on initial patch by cloder@. Testing by markus@ cloder@ hshoexer@. ok ho@
Revision 1.86, Fri Feb 27 19:14:57 2004 UTC (20 years, 3 months ago) by hshoexer
Branch: MAIN
Changes since 1.85: +2 -4 lines
Remove dead code. ok ho@
Revision 1.72.2.2, Fri Jan 16 00:00:21 2004 UTC (20 years, 4 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.72.2.1: +26 -41 lines
Fixes a few message handling flaws in isakmpd as reported by Thomas Walpuski. ok deraadt@ hshoexer@
Revision 1.80.2.1, Tue Jan 13 22:50:07 2004 UTC (20 years, 4 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.80: +26 -41 lines
Fixes a few message handling flaws in isakmpd as reported by Thomas Walpuski. ok deraadt@ hshoexer@
Revision 1.85, Sat Jan 3 16:38:13 2004 UTC (20 years, 5 months ago) by ho
Branch: MAIN
Changes since 1.84: +26 -41 lines
Be more careful with INITIAL-CONTACT and do not delete SPIs when getting an INVALID-SPI notification. Issues noted by Thomas Walpuski. markus@ ok.
Revision 1.84, Mon Dec 15 10:06:42 2003 UTC (20 years, 5 months ago) by hshoexer
Branch: MAIN
Changes since 1.83: +9 -5 lines
Support for groups modp2048, modp3072, modp4096, modp6144 and modp8192 (IDs 14 to 18). ok ho@
Revision 1.83, Thu Nov 6 16:12:07 2003 UTC (20 years, 7 months ago) by ho
Branch: MAIN
Changes since 1.82: +5 -5 lines
Style nits.
Revision 1.82, Thu Nov 6 15:50:53 2003 UTC (20 years, 7 months ago) by ho
Branch: MAIN
Changes since 1.81: +2 -2 lines
spis[] type tweak. From Hans-Joerg Hoexer.
Revision 1.81, Tue Oct 14 14:29:15 2003 UTC (20 years, 7 months ago) by ho
Branch: MAIN
Changes since 1.80: +3 -7 lines
constant_lookup() to constant_name() cleanup. markus@ ok.
Revision 1.80, Tue Sep 2 18:15:55 2003 UTC (20 years, 9 months ago) by ho
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE
Branch point for: OPENBSD_3_4
Changes since 1.79: +2 -2 lines
A couple of nits. deraadt@ ok.
Revision 1.79, Fri Aug 8 08:46:59 2003 UTC (20 years, 9 months ago) by ho
Branch: MAIN
Changes since 1.78: +7 -5 lines
Be more careful when using constant_lookup() in messages. Pointed out by Jean-Francois Dive, although I opted for a slightly different patch.
Revision 1.78, Fri Jul 25 08:31:16 2003 UTC (20 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.77: +14 -2 lines
add sha2 support; ok ho@
Revision 1.72.2.1, Fri Jun 13 03:50:53 2003 UTC (20 years, 11 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.72: +27 -11 lines
MFC: Fix from ho@ Do not crash on unsupported IPSec ID types, as noted by Eric Boudrand. deraadt@ millert@ ok
Revision 1.71.2.1, Fri Jun 13 03:34:13 2003 UTC (20 years, 11 months ago) by brad
Branch: OPENBSD_3_2
Changes since 1.71: +27 -11 lines
MFC: Fix from ho@ Do not crash on unsupported IPSec ID types, as noted by Eric Boudrand. deraadt@ millert@ ok
Revision 1.77, Tue Jun 10 12:21:29 2003 UTC (20 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.76: +27 -11 lines
Do not crash on unsupported IPSec ID types, as noted by Eric Boudrand.
Revision 1.76, Wed Jun 4 07:31:16 2003 UTC (21 years ago) by ho
Branch: MAIN
Changes since 1.75: +1 -6 lines
Remove the rest of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D. Keromytis and Niels Provos.
Revision 1.75, Tue Jun 3 12:51:39 2003 UTC (21 years ago) by ho
Branch: MAIN
Changes since 1.74: +7 -7 lines
Cleanup. Use 'sizeof variable' instead of magic constants.
Revision 1.74 / (download) - annotate - [select for diffs], Wed May 14 17:37:22 2003 UTC (21 years ago) by ho
Branch: MAIN
Changes since 1.73: +2 -2 lines
Diff to previous 1.73 (colored)
I did not test this enough. Unbreak.
Revision 1.73 / (download) - annotate - [select for diffs], Mon May 12 21:43:21 2003 UTC (21 years ago) by ho
Branch: MAIN
Changes since 1.72: +5 -3 lines
Diff to previous 1.72 (colored)
AES -> AES_128_CBC
Revision 1.72 / (download) - annotate - [select for diffs], Thu Nov 21 12:09:20 2002 UTC (21 years, 6 months ago) by ho
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE
Branch point for: OPENBSD_3_3
Changes since 1.71: +3 -3 lines
Diff to previous 1.71 (colored)
-Wshadow nits.
Revision 1.71 / (download) - annotate - [select for diffs], Wed Sep 11 09:50:43 2002 UTC (21 years, 8 months ago) by ho
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE
Branch point for: OPENBSD_3_2
Changes since 1.70: +5 -5 lines
Diff to previous 1.70 (colored)
signed vs unsigned, some void * arithmetic, from -pedantic. niklas@ ok.
Revision 1.70 / (download) - annotate - [select for diffs], Sun Sep 8 12:38:04 2002 UTC (21 years, 8 months ago) by ho
Branch: MAIN
Changes since 1.69: +6 -2 lines
Diff to previous 1.69 (colored)
Fix -pedantic errors.
Revision 1.69 / (download) - annotate - [select for diffs], Fri Jul 5 11:08:13 2002 UTC (21 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.68: +3 -3 lines
Diff to previous 1.68 (colored)
gcc 3.1 nits. Pointed out by David Krause.
Revision 1.68 / (download) - annotate - [select for diffs], Fri Jun 14 12:43:11 2002 UTC (21 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.67: +7 -3 lines
Diff to previous 1.67 (colored)
Recognize the ECN_TUNNEL attribute.
Revision 1.67 / (download) - annotate - [select for diffs], Sun Jun 9 08:13:06 2002 UTC (21 years, 11 months ago) by todd
Branch: MAIN
Changes since 1.66: +23 -23 lines
Diff to previous 1.66 (colored)
rm trailing whitespace
Revision 1.66 / (download) - annotate - [select for diffs], Fri Jun 7 04:56:13 2002 UTC (22 years ago) by ho
Branch: MAIN
Changes since 1.65: +17 -17 lines
Diff to previous 1.65 (colored)
This should solve PR#2729.
Revision 1.65 / (download) - annotate - [select for diffs], Sat Jun 1 07:44:21 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.64: +12 -11 lines
Diff to previous 1.64 (colored)
size_t must be cast to (unsigned long) and printed using %lu
Revision 1.64 / (download) - annotate - [select for diffs], Thu Feb 21 20:09:18 2002 UTC (22 years, 3 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE,
OPENBSD_3_1
Changes since 1.63: +3 -5 lines
Diff to previous 1.63 (colored)
Set the source port correctly, shifflett@nps.navy.mil
Revision 1.58.2.1 / (download) - annotate - [select for diffs], Thu Feb 21 04:18:57 2002 UTC (22 years, 3 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.58: +3 -2 lines
Diff to previous 1.58 (colored) next main 1.59 (colored)
Pull in patch from current: Fix (ho): Add the (former) AES candidate ESP ciphers for IKE, as of http://csrc.nist.gov/ipsec/papers/aes-draft.00.txt In particular, recognize a Twofish proposal with cipher number 253, as used by the SSH Sentinel.
Revision 1.63 / (download) - annotate - [select for diffs], Sun Jan 27 01:56:31 2002 UTC (22 years, 4 months ago) by ho
Branch: MAIN
Changes since 1.62: +3 -2 lines
Diff to previous 1.62 (colored)
Add the (former) AES candidate ESP ciphers for IKE, as of http://csrc.nist.gov/ipsec/papers/aes-draft.00.txt In particular, recognize a Twofish proposal with cipher number 253, as used by the SSH Sentinel.
Revision 1.62 / (download) - annotate - [select for diffs], Wed Jan 23 17:12:36 2002 UTC (22 years, 4 months ago) by ho
Branch: MAIN
Changes since 1.61: +12 -12 lines
Diff to previous 1.61 (colored)
less sprintf/str[n]cpy/strcat
Revision 1.61 / (download) - annotate - [select for diffs], Sun Dec 16 22:39:09 2001 UTC (22 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.60: +3 -3 lines
Diff to previous 1.60 (colored)
diagnostic incorrect; vlada@openbsd.cz
Revision 1.60 / (download) - annotate - [select for diffs], Fri Oct 26 13:29:26 2001 UTC (22 years, 7 months ago) by ho
Branch: MAIN
Changes since 1.59: +23 -7 lines
Diff to previous 1.59 (colored)
Change to use sysdep_sa_len() function.
Revision 1.59 / (download) - annotate - [select for diffs], Fri Oct 26 12:03:07 2001 UTC (22 years, 7 months ago) by ho
Branch: MAIN
Changes since 1.58: +37 -30 lines
Diff to previous 1.58 (colored)
Just rename sockaddr_data/len functions to sockaddr_addrdata/addrlen.
Revision 1.58 / (download) - annotate - [select for diffs], Sat Aug 25 22:22:11 2001 UTC (22 years, 9 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE
Branch point for: OPENBSD_3_0
Changes since 1.57: +50 -8 lines
Diff to previous 1.57 (colored)
Use x509_DN_string API. Style fixes.
Revision 1.57 / (download) - annotate - [select for diffs], Fri Aug 24 09:29:14 2001 UTC (22 years, 9 months ago) by ho
Branch: MAIN
Changes since 1.56: +2 -2 lines
Diff to previous 1.56 (colored)
typo in debug msg
Revision 1.56 / (download) - annotate - [select for diffs], Thu Aug 23 19:32:46 2001 UTC (22 years, 9 months ago) by niklas
Branch: MAIN
Changes since 1.55: +22 -17 lines
Diff to previous 1.55 (colored)
Correct ipsec_id_string buffer and length handling.
Revision 1.55 / (download) - annotate - [select for diffs], Wed Aug 22 08:49:00 2001 UTC (22 years, 9 months ago) by niklas
Branch: MAIN
Changes since 1.54: +72 -1 lines
Diff to previous 1.54 (colored)
Add ipsec_id_string, a function for converting IDs to one possible string form, to be used for IKE mode config and raw key selection by ID. Not yet used though.
Revision 1.54 / (download) - annotate - [select for diffs], Fri Jul 6 14:37:11 2001 UTC (22 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.53: +2 -2 lines
Diff to previous 1.53 (colored)
Style.
Revision 1.53 / (download) - annotate - [select for diffs], Wed Jul 4 22:23:24 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.52: +5 -10 lines
Diff to previous 1.52 (colored)
Merge entries.
Revision 1.52 / (download) - annotate - [select for diffs], Sun Jul 1 20:43:39 2001 UTC (22 years, 11 months ago) by niklas
Branch: MAIN
Changes since 1.51: +49 -11 lines
Diff to previous 1.51 (colored)
ISAKMP configuration, a.k.a IKECFG or "mode-config", protocol implementation. Disabled, has no configuration mechanism yet. This will be used for roaming users, who are going to get parameters like IP-address and nameserver from its peer, very much like DHCP, but securely inside an ISAKMP connection and still in time before negotiation of IPsec connections. You may see stylistic fixes in this commit too. Add some not yet used Makefile magic to deal with DNSSEC-enabled OpenSSL too. The IKECFG code work was sponsored by Gatespace Inc. Thank you! Configuration will come very soon, btw.
Revision 1.51 / (download) - annotate - [select for diffs], Sun Jul 1 14:17:06 2001 UTC (22 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.50: +65 -26 lines
Diff to previous 1.50 (colored)
Teach ipsec_decode_ids about IPv6. More error checking, some better log msgs.
Revision 1.50 / (download) - annotate - [select for diffs], Fri Jun 29 19:08:11 2001 UTC (22 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.49: +2 -3 lines
Diff to previous 1.49 (colored)
Get rid of redundant lengths in get_spi API.
Revision 1.49 / (download) - annotate - [select for diffs], Fri Jun 29 18:52:17 2001 UTC (22 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.48: +17 -20 lines
Diff to previous 1.48 (colored)
Change get_src/get_dst API as we get the length with sa_len.
Revision 1.48 / (download) - annotate - [select for diffs], Fri Jun 29 18:05:24 2001 UTC (22 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.47: +3 -3 lines
Diff to previous 1.47 (colored)
Since we have a sockaddr struct, use sa_len directly.
Revision 1.47 / (download) - annotate - [select for diffs], Fri Jun 29 04:12:00 2001 UTC (22 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.46: +205 -121 lines
Diff to previous 1.46 (colored)
Initial IPv6 support. (niklas@ ok)
Revision 1.46 / (download) - annotate - [select for diffs], Wed Jun 27 03:31:40 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.45: +5 -5 lines
Diff to previous 1.45 (colored)
Consistently use "IPsec" capitalization (jsyn@nthought.com)
Revision 1.30.2.2 / (download) - annotate - [select for diffs], Tue May 8 12:45:23 2001 UTC (23 years ago) by ho
Branch: OPENBSD_2_8
Changes since 1.30.2.1: +210 -34 lines
Diff to previous 1.30.2.1 (colored) to branchpoint 1.30 (colored) next main 1.31 (colored)
Pull in isakmpd from 2.9 to 2.8 branch.
Revision 1.45 / (download) - annotate - [select for diffs], Sat May 5 00:52:50 2001 UTC (23 years, 1 month ago) by angelos
Branch: MAIN
Changes since 1.44: +3 -3 lines
Diff to previous 1.44 (colored)
Pass the Phase 1 SA to the set_spi routine, so the IDs (and eventually any credentials) can be associated with the Phase 2 SA.
Revision 1.44 / (download) - annotate - [select for diffs], Tue Apr 24 07:27:37 2001 UTC (23 years, 1 month ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_9_BASE,
OPENBSD_2_9
Changes since 1.43: +22 -20 lines
Diff to previous 1.43 (colored)
Correct SA refcounting. Fixes a bug where isakmpd could die when a peer was discovered to have rebooted, and old now invalid SAs had to be garbage-collected.
Revision 1.43 / (download) - annotate - [select for diffs], Sun Apr 15 16:09:16 2001 UTC (23 years, 1 month ago) by ho
Branch: MAIN
Changes since 1.42: +3 -3 lines
Diff to previous 1.42 (colored)
Style.
Revision 1.42 / (download) - annotate - [select for diffs], Mon Apr 9 22:09:52 2001 UTC (23 years, 1 month ago) by ho
Branch: MAIN
Changes since 1.41: +3 -3 lines
Diff to previous 1.41 (colored)
More style fixes...
Revision 1.41 / (download) - annotate - [select for diffs], Thu Mar 29 06:51:25 2001 UTC (23 years, 2 months ago) by ho
Branch: MAIN
Changes since 1.40: +1 -5 lines
Diff to previous 1.40 (colored)
We need ipsec_decode_ids regardless of DEBUG feature now.
Revision 1.40 / (download) - annotate - [select for diffs], Wed Mar 7 07:33:53 2001 UTC (23 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.39: +2 -1 lines
Diff to previous 1.39 (colored)
Add KEY_ID support (mostly from roland@digitalvampire.org)
Revision 1.39 / (download) - annotate - [select for diffs], Sat Feb 24 03:59:55 2001 UTC (23 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.38: +3 -2 lines
Diff to previous 1.38 (colored)
For the GETSPI PFKEY message, use the sequence number from the ACQUIRE message.
Revision 1.38 / (download) - annotate - [select for diffs], Sat Jan 27 12:03:33 2001 UTC (23 years, 4 months ago) by niklas
Branch: MAIN
Changes since 1.37: +2 -1 lines
Diff to previous 1.37 (colored)
(c) 2001
Revision 1.37 / (download) - annotate - [select for diffs], Fri Jan 26 12:12:52 2001 UTC (23 years, 4 months ago) by niklas
Branch: MAIN
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored)
Pedantic style police
Revision 1.36 / (download) - annotate - [select for diffs], Sun Jan 14 23:40:01 2001 UTC (23 years, 4 months ago) by angelos
Branch: MAIN
Changes since 1.35: +116 -43 lines
Diff to previous 1.35 (colored)
Handling of Phase 1 DELETE and Phase 2 INVALID_SPI messages (newsham@lava.net)
Revision 1.35 / (download) - annotate - [select for diffs], Thu Jan 11 00:46:28 2001 UTC (23 years, 4 months ago) by angelos
Branch: MAIN
Changes since 1.34: +8 -1 lines
Diff to previous 1.34 (colored)
Reference the sa, so sa_release() does the right thing (talk about convoluted logic).
Revision 1.34 / (download) - annotate - [select for diffs], Wed Jan 10 21:29:04 2001 UTC (23 years, 4 months ago) by angelos
Branch: MAIN
Changes since 1.33: +5 -5 lines
Diff to previous 1.33 (colored)
Get logging priorities right.
Revision 1.33 / (download) - annotate - [select for diffs], Wed Jan 10 19:48:29 2001 UTC (23 years, 4 months ago) by angelos
Branch: MAIN
Changes since 1.32: +60 -4 lines
Diff to previous 1.32 (colored)
Handle DELETE payloads (delete the relevant IPsec SAs) -- problem reported, patches tested, and feedback provided by newsham@lava.net
Revision 1.32 / (download) - annotate - [select for diffs], Tue Dec 12 01:45:31 2000 UTC (23 years, 5 months ago) by niklas
Branch: MAIN
Changes since 1.31: +51 -12 lines
Diff to previous 1.31 (colored)
Merge with EOM 1.143 author: niklas Style nits author: angelos Pass the local/remote Phase 1 ID to the flow, so it can be reused when an SA is re-negotiated. author: angelos isakmpd can now negotiate transport protocol/ports (either through the configuration file or through kernel ACQUIREs). author: angelos CAST-128 has a maximum of 128bit keys, not 256.
Revision 1.30.2.1 / (download) - annotate - [select for diffs], Sat Nov 25 03:26:14 2000 UTC (23 years, 6 months ago) by jason
Branch: OPENBSD_2_8
Changes since 1.30: +2 -2 lines
Diff to previous 1.30 (colored)
Pull in patch from current: Fix (angelos): CAST-128 has a maximum of 128bit keys, not 256.
Revision 1.31 / (download) - annotate - [select for diffs], Tue Nov 21 06:44:04 2000 UTC (23 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.30: +2 -2 lines
Diff to previous 1.30 (colored)
CAST-128 has a maximum of 128bit keys, not 256.
Revision 1.30 / (download) - annotate - [select for diffs], Mon Oct 16 23:26:33 2000 UTC (23 years, 7 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_8_BASE
Branch point for: OPENBSD_2_8
Changes since 1.29: +34 -17 lines
Diff to previous 1.29 (colored)
Merge with EOM 1.139 author: niklas Allow new and old style configuration simultaneously author: niklas use snprintf instead of strlcpy since it is more backwards compatible author: niklas Provide NI_MAXHOSTS for systems who do not have it author: niklas conditionalize getnaminfo and be a style pedant author: angelos Fix bounds checking for transforms to include AES (noticed by mickey@) author: angelos Add RIPEMD negotiation/configuration.
Revision 1.29 / (download) - annotate - [select for diffs], Mon Oct 9 23:27:30 2000 UTC (23 years, 7 months ago) by niklas
Branch: MAIN
Changes since 1.28: +6 -2 lines
Diff to previous 1.28 (colored)
samples/VPN-3way-template.conf: Merge with EOM 1.8 samples/VPN-east.conf: Merge with EOM 1.12 samples/VPN-west.conf: Merge with EOM 1.13 samples/policy: Merge with EOM 1.6 samples/singlehost-west.conf: Merge with EOM 1.9 samples/singlehost-east.conf: Merge with EOM 1.9 conf.c: Merge with EOM 1.37 ipsec.c: Merge with EOM 1.133 ipsec_num.cst: Merge with EOM 1.4 isakmpd.conf.5: Merge with EOM 1.48 isakmpd.policy.5: Merge with EOM 1.21 policy.c: Merge with EOM 1.46 author: angelos AES support.
Revision 1.28 / (download) - annotate - [select for diffs], Sat Oct 7 06:58:47 2000 UTC (23 years, 8 months ago) by niklas
Branch: MAIN
Changes since 1.27: +24 -15 lines
Diff to previous 1.27 (colored)
Merge with EOM 1.132 author: niklas style author: angelos Make sure the LIFE_DURATION length is 2 or 4 bytes (we don't handle anything else, although we could extend it to handle anything up to 8 bytes). author: provos don't crash when isakmp sa keystate = 0; happens when encountering high packet loss. author: ho ipsec_decode_ids is only used with USE_DEBUG author: provos style as pointed out by the code style pedant. author: provos proper reference counting for isakmp_sa in struct message, remove bogus calls to sa_reference; fix some more memory leaks in conf.c
Revision 1.27 / (download) - annotate - [select for diffs], Thu Aug 3 07:24:58 2000 UTC (23 years, 10 months ago) by niklas
Branch: MAIN
Changes since 1.26: +137 -3 lines
Diff to previous 1.26 (colored)
Merge with EOM 1.126 author: angelos Be more careful. author: angelos Oops, typo. author: angelos Avoid endless loop in INITIAL-CONTACT handling. author: angelos Don't delete the ISAKMP SA over which we received an INITIAL-CONTACT payload. author: provos make a DOI specific decode_ids, but have isakmp doi decode point to ipsec. author: provos indent author: provos introduce ipsec_decode_ids, also decodes FQDN and USER_FQDN now. new ipsec_clone_id to copy IDs to phase 2 SAs for better status reports. okay angelos@
Revision 1.26 / (download) - annotate - [select for diffs], Thu Jun 8 20:50:41 2000 UTC (23 years, 11 months ago) by niklas
Branch: MAIN
Changes since 1.25: +3 -3 lines
Diff to previous 1.25 (colored)
Merge with EOM 1.119 author: provos typo
Revision 1.25 / (download) - annotate - [select for diffs], Fri Feb 25 17:23:40 2000 UTC (24 years, 3 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_7_BASE,
OPENBSD_2_7
Changes since 1.24: +54 -49 lines
Diff to previous 1.24 (colored)
regress/crypto/Makefile: Merge with EOM 1.5 regress/dh/Makefile: Merge with EOM 1.7 regress/group/Makefile: Merge with EOM 1.9 regress/prf/Makefile: Merge with EOM 1.4 regress/rsakeygen/Makefile: Merge with EOM 1.8 regress/x509/Makefile: Merge with EOM 1.10 Makefile: Merge with EOM 1.62 attribute.c: Merge with EOM 1.10 sa.c: Merge with EOM 1.99 conf.c: Merge with EOM 1.20 crypto.c: Merge with EOM 1.28 isakmpd.c: Merge with EOM 1.45 connection.c: Merge with EOM 1.19 doi.h: Merge with EOM 1.28 field.c: Merge with EOM 1.11 exchange.c: Merge with EOM 1.116 ike_auth.c: Merge with EOM 1.44 pf_key_v2.c: Merge with EOM 1.37 ike_phase_1.c: Merge with EOM 1.22 ipsec.c: Merge with EOM 1.118 isakmp_doi.c: Merge with EOM 1.40 log.c: Merge with EOM 1.26 log.h: Merge with EOM 1.18 math_group.c: Merge with EOM 1.23 message.c: Merge with EOM 1.144 pf_encap.c: Merge with EOM 1.70 policy.c: Merge with EOM 1.18 timer.c: Merge with EOM 1.13 transport.c: Merge with EOM 1.41 udp.c: Merge with EOM 1.47 ui.c: Merge with EOM 1.37 x509.c: Merge with EOM 1.36 author: niklas Made debug logging a compile time selectable feature
Revision 1.24 / (download) - annotate - [select for diffs], Sat Feb 19 19:32:53 2000 UTC (24 years, 3 months ago) by niklas
Branch: MAIN
Changes since 1.23: +14 -19 lines
Diff to previous 1.23 (colored)
cert.c: Merge with EOM 1.14 ike_auth.c: Merge with EOM 1.43 ike_phase_1.c: Merge with EOM 1.21 init.c: Merge with EOM 1.24 ipsec.c: Merge with EOM 1.117 isakmpd.c: Merge with EOM 1.44 math_group.c: Merge with EOM 1.22 author: niklas Copyright 2000 author: niklas Allow isakmpd builders to remove optional parts and save bytes.
Revision 1.23 / (download) - annotate - [select for diffs], Wed Jan 26 15:23:32 2000 UTC (24 years, 4 months ago) by niklas
Branch: MAIN
Changes since 1.22: +4 -3 lines
Diff to previous 1.22 (colored)
Merge with EOM 1.115 author: ho Blowfish needs the KEY_LENGTH attribute accepted.
Revision 1.22 / (download) - annotate - [select for diffs], Tue Jul 13 15:46:43 1999 UTC (24 years, 10 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_6_BASE,
OPENBSD_2_6
Changes since 1.21: +4 -4 lines
Diff to previous 1.21 (colored)
ipsec.c: Merge with EOM 1.114 math_group.c: Merge with EOM 1.20 author: niklas Really make group 5 work
Revision 1.21 / (download) - annotate - [select for diffs], Wed Jul 7 22:13:08 1999 UTC (24 years, 11 months ago) by niklas
Branch: MAIN
Changes since 1.20: +35 -2 lines
Diff to previous 1.20 (colored)
ipsec.c: Merge with EOM 1.113 ipsec.h: Merge with EOM 1.37 author: niklas Add a function giving the size of a certain ID-payload
Revision 1.20 / (download) - annotate - [select for diffs], Wed Jun 2 06:33:36 1999 UTC (25 years ago) by niklas
Branch: MAIN
Changes since 1.19: +3 -28 lines
Diff to previous 1.19 (colored)
Merge with EOM 1.112 author: niklas Some restructuring of ID checks, but still no coupling to names.
Revision 1.19 / (download) - annotate - [select for diffs], Thu May 6 22:44:16 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.18: +23 -5 lines
Diff to previous 1.18 (colored)
Merge with EOM 1.111 author: niklas Reversed a condition by mistake author: niklas Another part of the former commit. author: niklas Do not add HASH to informational exchanges if we have no ISAKMP SA.
Revision 1.18 / (download) - annotate - [select for diffs], Sun May 2 22:05:35 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.17: +8 -7 lines
Diff to previous 1.17 (colored)
Merge with EOM 1.108 author: niklas Correct allocation of contacts
Revision 1.17 / (download) - annotate - [select for diffs], Sun May 2 19:20:33 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.16: +96 -3 lines
Diff to previous 1.16 (colored)
BUGS: Merge with EOM 1.31 doi.h: Merge with EOM 1.27 ike_auth.c: Merge with EOM 1.30 ike_quick_mode.c: Merge with EOM 1.85 ipsec.c: Merge with EOM 1.107 ipsec.h: Merge with EOM 1.36 isakmp_doi.c: Merge with EOM 1.39 author: niklas Factor out keyed hashing of all payloads with SKEYID_a, and make DOI hooks for informational exchanges to add such hashing. Use it from QM and the IKE authentication module too. Remove some bogus XXX comments. Add error reporting
Revision 1.16 / (download) - annotate - [select for diffs], Fri Apr 30 23:32:08 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.15: +8 -9 lines
Diff to previous 1.15 (colored)
Merge with EOM 1.106 author: niklas Informational exchanges do not have SAs
Revision 1.15 / (download) - annotate - [select for diffs], Fri Apr 30 11:47:41 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.14: +26 -13 lines
Diff to previous 1.14 (colored)
ipsec.c: Merge with EOM 1.105 isakmp_doi.c: Merge with EOM 1.38 author: niklas Recognize but ignore incoming informational exchanges author: niklas New message_drop API. Generate real INVALID_COOKIE notification. Generate informational exchanges in phase 1 too. Really get these messages to the wire
Revision 1.14 / (download) - annotate - [select for diffs], Tue Apr 27 21:05:18 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.13: +190 -46 lines
Diff to previous 1.13 (colored)
Merge with EOM 1.103 author: niklas Handle leftover payloads, esp INITIAL CONTACT notifications. Factor out SA expiration setting. Add commentary. author: niklas Send out INITIAL-CONTACT notifications
Revision 1.13 / (download) - annotate - [select for diffs], Mon Apr 19 21:04:41 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.12: +35 -15 lines
Diff to previous 1.12 (colored)
./ipsec.c: Merge with EOM 1.101 Style. alloc error reporting. Math error propagation. Allocate right sizes. Let's get aggressive! Added classes LOG_SA and LOG_EXCHANGE, converted many LOG_MISC to new classes, adjusted levels slightly. More SA logging. seconds are quad style Fix timer log message to show new lifetime Remove SA_FLAG_REPLACED settings from various parts in preparation of a grand unified setting in exchange_finalize. Fix sa_mark_replaced to not release a reference to the sa, and adjust the API as it won't get called as a finalize func anymore. Keep the original lifetime (before randomization) in the sa, if we sometime will create new proposals out of existing SAs. Add randomized decrease of ISAKMP SA lifetime
Revision 1.12 / (download) - annotate - [select for diffs], Mon Apr 5 20:57:50 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_5_BASE,
OPENBSD_2_5
Changes since 1.11: +26 -7 lines
Diff to previous 1.11 (colored)
Merge with EOM 1.92 More error reporting. Plug memleak (all memleak I have fixed recently have been discovered by the leak-finding mode of Boehm's conservative garbage collector). Error handling of group allocation. Memory alloc. error reporting. Be consistent on allocating keystate.
Revision 1.11 / (download) - annotate - [select for diffs], Fri Apr 2 01:09:07 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
Changes since 1.10: +8 -11 lines
Diff to previous 1.10 (colored)
Merge with EOM 1.89 Assign locals where they are needed, otherwise we might deref deallocated stuff. resource track exchange->name and sa->name
Revision 1.10 / (download) - annotate - [select for diffs], Wed Mar 31 20:29:37 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
Changes since 1.9: +6 -3 lines
Diff to previous 1.9 (colored)
Merge with EOM 1.87 Use SA refcounting where needed
Revision 1.9 / (download) - annotate - [select for diffs], Wed Mar 31 14:27:37 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
Changes since 1.8: +79 -41 lines
Diff to previous 1.8 (colored)
ipsec.c: Merge with EOM 1.86 ipsec.h: Merge with EOM 1.33 pf_encap.c: Merge with EOM 1.52 pf_key_v2.c: Merge with EOM 1.3 Fix case of missing client ID payloads, a case the standards allow. Thanks to Michael Paddon (mwp@aba.net.au) for the diffs I based my fix upon. His diff also made me realize I stored the address information in host order in internal structures where I had planned to use network order. Fix this, and remove the XXXes I had due to this elsewhere. Add commentary.
Revision 1.8 / (download) - annotate - [select for diffs], Wed Mar 31 00:51:07 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
Changes since 1.7: +80 -52 lines
Diff to previous 1.7 (colored)
Merge with EOM 1.85 Mark replaced SAs as such. Move SA naming earlier. Reorder & comment funcs.
Revision 1.7 / (download) - annotate - [select for diffs], Wed Mar 24 14:43:12 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
Changes since 1.6: +22 -16 lines
Diff to previous 1.6 (colored)
Merge with EOM 1.84 Use new sysdep API
Revision 1.6 / (download) - annotate - [select for diffs], Sat Feb 27 09:59:36 1999 UTC (25 years, 3 months ago) by niklas
Branch: MAIN
Changes since 1.5: +5 -2 lines
Diff to previous 1.5 (colored)
ipsec.c: Merge with EOM 1.83 Only accept IPsec SAs when searching for such sa.h: Merge with EOM 1.41 Stayalive connections as a default for now, init pf_encap_socket pf_encap.c: Merge with EOM 1.45 Stayalive connections as a default for now, init pf_encap_socket
Revision 1.5 / (download) - annotate - [select for diffs], Fri Feb 26 03:43:41 1999 UTC (25 years, 3 months ago) by niklas
Branch: MAIN
Changes since 1.4: +151 -51 lines
Diff to previous 1.4 (colored)
Merge from the Ericsson repository
| revision 1.82
| date: 1999/02/25 13:35:41; author: niklas; state: Exp; lines: +6 -2
| doh wrong replay window default
| ----------------------------
| revision 1.81
| date: 1999/02/25 11:39:07; author: niklas; state: Exp; lines: +3 -2
| include sysdep.h everywhere
| ----------------------------
| revision 1.80
| date: 1999/02/25 11:09:38; author: niklas; state: Exp; lines: +2 -2
| Make conf_get_num take a default value to give back when tag does not exist
| ----------------------------
| revision 1.79
| date: 1999/02/25 10:21:32; author: niklas; state: Exp; lines: +10 -5
| Replay window changes was done at the wrong level
| ----------------------------
| revision 1.78
| date: 1999/02/25 09:30:25; author: niklas; state: Exp; lines: +12 -1
| Replay protection window configurable
| ----------------------------
| revision 1.77
| date: 1999/02/14 00:21:10; author: niklas; state: Exp; lines: +62 -5
| Find relevant SAs out of IPsec expiration info. Do not automatically rekey.
| ----------------------------
| revision 1.76
| date: 1999/01/31 01:16:59; author: niklas; state: Exp; lines: +67 -45
| splitup ipsec_build_id into more useful API
| ----------------------------
Revision 1.4 / (download) - annotate - [select for diffs], Mon Dec 21 01:02:24 1998 UTC (25 years, 5 months ago) by niklas
Branch: MAIN
Changes since 1.3: +226 -5 lines
Diff to previous 1.3 (colored)
Last month's worth of work on isakmpd, lots done
Revision 1.3 / (download) - annotate - [select for diffs], Tue Nov 17 11:10:13 1998 UTC (25 years, 6 months ago) by niklas
Branch: MAIN
Changes since 1.2: +2 -1 lines
Diff to previous 1.2 (colored)
Add RCS Ids from the EOM repository
Revision 1.2 / (download) - annotate - [select for diffs], Sun Nov 15 00:43:55 1998 UTC (25 years, 6 months ago) by niklas
Branch: MAIN
Changes since 1.1: +1 -1 lines
Diff to previous 1.1 (colored)
openBSD RCS IDs
Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Sun Nov 15 00:03:48 1998 UTC (25 years, 6 months ago) by niklas
Branch: NIKLAS
CVS Tags: NIKLAS_981114
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)
Initial import of isakmpd, an IKE (ISAKMP/Oakley) implementation for the OpenBSD IPSEC stack by me, Niklas Hallqvist and Niels Provos, funded by Ericsson Radio Systems. It is not yet complete or usable in a real scenario but the missing pieces will soon be there. The early commit is for people who want early access and who are not afraid of looking at source. isakmpd interops with Cisco, Timestep, SSH & Pluto (Linux FreeS/WAN) so far, so it is not that incomplete. It is really mostly configuration that is lacking.
Revision 1.1 / (download) - annotate - [select for diffs], Sun Nov 15 00:03:48 1998 UTC (25 years, 6 months ago) by niklas
Branch: MAIN
Initial revision