Revision 1.107 (27-Oct-2017, mpi):
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@

Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE

Revision 1.106 (16-Mar-2016, krw):
More "(<blah> *)0" -> NULL, avoiding any stdarg functions.
Feedback millert@ kettenis@

Revision tags: OPENBSD_5_9_BASE

Revision 1.105 (09-Dec-2015, naddy):
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@

Revision 1.104 (20-Aug-2015, deraadt):
<stdlib.h> is included, so we do not need to cast the result from malloc, calloc, realloc* ok krw millert

Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE

Revision 1.103 (22-Nov-2013, deraadt):
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert

Revision tags: OPENBSD_5_4_BASE

Revision 1.102 (21-Mar-2013, deraadt):
remove excessive includes

Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE

Revision 1.101 (13-Jul-2012, mikeb):
Support additional MODP DH groups in Phase 1 and Phase 2. lteo@ noticed that ipsecctl allowed them within the ike rules while isakmpd failed to load the generated configuration. The fix was verified by hshoexer, ok naddy

Revision 1.100 (30-Jun-2012, naddy):
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@

Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE

Revision 1.99 (22-Sep-2010, mikeb):
Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC (as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
ok naddy

Revision tags: OPENBSD_4_8_BASE

Revision 1.98 (04-Aug-2010, deraadt):
fixup keylength for aes-128-cbc in quickmode from mikeb

Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE

Revision 1.97 (17-Feb-2008, hshoexer):
Define default configurations for AES-192 and AES-256. From Mitja Muzenic <mitja at muzenic dot net>, diff provided already quite some time ago, many many thanks. This should have gone in months ago but I was slacking, sorry for that.

Revision tags: OPENBSD_4_2_BASE

Revision 1.96 (01-Jun-2007, moritz):
Let conf_trans_node() set all parts of the node, so that we don't have to expose the node to the outside.
Without this, conf_trans_node() created a node, linked it into the conf_trans queue and returned it to the caller. If something failed in one of the callers, the half-initialized node would still be linked in the queue and could get accessed later on.
ok hshoexer@

Revision 1.95 (22-Apr-2007, moritz):
Free allocated node in conf_set_now() before failing, so we do not leak memory.
ok hshoexer@

Revision 1.94 (16-Apr-2007, moritz):
There's no point in checking ptr for NULL before doing free(ptr) since free(NULL) is just fine.
ok hshoexer@

Revision tags: OPENBSD_4_1_BASE

Revision 1.93 (19-Feb-2007, hshoexer):
isakmpd bits for ESP+NULL encryption. This is useful when AH cannot be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!

Revision tags: OPENBSD_4_0_BASE

Revision 1.92 (29-Aug-2006, hshoexer):
Properly define quick mode suites for AH. With naddy. ok ho

Revision 1.91 (10-Jun-2006, hshoexer):
Make deletion of SAs on shutdown optional. The default behaviour now is to not delete SAs. Needed for reliable ipsec failover. Suggested by mtu@. Moreover, this ensures that packets do not leak when isakmpd is shut down.
ok mcbride@, testing mtu@

Revision 1.90 (10-Jun-2006, msf):
Allow isakmpd to use a different private rsa key per isakmp ID. Hans wrote this a long time ago, I synced it to -current and tested.
ok hshoexer@

Revision 1.89 (10-Jun-2006, hshoexer):
This shouldn't have been committed yet.

Revision 1.88 (10-Jun-2006, hshoexer):
support sha2 for main mode hmacs and aesctr for quick mode encryption. ok markus@ ho@

Revision 1.87 (27-May-2006, hshoexer):
add group15/modp3072 to default configurations.

Revision tags: OPENBSD_3_9_BASE

Revision 1.86 (28-Dec-2005, hshoexer):
remove some unused functions and an unused variable found by lint.
ok markus@

Revision 1.85 (14-Nov-2005, deraadt):
use snprintf; ok cloder. also looked at by a few other people

Revision tags: OPENBSD_3_8_BASE

Revision 1.84 (02-Aug-2005, hshoexer):
Make sure to always load at least the default configuration values. Fixes a problem noticed by Yaron Wahl, who also pointed out that problem. Thanks!
ok mpf@

Revision 1.83 (26-May-2005, cloder):
Handle strdup returning NULL. OK hshoexer

Revision 1.82 (08-Apr-2005, cloder):
Make deterministic randomness (only ever used for testing) a compile-time option. Reduces chances of somehow setting regrand when it's not supposed to be set. Remove "-r" option from man page. Also xref certpatch(8) while we are in there. And remove some include sysdep.h where it is no longer needed. OK hshoexer

Revision 1.81 (08-Apr-2005, deraadt):
keynote and policy always compiled in

Revision 1.80 (08-Apr-2005, deraadt):
un-ifdef USE_BLOWFISH

Revision 1.79 (06-Apr-2005, deraadt):
knf, ok cloder

Revision 1.78 (05-Apr-2005, cloder):
Always compile X509 support. Almost everyone uses it. Makes the code much easier to read and to maintain. OK and testing by hshoexer@, more testing by me

Revision 1.77 (04-Apr-2005, deraadt):
spacing; ok cloder

Revision tags: OPENBSD_3_7_BASE

Revision 1.76 (15-Mar-2005, moritz):
reset config line numbers when daemon gets reinitialized. prevents wrong line numbers in error cases. help from jaredy@ and ok hshoexer@.

Revision 1.75 (10-Mar-2005, cloder):
Avoid memory leak if strdup should fail. OK hshoexer@

Revision 1.74 (14-Dec-2004, mcbride):
Allow the Address, Network, or Netmask values of the <IPsec-ID> to be specified with an interface name (in which case the first address is used) or the keyword 'default' (in which case the address is selected based on the default route). e.g.:
[roadwarrior-ip] ID-type= IPV4_ADDR Address= default
ok ho@ hshoexer@

Revision tags: OPENBSD_3_6_BASE

Revision 1.73 (08-Aug-2004, deraadt):
spacing

Revision 1.72 (29-Jul-2004, ho):
Less noise while debugging.

Revision 1.71 (25-Jun-2004, hshoexer):
Keynote policy checking can now be disabled by "-K" switch and config tag "Use-Keynote". Default is to use keynote.
ok henning@ ho@

Revision 1.70 (14-Jun-2004, hshoexer):
avoid stat before open
ok ho@

Revision 1.69 (14-Jun-2004, ho):
KNF, style, 80c, etc. hshoexer@ ok

Revision 1.68 (09-Jun-2004, ho):
Style nits. hshoexer@ ok

Revision 1.67 (14-May-2004, hshoexer):
Some more KNF, no binary change.
ok ho@

Revision 1.66 (23-Apr-2004, ho):
Make sure KEY_LENGTH attribute is present when checking AES proposals, required when acting as responder to SafeNet peers. Also make conf_load_defaults() readable again (KNF). hshoexer@ ok.

Revision 1.65 (15-Apr-2004, deraadt):
more knf; ok hshoexer

Revision 1.64 (15-Apr-2004, deraadt):
knf

Revision 1.63 (15-Apr-2004, deraadt):
partial move to KNF. More to come. This has happened because there are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer

Revision tags: OPENBSD_3_5_BASE

Revision 1.62 (19-Mar-2004, hshoexer):
Add missing bits to make already present privsep code work. Enable privsep.
ok ho@ deraadt@ markus@

Revision 1.61 (27-Feb-2004, hshoexer):
Add group 14 (modp2048) to predefined suites. Manpage also updated. ok ho@

Revision 1.60 (06-Jan-2004, hshoexer):
small typos fixed.
ok markus@

Revision tags: OPENBSD_3_4_BASE

Revision 1.59 (02-Sep-2003, ho):
A couple of nits. deraadt@ ok.

Revision 1.58 (28-Aug-2003, markus):
support AES in phase 1, too. switch to OpenSSL EVP interface; with Hans-Joerg.Hoexer at yerbouti.franken.de; ok ho@

Revision 1.57 (25-Jul-2003, markus):
add sha2 support; ok ho@

Revision 1.56 (10-Jun-2003, deraadt):
boring cleanups

Revision 1.55 (03-Jun-2003, ho):
Remove clauses 3 and 4. With approval from Niklas Hallqvist and Niels Provos.

Revision 1.54 (03-Jun-2003, ho):
Cleanup. Use 'sizeof variable' instead of magic constants.

Revision 1.53 (18-May-2003, ho):
More isakmpd privsep work. X509 private keys are now kept in the privileged process only. Various cleanup and bugfixes. markus@ ok

Revision 1.52 (15-May-2003, ho):
Start of privilege separation for isakmpd. There are some kinks left, so keep it default disabled for now. markus@ says ok to commit.

Revision 1.51 (14-May-2003, ho):
Default public key directory definition sanity.

Revision 1.50 (30-Apr-2003, jason):
cast size_t to unsigned long and use %lu; ok ho

Revision tags: OPENBSD_3_3_BASE

Revision 1.49 (04-Feb-2003, markus):
don't set the Transform for Default-phase-1-configuration twice, ok ho@

Revision 1.48 (06-Dec-2002, ho):
Section and tag comparisons should be case-insensitive. PR#3010, Mike Neuman.

Revision 1.47 (15-Nov-2002, ho):
Missing "Configuration" tag in a Phase-1 peer was not handled correctly, pointed out by Aref Taidi. Replace this with a "Default-Phase-1-Configuration" that will be used if this tag is missing from the peer. Update manpage accordingly. niklas@ ok.

Revision 1.46 (14-Nov-2002, ho):
Better whitespace/newline handling, this should make broken lines and multiple values parse correctly again, as well as fix PR#2974. Also fix some int/u_int mismatches, and remove conf_get_line() (obsolete).

Revision tags: OPENBSD_3_2_BASE

Revision 1.45 (11-Sep-2002, ho):
signed vs unsigned, some void * arithmetic, from -pedantic. niklas@ ok.

Revision 1.44 (07-Aug-2002, ho):
A rewrite of the CRL support code, also from <Thomas.Walpuski@gmx.net>. Some style mods, and checks added for OpenSSL version 0.9.7 or later. Currently CRLs are not supported for earlier versions. Manual pages updated.

Revision 1.43 (02-Aug-2002, ho):
CRL support for isakmpd. From <Thomas.Walpuski@gmx.net> with some minor modifications by me. ok niklas@.

Revision 1.42 (09-Jun-2002, todd):
rm trailing whitespace

Revision 1.41 (01-Jun-2002, deraadt):
size_t must be cast to (unsigned long) and printed using %lu

Revision 1.40 (28-May-2002, ho):
off_t to size_t change for printf format and malloc. Pointed out by <greg@nest.cx>

Revision 1.39 (29-Apr-2002, pvalchev):
wierd -> weird

Revision 1.38 (22-Apr-2002, ho):
Handle configuration lines that end in whitespace or ^M. Also avoid a potential memory leak.

Revision tags: OPENBSD_3_1_BASE

Revision 1.37 (01-Mar-2002, ho):
Change DH group handling in the pre-generated parts of the configuration. Add a -GRP{1,2,5} component to transform and suite names to directly specify which group to use. If no group is specified, use DH group 2 (MODP_1024). Earlier transforms and suites using the MD5 hash defaulted to DH group 1, this is no longer true. niklas@ ok.

Revision 1.36 (23-Jan-2002, ho):
the last few sprintf -> snprintf

Revision 1.35 (03-Jan-2002, ho):
str[n]{cpy,cat} -> strl{cpy,cat}, sprintf -> snprintf

Revision tags: OPENBSD_3_0_BASE

Revision 1.34 (05-Oct-2001, ho):
Missed this file; some more debug level fixes.

Revision 1.33 (05-Jul-2001, ho):
Add prototypes and some other various cleanup.

Revision 1.32 (01-Jul-2001, niklas):
Style

Revision 1.31 (29-Jun-2001, niklas):
Provide an API to get sockaddrs out of the config db

Revision tags: OPENBSD_2_9_BASE

Revision 1.30 (27-Mar-2001, ho):
(c)-2001

Revision 1.29 (13-Mar-2001, ho):
Somewhere along the line we stopped using the configuration file defaults properly. Make them work again. (niklas@ ok)

Revision 1.28 (28-Feb-2001, angelos):
Make sure the default lifetimes in the General section are taken into consideration.

Revision 1.27 (27-Jan-2001, niklas):
(c) 2001

Revision 1.26 (26-Jan-2001, niklas):
Pedantic style police

Revision 1.25 (12-Dec-2000, niklas):
Merge with EOM 1.48
author: angelos Add Default-phase-1-ID tag in [General], and document its use.
author: angelos Default Phase 1 entry.

Revision tags: OPENBSD_2_8_BASE

Revision 1.24 (27-Oct-2000, niklas):
branches: 1.24.2; conf.c: Merge with EOM 1.46 util.c: Merge EOM diff 1.20 - 1.21, i.e. 1.19 is still left to be merged
author: ho Use stat(), not lstat().

Revision 1.23 (26-Oct-2000, niklas):
Merge with EOM 1.45
author: niklas fgetc returns int not char; Boris Prochazka <boris@stargate.ipunplugged.com>

Revision 1.22 (16-Oct-2000, niklas):
Merge with EOM 1.44
author: angelos Just to be on the safe side, use a struct stat.
author: angelos Only do the secrecy check and parse the configuration file if it actually exists.
author: angelos Actually create all the pre-configured Transforms and Suites, even if the user doesn't actually define them in the configuration file; ugly kludge, but it allows use of isakmpd without a configuration file.
author: angelos Add RIPEMD negotiation/configuration.

Revision 1.21 (13-Oct-2000, niklas):
regress/b2n/Makefile: Merge with EOM 1.12 regress/ec2n/Makefile: Merge with EOM 1.9 conf.c: Merge with EOM 1.40 util.c: Merge with EOM 1.17
author: ho Add file permission check to private key file. Split out check function to util.c.

Revision 1.20 (13-Oct-2000, niklas):
Merge with EOM 1.39
author: ho Revert. Be strict about file mode.

Revision 1.19 (13-Oct-2000, niklas):
Merge with EOM 1.38
author: ho Warn but continue on isakmpd.conf permissions.

Revision 1.18 (09-Oct-2000, niklas):
samples/VPN-3way-template.conf: Merge with EOM 1.8 samples/VPN-east.conf: Merge with EOM 1.12 samples/VPN-west.conf: Merge with EOM 1.13 samples/policy: Merge with EOM 1.6 samples/singlehost-west.conf: Merge with EOM 1.9 samples/singlehost-east.conf: Merge with EOM 1.9 conf.c: Merge with EOM 1.37 ipsec.c: Merge with EOM 1.133 ipsec_num.cst: Merge with EOM 1.4 isakmpd.conf.5: Merge with EOM 1.48 isakmpd.policy.5: Merge with EOM 1.21 policy.c: Merge with EOM 1.46
author: angelos AES support.

Revision 1.17 (07-Oct-2000, niklas):
Merge with EOM 1.36
author: niklas Remove some spaces
author: niklas do not crash on empty config files
author: ho (c)-2000
author: provos style as pointed out by the code style pedant.
author: provos proper reference counting for isakmp_sa in struct message, remove bogus calls to sa_reference; fix some more memory leaks in conf.c

Revision 1.16 (08-Jun-2000, niklas):
Merge with EOM 1.31
author: angelos Initialize [Keynote]:Credential-directory.
author: ho Autogenerated p1/p2 default lifetimes can be defined in config.
author: niklas style

Revision tags: OPENBSD_2_7_BASE

Revision 1.15 (03-May-2000, niklas):
Merge with EOM 1.28
author: niklas style fascism
author: ho style fix
author: ho Typo in comment.
author: ho Typo; Cers-directory -> Cert-directory
author: ho Do not load configuration if isakmpd.conf is not owned by the user running isakmpd. Also, do not load config if file modes are too open. Do not warn about ignored duplicate tags when they are autogenerated.
author: niklas From ho: provide defaults for requested transforms, shortens config files vastly.

Revision 1.14 (02-May-2000, niklas):
Merge with EOM 1.26
author: ho Typo in comment.
author: ho Typo; Cers-directory -> Cert-directory
author: ho Do not load configuration if isakmpd.conf is not owned by the user running isakmpd. Also, do not load config if file modes are too open. Do not warn about ignored duplicate tags when they are autogenerated.
author: niklas From ho: provide defaults for requested transforms, shortens config files vastly.

Revision 1.13 (07-Apr-2000, niklas):
conf.c: Merge with EOM 1.22 gmp_util.c: Merge with EOM 1.5 gmp_util.h: Merge with EOM 1.3 math_mp.h: Merge with EOM 1.2 sa.c: Merge with EOM 1.101 ui.c: Merge with EOM 1.40
author: niklas (c) 2000

Revision 1.12 (07-Apr-2000, niklas):
conf.c: Merge with EOM 1.21 isakmpd.c: Merge with EOM 1.46 sa.c: Merge with EOM 1.100 ui.c: Merge with EOM 1.39
author: niklas error message style

Revision 1.11 (25-Feb-2000, niklas):
regress/crypto/Makefile: Merge with EOM 1.5 regress/dh/Makefile: Merge with EOM 1.7 regress/group/Makefile: Merge with EOM 1.9 regress/prf/Makefile: Merge with EOM 1.4 regress/rsakeygen/Makefile: Merge with EOM 1.8 regress/x509/Makefile: Merge with EOM 1.10 Makefile: Merge with EOM 1.62 attribute.c: Merge with EOM 1.10 sa.c: Merge with EOM 1.99 conf.c: Merge with EOM 1.20 crypto.c: Merge with EOM 1.28 isakmpd.c: Merge with EOM 1.45 connection.c: Merge with EOM 1.19 doi.h: Merge with EOM 1.28 field.c: Merge with EOM 1.11 exchange.c: Merge with EOM 1.116 ike_auth.c: Merge with EOM 1.44 pf_key_v2.c: Merge with EOM 1.37 ike_phase_1.c: Merge with EOM 1.22 ipsec.c: Merge with EOM 1.118 isakmp_doi.c: Merge with EOM 1.40 log.c: Merge with EOM 1.26 log.h: Merge with EOM 1.18 math_group.c: Merge with EOM 1.23 message.c: Merge with EOM 1.144 pf_encap.c: Merge with EOM 1.70 policy.c: Merge with EOM 1.18 timer.c: Merge with EOM 1.13 transport.c: Merge with EOM 1.41 udp.c: Merge with EOM 1.47 ui.c: Merge with EOM 1.37 x509.c: Merge with EOM 1.36
author: niklas Made debug logging a compile time selectable feature

Revision tags: OPENBSD_2_6_BASE

Revision 1.10 (05-Aug-1999, niklas):
DESIGN-NOTES: Merge with EOM 1.47 conf.c: Merge with EOM 1.19 conf.h: Merge with EOM 1.10 ui.c: Merge with EOM 1.34
author: niklas Dynamic updates of the configuration database is now possible, either through ui, or through the new conf_* API described in DESIGN-NOTES

Revision 1.9 (01-May-1999, niklas):
sysdep/openbsd/sysdep.c: Merge with EOM 1.7 DESIGN-NOTES: Merge with EOM 1.42 Makefile: Merge with EOM 1.51 app.c: Merge with EOM 1.6 conf.c: Merge with EOM 1.18 init.c: Merge with EOM 1.14 isakmpd.conf.5: Merge with EOM 1.19 pf_encap.c: Merge with EOM 1.64 pf_encap.h: Merge with EOM 1.12 pf_key_v2.h: Merge with EOM 1.3 sysdep.h: Merge with EOM 1.16 transport.c: Merge with EOM 1.40 ui.c: Merge with EOM 1.32
author: niklas A new connection abstraction

Revision tags: OPENBSD_2_5_BASE

Revision 1.8 (05-Apr-1999, niklas):
Merge with EOM 1.17 memory leak fixes
1999 copyrights

Revision 1.7 (02-Mar-1999, niklas):
conf.c: Merge with EOM 1.15 One include too much
conf.h: Merge with EOM 1.7 Forgotten include file

Revision 1.6 (26-Feb-1999, niklas):
Merge from the Ericsson repository
| revision 1.14
| date: 1999/02/25 11:38:47; author: niklas; state: Exp; lines: +3 -1
| include sysdep.h everywhere
| ----------------------------
| revision 1.13
| date: 1999/02/25 11:09:31; author: niklas; state: Exp; lines: +7 -4
| Make conf_get_num take a default value to give back when tag does not exist
| ----------------------------
| revision 1.12
| date: 1999/01/31 01:20:42; author: niklas; state: Exp; lines: +7 -1
| on-demand keying
| ----------------------------

Revision 1.5 (21-Dec-1998, niklas):
Remove bogus check of printableness of the config file

Revision 1.4 (20-Nov-1998, niklas):
Add iterator for tags in a section. Add range checking for numbers.

Revision 1.3 (17-Nov-1998, niklas):
Add RCS Ids from the EOM repository

Revision 1.2 (15-Nov-1998, niklas):
OpenBSD RCS IDs

Revision 1.1 (15-Nov-1998, niklas):
branches: 1.1.1; Initial revision