1.103 | 28-Apr-2024 | florian
gmtime(3) / localtime(3) can fail when timestamps are way off.
Add missing error checks to all calls under sbin/
Input & OK millert
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE OPENBSD_7_5_BASE

1.102 | 22-Oct-2021 | bluhm
After deleting hifn(4) the only provider for the LZS compression algorithm is gone. Remove all LZS references from the tree. The v42bis in isakmpd also looks unsupported. OK mvs@ patrick@ sthen@
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE

1.101 | 03-Jul-2019 | deraadt
snprintf/vsnprintf return < 0 on error, rather than -1.

1.100 | 28-Jun-2019 | deraadt
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE

1.99 | 15-Jan-2018 | mpi
Spacing, no object change.

1.98 | 04-Jan-2018 | mpi
space -> tab
No object change.
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE

1.97 | 22-Nov-2013 | deraadt
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
Revision tags: OPENBSD_5_4_BASE

1.96 | 16-Apr-2013 | deraadt
remove casts to time_t * which are not needed

1.95 | 21-Mar-2013 | deraadt
remove excessive includes
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE

1.94 | 30-Jun-2012 | naddy
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE

1.93 | 06-Apr-2011 | miod
Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0' for chars.
Revision tags: OPENBSD_4_9_BASE

1.92 | 22-Sep-2010 | mikeb
Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC (as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
ok naddy
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE

1.91 | 05-Aug-2007 | tom
Allow key exchange with RSA signature authentication to work with Cisco IOS and other initiators that only send their certs in response to CERT_REQUEST.
With input and help from cloder@, Stuart Henderson, mpf@, and several others who did lots of testing - thanks to all.
ok hshoexer@

1.90 | 16-Apr-2007 | moritz
There's no point in checking ptr for NULL before doing free(ptr) since free(NULL) is just fine.
ok hshoexer@
Revision tags: OPENBSD_4_1_BASE

1.89 | 03-Mar-2007 | cloder
keynote_cert_obtain should not leak in case of error. OK moritz@
Revision tags: OPENBSD_4_0_BASE

1.88 | 17-Jun-2006 | hshoexer
Do not leak file descriptor in error path. From Andrey Matveev <evol at online dot ptt dot ru>, thanks!
Revision tags: OPENBSD_3_9_BASE

1.87 | 14-Nov-2005 | deraadt
use snprintf; ok cloder. also looked at by a few other people
Revision tags: OPENBSD_3_8_BASE

1.86 | 14-Jun-2005 | hshoexer
add ENCAP_UDP_{TUNNEL,TRANSPORT} types according to rfc 3947
ok markus

1.85 | 08-Apr-2005 | cloder
Make deterministic randomness (only ever used for testing) a compile-time option. Reduces chances of somehow setting regrand when it's not supposed to be set. Remove "-r" option from man page. Also xref certpatch(8) while we are in there. And remove some include sysdep.h where it is no longer needed. OK hshoexer

1.84 | 08-Apr-2005 | deraadt
we have IPPROTO_ETHERIP

1.83 | 08-Apr-2005 | deraadt
nat-traversal always

1.82 | 06-Apr-2005 | deraadt
knf, ok cloder

1.81 | 04-Apr-2005 | deraadt
spacing; ok cloder
Revision tags: OPENBSD_3_7_BASE

1.80 | 03-Mar-2005 | hshoexer
handle return value of snprintf more carefully
ok cloder ho

1.79 | 27-Feb-2005 | hshoexer
where possible, use bzero instead of memset
ok cloder henning
Revision tags: OPENBSD_3_6_BASE

1.78 | 08-Aug-2004 | deraadt
spacing

1.77 | 25-Jun-2004 | hshoexer
Keynote policy checking can now be disabled by "-K" switch and config tag "Use-Keynote". Default is to use keynote.
ok henning@ ho@

1.76 | 24-Jun-2004 | hshoexer
Also handle keys from x509-certificates embedded in keynote credentials.
with msf@ ok ho@

1.75 | 20-Jun-2004 | ho
NAT-Traversal for isakmpd. Work in progress... hshoexer@ ok.

1.74 | 14-Jun-2004 | ho
KNF, style, 80c, etc. hshoexer@ ok

1.73 | 23-May-2004 | hshoexer
More KNF. Mainly spaces and line-wraps, no binary change.
ok ho@

1.72 | 23-May-2004 | deraadt
stat before open is flawed

1.71 | 28-Apr-2004 | hshoexer
remove unused variable and shorten names of two other. Removed some spaces while around.
ok ho@ markus@

1.70 | 15-Apr-2004 | deraadt
partial move to KNF. More to come. This has happened because there are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer

1.69 | 07-Apr-2004 | ho
-Wsign-compare nits. hshoexer@ ok.
Revision tags: OPENBSD_3_5_BASE

1.68 | 19-Mar-2004 | hshoexer
Add missing bits to make already present privsep code work. Enable privsep.
ok ho@ deraadt@ markus@

1.67 | 06-Nov-2003 | ho
Style nits.
Revision tags: OPENBSD_3_4_BASE

1.66 | 25-Jul-2003 | markus
add sha2 support; ok ho@

1.65 | 10-Jun-2003 | deraadt
boring cleanups

1.64 | 04-Jun-2003 | ho
Remove the rest of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D. Keromytis and Niels Provos.

1.63 | 03-Jun-2003 | ho
Cleanup. Use 'sizeof variable' instead of magic constants.

1.62 | 18-May-2003 | ho
More isakmpd privsep work. X509 private keys are now kept in the privileged process only. Various cleanup and bugfixes. markus@ ok

1.61 | 15-May-2003 | ho
Start of privilege separation for isakmpd. There are some kinks left, so keep it default disabled for now. markus@ says ok to commit.

1.60 | 14-May-2003 | ho
Policy file default defined twice, kill the local copy.

1.59 | 14-May-2003 | ho
I did not test this enough. Unbreak.

1.58 | 12-May-2003 | ho
AES -> AES_128_CBC
Revision tags: OPENBSD_3_3_BASE

1.57 | 14-Nov-2002 | ho
Use %d instead of %2d for better matching. From Mike Neuman. Fixes PR#2848.
Revision tags: OPENBSD_3_2_BASE

1.56 | 11-Sep-2002 | ho
signed vs unsigned, some void * arithmetic, from -pedantic. niklas@ ok.

1.55 | 15-Jun-2002 | angelos
ecn_* policy attributes --- ok ho@

1.54 | 10-Jun-2002 | ho
The dlopen() stuff goes away.

1.53 | 09-Jun-2002 | todd
rm trailing whitespace

1.52 | 01-Jun-2002 | deraadt
size_t must be cast to (unsigned long) and printed using %lu

1.51 | 28-May-2002 | ho
off_t to size_t change for printf format and malloc. Pointed out by <greg@nest.cx>
Revision tags: OPENBSD_3_1_BASE

1.50 | 23-Jan-2002 | angelos
Actually return the ESP/AH/COMP ground descriptions for policy comparisons -- from cjkim2000@yahoo.com

1.49 | 23-Jan-2002 | ho
no more strcpy/sprintf

1.48 | 23-Jan-2002 | ho
strcpy->strlcpy, sprintf->snprintf

1.47 | 03-Jan-2002 | ho
strftime format fixes. From Christo Butcher <christo@fox-it.com>.
Revision tags: OPENBSD_3_0_BASE

1.46 | 26-Aug-2001 | niklas
more style

1.45 | 25-Aug-2001 | niklas
Use x509_DN_string API. Style fixes.

1.44 | 24-Aug-2001 | ho
I was only going to remove #include "init.h", but found 8 more #include's we don't need here.

1.43 | 11-Aug-2001 | angelos
Allocate slightly larger buffer for cert.

1.42 | 05-Jul-2001 | angelos
DER_ASN1_DN ID handling --- untested

1.41 | 04-Jul-2001 | angelos
Better handling of Key IDs.

1.40 | 03-Jul-2001 | angelos
Fix policy information for IPv6 subnet/range cases. This is ugly, I'll have to find another way of dealing with IPv6 addresses.

1.39 | 03-Jul-2001 | ho
Wait with strlcpy a while, change to strncpy.

1.38 | 03-Jul-2001 | ho
use strlcpy instead of memcpy to copy strings

1.37 | 01-Jul-2001 | niklas
Style

1.36 | 01-Jul-2001 | angelos
Start support for IPv6 addresses in policy.

1.35 | 01-Jul-2001 | angelos
Fix remote_negotiation_address attribute; fix sockaddr2text() return value when zero-filling; log_error()->log_print() consistently.

1.34 | 29-Jun-2001 | ho
Change get_src/get_dst API as we get the length with sa_len.

1.33 | 29-Jun-2001 | ho
Initial IPv6 support. (niklas@ ok)

1.32 | 07-Jun-2001 | angelos
No need to allocate/free X509 policy information -- the certs are converted as needed, and the CA certs are irrelevant.

1.31 | 07-Jun-2001 | angelos
Get rid of the main policy session (unnecessary).

1.30 | 07-Jun-2001 | angelos
Add some log_print()

1.29 | 31-May-2001 | angelos
Routines for handling KeyNote cert representation.
Revision tags: OPENBSD_2_9_BASE

1.28 | 09-Apr-2001 | ho
Style police a'la niklas@.

1.27 | 05-Apr-2001 | ho
As the isakmpd.policy file can contain sensitive information, we want the same mode checks we use for isakmpd.conf. Style.

1.26 | 14-Mar-2001 | tholo
Make these compile again...

1.25 | 14-Mar-2001 | niklas
Indentation and style fascism

1.24 | 13-Mar-2001 | ho
Add logging classes for Negotiation and Policy, and change a number of debug messages to use these instead. Change a number of 'log_print' to debug messages to keep the noise down. Use 'log_error' instead of 'log_print' in some cases when we have errno. Some indentation fixes. (niklas@ ok)

1.23 | 07-Mar-2001 | angelos
Oops, use the right length for the key id.

1.22 | 07-Mar-2001 | angelos
Add KEY_ID support (mostly from roland@digitalvampire.org)

1.21 | 27-Jan-2001 | niklas
(c) 2001

1.20 | 26-Jan-2001 | niklas
Pedantic style police

1.19 | 10-Jan-2001 | angelos
Handle null remote_id/local_filter/remote_filter nicer.

1.18 | 23-Nov-2000 | niklas
policy.c: Merge with EOM 1.49 util.h: Merge with EOM 1.10
author: niklas style and removal of unused, unneeded code
Revision tags: OPENBSD_2_8_BASE

1.17 | 16-Oct-2000 | niklas
branches: 1.17.2; Merge with EOM 1.48
author: angelos Fix comment.
author: angelos Add RIPEMD negotiation/configuration.

1.16 | 09-Oct-2000 | niklas
samples/VPN-3way-template.conf: Merge with EOM 1.8 samples/VPN-east.conf: Merge with EOM 1.12 samples/VPN-west.conf: Merge with EOM 1.13 samples/policy: Merge with EOM 1.6 samples/singlehost-west.conf: Merge with EOM 1.9 samples/singlehost-east.conf: Merge with EOM 1.9 conf.c: Merge with EOM 1.37 ipsec.c: Merge with EOM 1.133 ipsec_num.cst: Merge with EOM 1.4 isakmpd.conf.5: Merge with EOM 1.48 isakmpd.policy.5: Merge with EOM 1.21 policy.c: Merge with EOM 1.46
author: angelos AES support.

1.15 | 07-Oct-2000 | niklas
Merge with EOM 1.45
author: angelos Unsigned integers for most attributes.
author: niklas Multiple subject name matching, makes certificate interop with PGPnet at least partly working. Added some error checking.
author: ho Nowadays we can use #include <openssl/...> instead of <ssl/...>
author: angelos Typo on checking esp lifetimes.
author: angelos Use the correct protocol from the IDi/IDr.

1.14 | 03-Aug-2000 | niklas
Merge with EOM 1.40
author: angelos Get the right value.
author: angelos Add "phase1_group_desc" attribute, and explain the various values.

1.13 | 08-Jun-2000 | niklas
Merge with EOM 1.38
author: angelos No need for NODEBUG actually...
author: angelos Use LOG_DBG() instead of log_debug()
author: angelos NODEBUG compile option, so regress doesn't barf.
author: angelos No point adding a handling attribute for the generic session.
author: angelos log_debug() for the action attributes.
author: angelos Different policy/Keynote sessions per Phase 1 SA.
author: angelos Allow exchange of KeyNote credentials over IKE. Multiple credentials may be passed in a single CERT payload. KeyNote is used if a directory named as the local ID we use in an exchange exists in the KeyNote directory (default: /etc/isakmpd/keynote/). Note that asymmetric credentials are possible (use KeyNote in one direction and X509 in the other); such authentication is envisioned to be the most common: the clients will use KeyNote credentials to authenticate and authorize with a server, whilst the server will just provide an X509 certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction, RSA in the other) is not supported by the IKE protocol.
author: angelos Correct pointer handling.
author: angelos A few more certificate handling routines for KeyNote.
author: angelos Some more support for KeyNote credential exchange (not yet done).
author: angelos Add a couple more KeyNote functions in the sym entries.
author: ho Some systems do not define IPPROTO_ETHERIP (yet).
Revision tags: OPENBSD_2_7_BASE

1.12 | 02-May-2000 | niklas
branches: 1.12.2; Merge with EOM 1.26
author: niklas style
author: angelos Move POLICY_FILE_DEFAULT definition to the .h file.
author: angelos Add etherip and protocol numbers in the transport protocol entries, document.

1.11 | 07-Apr-2000 | niklas
Merge with EOM 1.23
author: angelos Typo...
author: angelos *_ike_address -> *_negotiation_address (so it's not IKE specific)
author: angelos No need to use log_fatal...

1.10 | 07-Apr-2000 | niklas
Merge with EOM 1.20
author: niklas Hmm keynote does not exist in a dynamically linked version
author: angelos Add phase_1 attribute.

1.9 | 25-Feb-2000 | niklas
regress/crypto/Makefile: Merge with EOM 1.5 regress/dh/Makefile: Merge with EOM 1.7 regress/group/Makefile: Merge with EOM 1.9 regress/prf/Makefile: Merge with EOM 1.4 regress/rsakeygen/Makefile: Merge with EOM 1.8 regress/x509/Makefile: Merge with EOM 1.10 Makefile: Merge with EOM 1.62 attribute.c: Merge with EOM 1.10 sa.c: Merge with EOM 1.99 conf.c: Merge with EOM 1.20 crypto.c: Merge with EOM 1.28 isakmpd.c: Merge with EOM 1.45 connection.c: Merge with EOM 1.19 doi.h: Merge with EOM 1.28 field.c: Merge with EOM 1.11 exchange.c: Merge with EOM 1.116 ike_auth.c: Merge with EOM 1.44 pf_key_v2.c: Merge with EOM 1.37 ike_phase_1.c: Merge with EOM 1.22 ipsec.c: Merge with EOM 1.118 isakmp_doi.c: Merge with EOM 1.40 log.c: Merge with EOM 1.26 log.h: Merge with EOM 1.18 math_group.c: Merge with EOM 1.23 message.c: Merge with EOM 1.144 pf_encap.c: Merge with EOM 1.70 policy.c: Merge with EOM 1.18 timer.c: Merge with EOM 1.13 transport.c: Merge with EOM 1.41 udp.c: Merge with EOM 1.47 ui.c: Merge with EOM 1.37 x509.c: Merge with EOM 1.36
author: niklas Made debug logging a compile time selectable feature

1.8 | 19-Feb-2000 | niklas
Merge with EOM 1.17
author: niklas Copyright 2000

1.7 | 11-Feb-2000 | niklas
Merge with EOM 1.16
author: angelos Do a policy check on the Initiator, when notified by the Responder on the SA selection. For efficiency, we should replicate this check on the first message sent by the Initiator (so we only send proposals we know we'll eventually accept).
author: angelos Add an initiator attribute, and make the code amenable to be invoked by the initiator as well (for policy compliance checking).

1.6 | 01-Feb-2000 | niklas
apps/certpatch/certpatch.8: Merge with EOM 1.4 apps/certpatch/certpatch.c: Merge with EOM 1.6 exchange.c: Merge with EOM 1.114 ike_quick_mode.c: Merge with EOM 1.110 ike_phase_1.c: Merge with EOM 1.16 ike_auth.c: Merge with EOM 1.41 ike_aggressive.c: Merge with EOM 1.4 libcrypto.c: Merge with EOM 1.10 libcrypto.h: Merge with EOM 1.10 isakmpd.8: Merge with EOM 1.19 isakmpd.c: Merge with EOM 1.42 ipsec.h: Merge with EOM 1.40 init.c: Merge with EOM 1.22 message.c: Merge with EOM 1.143 message.h: Merge with EOM 1.49 sa.c: Merge with EOM 1.98 sa.h: Merge with EOM 1.54 policy.c: Merge with EOM 1.14 pf_key_v2.c: Merge with EOM 1.36 x509.c: Merge with EOM 1.32 x509.h: Merge with EOM 1.9 udp.c: Merge with EOM 1.46
author: niklas Angelos copyrights

1.5 | 27-Jan-2000 | niklas
Merge with EOM 1.13
author: ho Bugfix for IPSEC_ID_USER_FQDN from <Jorgen.Granstam@abc.se>. Apply similar to the IPSEC_ID_FQDN case plus fix the log messages.

1.4 | 26-Jan-2000 | niklas
Merge with EOM 1.12
date: 2000/01/25 02:21:10; author: angelos; state: Exp; lines: +2 -2 Move the policy file location
author: angelos GMTTimeOfDay and LocalTimeOfDay attributes, comment in x509.c.
author: angelos Oops on previous PFS-policy patch. Small fixes in the manpages.
author: angelos Add pfs keynote attribute.
author: angelos Include files, in anticipation of the keynote.h changes.

1.3 | 26-Oct-1999 | angelos
sync with latest libkeynote (include file changes only)
Revision tags: OPENBSD_2_6_BASE

1.2 | 26-Aug-1999 | niklas
Merge with EOM 1.7
author: niklas Support dynamic loading of libkeynote too. Build isakmpd static by default. Stylistic cleanup of keynote policy code. Correct some libcrypto calls.
author: niklas more style
author: niklas isakmpd style
author: angelos Hopefully better wording of variables.
author: angelos Complete policy work; tested for the shared-key case. Documentation needed.

1.1 | 07-Jul-1999 | niklas
policy.h: Merge with EOM 1.2 policy.c: Merge with EOM 1.2
author: niklas Remove $EOM$ from Eom repository version
author: niklas New file, for keynote policy handling. By angelos@openbsd.org
|
#
1.102 |
|
22-Oct-2021 |
bluhm |
After deleting hifn(4) the only provider for the LZS compression algorithm is gone. Reomve all LZS references from the tree. The v42bis in isakmpd also looks unsupported. OK mvs@ patrick@ sthen@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.101 |
|
03-Jul-2019 |
deraadt |
snprintf/vsnprintf return < 0 on error, rather than -1.
|
#
1.100 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.99 |
|
15-Jan-2018 |
mpi |
Spacing, no object change.
|
#
1.98 |
|
04-Jan-2018 |
mpi |
space -> tab
No object change.
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.97 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.96 |
|
16-Apr-2013 |
deraadt |
remove casts to time_t * which are not needed
|
#
1.95 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
|
#
1.94 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.93 |
|
06-Apr-2011 |
miod |
Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0' for chars.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.92 |
|
22-Sep-2010 |
mikeb |
Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC (as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
ok naddy
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.91 |
|
05-Aug-2007 |
tom |
Allow key exchange with RSA signature authentication to work with Cisco IOS and other initiators that only send their certs in response to CERT_REQUEST.
With input and help from cloder@, Stuart Henderson, mpf@, and several others who did lots of testing - thanks to all.
ok hshoexer@
|
#
1.90 |
|
16-Apr-2007 |
moritz |
There's no point in checking ptr for NULL before doing free(ptr) since free(NULL) is just fine.
ok hshoexer@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.89 |
|
03-Mar-2007 |
cloder |
keynote_cert_obtain should not leak in case of error. OK moritz@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
17-Jun-2006 |
hshoexer |
Do not leak file descriptor in error path. From Andrey Matveev <evol at online dot ptt dot ru>, thanks!
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.87 |
|
14-Nov-2005 |
deraadt |
use snprintf; ok cloder. also looked at by a few other people
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.86 |
|
14-Jun-2005 |
hshoexer |
add ENCAP_UDP_{TUNNEL,TRANSPORT} types according to rfc 3947
ok markus
|
#
1.85 |
|
08-Apr-2005 |
cloder |
Make deterministic randomness (only ever used for testing) a compile-time option. Reduces chances of somehow setting regrand when it's not supposed to be set. Remove "-r" option from man page. Also xref certpatch(8) while we are in there. And remove some include sysdep.h where it is no longer needed. OK hshoexer
|
#
1.84 |
|
08-Apr-2005 |
deraadt |
we have IPPROTO_ETHERIP
|
#
1.83 |
|
08-Apr-2005 |
deraadt |
nat-traversal always
|
#
1.82 |
|
06-Apr-2005 |
deraadt |
knf, ok cloder
|
#
1.81 |
|
04-Apr-2005 |
deraadt |
spacing; ok cloder
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.80 |
|
03-Mar-2005 |
hshoexer |
handle return value of snprintf more carefully
ok cloder ho
|
#
1.79 |
|
27-Feb-2005 |
hshoexer |
where possible, use bzero instead of memset
ok cloder henning
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.78 |
|
08-Aug-2004 |
deraadt |
spacing
|
#
1.77 |
|
25-Jun-2004 |
hshoexer |
Keynote policy checking can now be disabled by "-K" switch and config tag "Use-Keynote". Default is to use keynote.
ok henning@ ho@
|
#
1.76 |
|
24-Jun-2004 |
hshoexer |
Also handle keys from x509-certificates embedded in keynote credentials.
with msf@ ok ho@
|
#
1.75 |
|
20-Jun-2004 |
ho |
NAT-Traversal for isakmpd. Work in progress... hshoexer@ ok.
|
#
1.74 |
|
14-Jun-2004 |
ho |
KNF, style, 80c, etc. hshoexer@ ok
|
#
1.73 |
|
23-May-2004 |
hshoexer |
More KNF. Mainly spaces and line-wraps, no binary change.
ok ho@
|
#
1.72 |
|
23-May-2004 |
deraadt |
stat before open is flawed
|
#
1.71 |
|
28-Apr-2004 |
hshoexer |
remove unused variable and shorten names of two other. Removed some spaces while around.
ok ho@ markus@
|
#
1.70 |
|
15-Apr-2004 |
deraadt |
partial move to KNF. More to come. This has happened because there are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer
|
#
1.69 |
|
07-Apr-2004 |
ho |
-Wsign-compare nits. hshoexer@ ok.
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.68 |
|
19-Mar-2004 |
hshoexer |
Add missing bits to make already present privsep code work. Enable privsep.
ok ho@ deraadt@ markus@
|
#
1.67 |
|
06-Nov-2003 |
ho |
Style nits.
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.66 |
|
25-Jul-2003 |
markus |
add sha2 support; ok ho@
|
#
1.65 |
|
10-Jun-2003 |
deraadt |
boring cleanups
|
#
1.64 |
|
04-Jun-2003 |
ho |
Remove the rest of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D. Keromytis and Niels Provos.
|
#
1.63 |
|
03-Jun-2003 |
ho |
Cleanup. Use 'sizeof variable' instead of magic constants.
|
#
1.62 |
|
18-May-2003 |
ho |
More isakmpd privsep work. X509 private keys are now kept in the privileged process only. Various cleanup and bugfixes. markus@ ok
|
#
1.61 |
|
15-May-2003 |
ho |
Start of privilege separation for isakmpd. There are some kinks left, so keep it default disabled for now. markus@ says ok to commit.
|
#
1.60 |
|
14-May-2003 |
ho |
Policy file default defined twice, kill the local copy.
|
#
1.59 |
|
14-May-2003 |
ho |
I did not test this enough. Unbreak.
|
#
1.58 |
|
12-May-2003 |
ho |
AES -> AES_128_CBC
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.57 |
|
14-Nov-2002 |
ho |
Use %d instead of %2d for better matching. From Mike Neuman. Fixes PR#2848.
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.56 |
|
11-Sep-2002 |
ho |
signed vs unsigned, some void * arithmetic, from -pedantic. niklas@ ok.
|
#
1.55 |
|
15-Jun-2002 |
angelos |
ecn_* policy attributes --- ok ho@
|
#
1.54 |
|
10-Jun-2002 |
ho |
The dlopen() stuff goes away.
|
#
1.53 |
|
09-Jun-2002 |
todd |
rm trailing whitespace
|
#
1.52 |
|
01-Jun-2002 |
deraadt |
size_t must be cast to (unsigned long) and printed using %lu
|
#
1.51 |
|
28-May-2002 |
ho |
off_t to size_t change for printf format and malloc. Pointed out by <greg@nest.cx>
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.50 |
|
23-Jan-2002 |
angelos |
Actually return the ESP/AH/COMP ground descriptions for policy comparisons -- from cjkim2000@yahoo.com
|
#
1.49 |
|
23-Jan-2002 |
ho |
no more strcpy/sprintf
|
#
1.48 |
|
23-Jan-2002 |
ho |
strcpy->strlcpy, sprintf->snprintf
|
#
1.47 |
|
03-Jan-2002 |
ho |
strftime format fixes. From Christo Butcher <christo@fox-it.com>.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.46 |
|
26-Aug-2001 |
niklas |
more style
|
#
1.45 |
|
25-Aug-2001 |
niklas |
Use x509_DN_string API. Style fixes.
|
#
1.44 |
|
24-Aug-2001 |
ho |
I was only going to remove #include "init.h", but found 8 more #include's we don't need here.
|
#
1.43 |
|
11-Aug-2001 |
angelos |
Allocate slightly larger buffer for cert.
|
#
1.42 |
|
05-Jul-2001 |
angelos |
DER_ASN1_DN ID handling --- untested
|
#
1.41 |
|
04-Jul-2001 |
angelos |
Better handling of Key IDs.
|
#
1.40 |
|
03-Jul-2001 |
angelos |
Fix policy information for IPv6 subnet/range cases. This is ugly, I'll have to find another way of dealing with IPv6 addresses.
|
#
1.39 |
|
03-Jul-2001 |
ho |
Wait with strlcpy a while, change to strncpy.
|
#
1.38 |
|
03-Jul-2001 |
ho |
use strlcpy instead of memcpy to copy strings
|
#
1.37 |
|
01-Jul-2001 |
niklas |
Style
|
#
1.36 |
|
01-Jul-2001 |
angelos |
Start support for IPv6 addresses in policy.
|
#
1.35 |
|
01-Jul-2001 |
angelos |
Fix remote_negotiation_address attribute; fix sockaddr2text() return value when zero-filling; log_error()->log_print() consistently.
|
#
1.34 |
|
29-Jun-2001 |
ho |
Change get_src/get_dst API as we get the length with sa_len.
|
#
1.33 |
|
29-Jun-2001 |
ho |
Initial IPv6 support. (niklas@ ok)
|
#
1.32 |
|
07-Jun-2001 |
angelos |
No need to allocate/free X509 policy information -- the certs are converted as needed, and the CA certs are irrelevant.
|
#
1.31 |
|
07-Jun-2001 |
angelos |
Get rid of the main policy session (unnecessary).
|
#
1.30 |
|
07-Jun-2001 |
angelos |
Add some log_print()
|
#
1.29 |
|
31-May-2001 |
angelos |
Routines for handling KeyNote cert representation.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.28 |
|
09-Apr-2001 |
ho |
Style police a'la niklas@.
|
#
1.27 |
|
05-Apr-2001 |
ho |
As the isakmpd.policy file can contain sensitive information, we want the same mode checks we use for isakmpd.conf. Style.
|
#
1.26 |
|
14-Mar-2001 |
tholo |
Make these compile again...
|
#
1.25 |
|
14-Mar-2001 |
niklas |
Indentation and style fascism
|
#
1.24 |
|
13-Mar-2001 |
ho |
Add logging classes for Negotiation and Policy, and change a number of debug messages to use these instead. Change a number of 'log_print' to debug messages to keep the noise down. Use 'log_error' instead of 'log_print' in some cases when we have errno. Some indentation fixes. (niklas@ ok)
|
#
1.23 |
|
07-Mar-2001 |
angelos |
Oops, use the right legnth for the key id.
|
#
1.22 |
|
07-Mar-2001 |
angelos |
Add KEY_ID support (mostly from roland@digitalvampire.org)
|
#
1.21 |
|
27-Jan-2001 |
niklas |
(c) 2001
|
#
1.20 |
|
26-Jan-2001 |
niklas |
Pedantic style police
|
#
1.19 |
|
10-Jan-2001 |
angelos |
Handle null remote_id/local_filter/remote_filter nicer.
|
#
1.18 |
|
23-Nov-2000 |
niklas |
policy.c: Merge with EOM 1.49 util.h: Merge with EOM 1.10
author: niklas style and removal of unused, unneeded code
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.17 |
|
16-Oct-2000 |
niklas |
branches: 1.17.2; Merge with EOM 1.48
author: angelos Fix comment.
author: angelos Add RIPEMD negotiation/configuration.
|
#
1.16 |
|
09-Oct-2000 |
niklas |
samples/VPN-3way-template.conf: Merge with EOM 1.8 samples/VPN-east.conf: Merge with EOM 1.12 samples/VPN-west.conf: Merge with EOM 1.13 samples/policy: Merge with EOM 1.6 samples/singlehost-west.conf: Merge with EOM 1.9 samples/singlehost-east.conf: Merge with EOM 1.9 conf.c: Merge with EOM 1.37 ipsec.c: Merge with EOM 1.133 ipsec_num.cst: Merge with EOM 1.4 isakmpd.conf.5: Merge with EOM 1.48 isakmpd.policy.5: Merge with EOM 1.21 policy.c: Merge with EOM 1.46
author: angelos AES support.
|
#
1.15 |
|
07-Oct-2000 |
niklas |
Merge with EOM 1.45
author: angelos Unsigned integers for most attributes.
author: niklas Multiple subject name matching, makes certificate interop with PGPnet at least partly working. Added some error checking.
author: ho Nowadays we can use #include <openssl/...> instead of <ssl/...>
author: angelos Typo on checking esp lifetimes.
author: angelos Use the correct protocol from the IDi/IDr.
|
#
1.14 |
|
03-Aug-2000 |
niklas |
Merge with EOM 1.40
author: angelos Get the right value.
author: angelos Add "phase1_group_desc" attribute, and explain the various values.
|
#
1.13 |
|
08-Jun-2000 |
niklas |
Merge with EOM 1.38
author: angelos No need for NODEBUG actually...
author: angelos Use LOG_DBG() instead of log_debug()
author: angelos NODEBUG compile option, so regress doesn't barf.
author: angelos No point adding a handling attribute for the generic session.
author: angelos log_debug() for the action attributes.
author: angelos Different policy/Keynote sessions per Phase 1 SA.
author: angelos Allow exchange of KeyNote credentials over IKE. Multiple credentials may be passed in a single CERT payload. KeyNote is used if a directory named as the local ID we use in an exchange exists in the KeyNote directory (default: /etc/isakmpd/keynote/). Note that asymmetric credentials are possible (use KeyNote in one direction and X509 in the other); such authentication is envisioned to be the most common: the clients will use KeyNote credentials to authenticate and authorize with a server, whilst the server will just provide an X509 certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction, RSA in the other) is not supported by the IKE protocol.
author: angelos Correct pointer handling.
author: angelos A few more certificate handling routines for KeyNote.
author: angelos Some more support for KeyNote credential exchange (not yet done).
author: angelos Add a couple more KeyNote functions in the sym entries.
author: ho Some systems do not define IPPROTO_ETHERIP (yet).
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.12 |
|
02-May-2000 |
niklas |
branches: 1.12.2; Merge with EOM 1.26
author: niklas style
author: angelos Move POLICY_FILE_DEFAULT definition to the .h file.
author: angelos Add etherip and protocol numbers in the transport protocol entries, document.
|
#
1.11 |
|
07-Apr-2000 |
niklas |
Merge with EOM 1.23
author: angelos Typo...
author: angelos *_ike_address -> *_negotiation_address (so it's not IKE specific)
author: angelos No need to use log_fatal...
|
#
1.10 |
|
07-Apr-2000 |
niklas |
Merge with EOM 1.20
author: niklas Hmm keynote does not exist in a dynamically linked version
author: angelos Add phase_1 attribute.
|
#
1.9 |
|
25-Feb-2000 |
niklas |
regress/crypto/Makefile: Merge with EOM 1.5 regress/dh/Makefile: Merge with EOM 1.7 regress/group/Makefile: Merge with EOM 1.9 regress/prf/Makefile: Merge with EOM 1.4 regress/rsakeygen/Makefile: Merge with EOM 1.8 regress/x509/Makefile: Merge with EOM 1.10 Makefile: Merge with EOM 1.62 attribute.c: Merge with EOM 1.10 sa.c: Merge with EOM 1.99 conf.c: Merge with EOM 1.20 crypto.c: Merge with EOM 1.28 isakmpd.c: Merge with EOM 1.45 connection.c: Merge with EOM 1.19 doi.h: Merge with EOM 1.28 field.c: Merge with EOM 1.11 exchange.c: Merge with EOM 1.116 ike_auth.c: Merge with EOM 1.44 pf_key_v2.c: Merge with EOM 1.37 ike_phase_1.c: Merge with EOM 1.22 ipsec.c: Merge with EOM 1.118 isakmp_doi.c: Merge with EOM 1.40 log.c: Merge with EOM 1.26 log.h: Merge with EOM 1.18 math_group.c: Merge with EOM 1.23 message.c: Merge with EOM 1.144 pf_encap.c: Merge with EOM 1.70 policy.c: Merge with EOM 1.18 timer.c: Merge with EOM 1.13 transport.c: Merge with EOM 1.41 udp.c: Merge with EOM 1.47 ui.c: Merge with EOM 1.37 x509.c: Merge with EOM 1.36
author: niklas Made debug logging a compile time selectable feature
|
#
1.8 |
|
19-Feb-2000 |
niklas |
Merge with EOM 1.17
author: niklas Copyright 2000
|
#
1.7 |
|
11-Feb-2000 |
niklas |
Merge with EOM 1.16
author: angelos Do a policy check on the Initiator, when notified by the Responder on the SA selection. For efficiency, we should replicate this check on the first message sent by the Initiator (so we only send proposals we know we'll eventually accept).
author: angelos Add an initiator attribute, and make the code amenable to be invoked by the initiator as well (for policy compliance checking).
|
#
1.6 |
|
01-Feb-2000 |
niklas |
apps/certpatch/certpatch.8: Merge with EOM 1.4 apps/certpatch/certpatch.c: Merge with EOM 1.6 exchange.c: Merge with EOM 1.114 ike_quick_mode.c: Merge with EOM 1.110 ike_phase_1.c: Merge with EOM 1.16 ike_auth.c: Merge with EOM 1.41 ike_aggressive.c: Merge with EOM 1.4 libcrypto.c: Merge with EOM 1.10 libcrypto.h: Merge with EOM 1.10 isakmpd.8: Merge with EOM 1.19 isakmpd.c: Merge with EOM 1.42 ipsec.h: Merge with EOM 1.40 init.c: Merge with EOM 1.22 message.c: Merge with EOM 1.143 message.h: Merge with EOM 1.49 sa.c: Merge with EOM 1.98 sa.h: Merge with EOM 1.54 policy.c: Merge with EOM 1.14 pf_key_v2.c: Merge with EOM 1.36 x509.c: Merge with EOM 1.32 x509.h: Merge with EOM 1.9 udp.c: Merge with EOM 1.46
author: niklas Angelos copyrights
|
#
1.5 |
|
27-Jan-2000 |
niklas |
Merge with EOM 1.13
author: ho Bugfix for IPSEC_ID_USER_FQDN from <Jorgen.Granstam@abc.se>. Apply similar to the IPSEC_ID_FQDN case plus fix the log messages.
|
#
1.4 |
|
26-Jan-2000 |
niklas |
Merge with EOM 1.12
date: 2000/01/25 02:21:10; author: angelos; state: Exp; lines: +2 -2 Move the policy file location
author: angelos GMTTimeOfDay and LocalTimeOfDay attributes, comment in x509.c.
author: angelos Oops on previous PFS-policy patch. Small fixes in the manpages.
author: angelos Add pfs keynote attribute.
author: angelos Include files, in anticipation of the keynote.h changes.
|
#
1.3 |
|
26-Oct-1999 |
angelos |
sync with latest libkeynote (include file changes only)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.2 |
|
26-Aug-1999 |
niklas |
Merge with EOM 1.7
author: niklas Support dynamic loading of libkeynote too. Build isakmpd static by default. Stylistic cleanup of keynote policy code. Correct some libcrypto calls.
author: niklas more style
author: niklas isakmpd style
author: angelos Hopefully better wording of variables.
author: angelos Complete policy work; tested for the shared-key case. Documentation needed.
|
#
1.1 |
|
07-Jul-1999 |
niklas |
policy.h: Merge with EOM 1.2 policy.c: Merge with EOM 1.2
author: niklas Remove $EOM$ from Eom repository version
author: niklas New file, for keynote policy handling. By angelos@openbsd.org
|
author: niklas Made debug logging a compile time selectable feature
|
#
1.8 |
|
19-Feb-2000 |
niklas |
Merge with EOM 1.17
author: niklas Copyright 2000
|
#
1.7 |
|
11-Feb-2000 |
niklas |
Merge with EOM 1.16
author: angelos Do a policy check on the Initiator, when notified by the Responder on the SA selection. For efficiency, we should replicate this check on the first message sent by the Initiator (so we only send proposals we know we'll eventually accept).
author: angelos Add an initiator attribute, and make the code amenable to be invoked by the initiator as well (for policy compliance checking).
|
#
1.6 |
|
01-Feb-2000 |
niklas |
apps/certpatch/certpatch.8: Merge with EOM 1.4 apps/certpatch/certpatch.c: Merge with EOM 1.6 exchange.c: Merge with EOM 1.114 ike_quick_mode.c: Merge with EOM 1.110 ike_phase_1.c: Merge with EOM 1.16 ike_auth.c: Merge with EOM 1.41 ike_aggressive.c: Merge with EOM 1.4 libcrypto.c: Merge with EOM 1.10 libcrypto.h: Merge with EOM 1.10 isakmpd.8: Merge with EOM 1.19 isakmpd.c: Merge with EOM 1.42 ipsec.h: Merge with EOM 1.40 init.c: Merge with EOM 1.22 message.c: Merge with EOM 1.143 message.h: Merge with EOM 1.49 sa.c: Merge with EOM 1.98 sa.h: Merge with EOM 1.54 policy.c: Merge with EOM 1.14 pf_key_v2.c: Merge with EOM 1.36 x509.c: Merge with EOM 1.32 x509.h: Merge with EOM 1.9 udp.c: Merge with EOM 1.46
author: niklas Angelos copyrights
|
#
1.5 |
|
27-Jan-2000 |
niklas |
Merge with EOM 1.13
author: ho Bugfix for IPSEC_ID_USER_FQDN from <Jorgen.Granstam@abc.se>. Apply similar to the IPSEC_ID_FQDN case plus fix the log messages.
|
#
1.4 |
|
26-Jan-2000 |
niklas |
Merge with EOM 1.12
date: 2000/01/25 02:21:10; author: angelos; state: Exp; lines: +2 -2 Move the policy file location
author: angelos GMTTimeOfDay and LocalTimeOfDay attributes, comment in x509.c.
author: angelos Oops on previous PFS-policy patch. Small fixes in the manpages.
author: angelos Add pfs keynote attribute.
author: angelos Include files, in anticipation of the keynote.h changes.
|
#
1.3 |
|
26-Oct-1999 |
angelos |
sync with latest libkeynote (include file changes only)
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.2 |
|
26-Aug-1999 |
niklas |
Merge with EOM 1.7
author: niklas Support dynamic loading of libkeynote too. Build isakmpd static by default. Stylistic cleanup of keynote policy code. Correct some libcrypto calls.
author: niklas more style
author: niklas isakmpd style
author: angelos Hopefully better wording of variables.
author: angelos Complete policy work; tested for the shared-key case. Documentation needed.
|
#
1.1 |
|
07-Jul-1999 |
niklas |
policy.h: Merge with EOM 1.2 policy.c: Merge with EOM 1.2
author: niklas Remove $EOM$ from Eom repository version
author: niklas New file, for keynote policy handling. By angelos@openbsd.org
|