------------------------------------------------------------------------
r482 | mgrooms | 2008-06-19 12:44:07 -0500 (Thu, 19 Jun 2008) | 1 line
Branch for 2.1.0 release.
------------------------------------------------------------------------
r481 | mgrooms | 2008-06-18 23:35:54 -0500 (Wed, 18 Jun 2008) | 1 line
Create 2.1 maintenance branch.
------------------------------------------------------------------------
r476 | mgrooms | 2008-06-17 22:29:34 -0500 (Tue, 17 Jun 2008) | 1 line
Correct a regression on Windows 2000 that occurred after fixing the
return value issue with the generic IPC send path. This version of
windows behaves a bit differently.
------------------------------------------------------------------------
r475 | mgrooms | 2008-06-17 17:06:06 -0500 (Tue, 17 Jun 2008) | 1 line
Correct a bug where the generic IPC lower send function returned success
when an error condition occurred. This caused the higher send function
to endlessly loop. Initially reported by Fabian Weber.
------------------------------------------------------------------------
r474 | mgrooms | 2008-06-14 14:35:35 -0500 (Sat, 14 Jun 2008) | 1 line
Correct a bug in iked where it could enter a high utilization loop if
the pfkey interface is unavailable.
------------------------------------------------------------------------
r473 | mgrooms | 2008-06-10 19:21:53 -0500 (Tue, 10 Jun 2008) | 2 lines
Correct a bug just committed to ikec that caused invalid nameservers to
be configured.
------------------------------------------------------------------------
r472 | mgrooms | 2008-06-10 19:08:36 -0500 (Tue, 10 Jun 2008) | 2 lines
Add support to ikec for multiple WINS and DNS servers being read from a
site configuration file. Requested by Juan Rios.
------------------------------------------------------------------------
r471 | mgrooms | 2008-06-10 18:13:26 -0500 (Tue, 10 Jun 2008) | 1 line
Fix a bug in iked where we are not handling failed user authentication.
Reported by Juan Rios.
------------------------------------------------------------------------
r470 | mgrooms | 2008-06-09 21:24:20 -0500 (Mon, 09 Jun 2008) | 2 lines
Update the iked configuration file parser and Unix VPN Trace application
to support the new DPD parameters.
------------------------------------------------------------------------
r469 | mgrooms | 2008-06-09 21:13:52 -0500 (Mon, 09 Jun 2008) | 5 lines
Modify iked to use an improved Dead Peer Detection algorithm. This uses
fewer DPD notifications per minute and provides for more aggressive retry
attempts before declaring a tunnel dead. Also improve DPD event logging.
Modify iked to use an ISAKMP grace of several seconds before deletion to
allow for time drift between peers. Outbound messages are never
processed using an expired ISAKMP SA but received messages can be
processed using an expired SA during this grace period. This prevents us
from dropping notifications sent by a peer that prefers older ISAKMP SAs
until they expire.
Update our todo list.
------------------------------------------------------------------------
r468 | mgrooms | 2008-06-06 14:25:21 -0500 (Fri, 06 Jun 2008) | 1 line
Update our in tree versions of the mode-cfg IETF draft documents.
------------------------------------------------------------------------
r467 | mgrooms | 2008-06-06 00:07:45 -0500 (Fri, 06 Jun 2008) | 1 line
Correct an error condition in iked where a DPD timeout was being
reported as a DHCP over IPsec error. Reported by Dietmar Papperitz.
------------------------------------------------------------------------
r466 | mgrooms | 2008-06-01 16:28:50 -0500 (Sun, 01 Jun 2008) | 1 line
Correct a problem where iked would report invalid DPD timeouts. This
issue occurred when a peer responded to a DPD ARE-YOU-THERE request
notification using a different ISAKMP SA. We now store a single DPD
state event in the tunnel handle. In my testing, this change can improve
connection stability when communicating with some commercial gateways.
------------------------------------------------------------------------
r465 | mgrooms | 2008-05-31 19:41:48 -0500 (Sat, 31 May 2008) | 2 lines
Update the unix GUI about window and add new brand logo.
------------------------------------------------------------------------
r464 | mgrooms | 2008-05-31 17:29:55 -0500 (Sat, 31 May 2008) | 1 line
Update the unix platform builds to use the improved icon set.
------------------------------------------------------------------------
r463 | mgrooms | 2008-05-29 14:00:29 -0500 (Thu, 29 May 2008) | 1 line
Update todo list.
------------------------------------------------------------------------
r462 | mgrooms | 2008-05-29 13:47:55 -0500 (Thu, 29 May 2008) | 1 line
Correct an issue in iked where we need to wake up after the DHCP over
IPsec response timeout has expired.
------------------------------------------------------------------------
r461 | mgrooms | 2008-05-29 02:29:37 -0500 (Thu, 29 May 2008) | 1 line
Correct a bug in iked where we could hang on an acquire message due to
a reference count running negative.
------------------------------------------------------------------------
r460 | mgrooms | 2008-05-28 23:07:19 -0500 (Wed, 28 May 2008) | 2 lines
Fix a problem in ikea where the virtual adapter address and netmask
entry boxes were not being grayed out properly. Reported by Harondel
Sibble.
------------------------------------------------------------------------
r459 | mgrooms | 2008-05-22 16:44:36 -0500 (Thu, 22 May 2008) | 1 line
Modify iked to only copy the isakmp sa cookie values to the phase2
handle when acting as a responder.
------------------------------------------------------------------------
r458 | mgrooms | 2008-05-22 16:35:14 -0500 (Thu, 22 May 2008) | 2 lines
Correct a few problems on unix targets where the name service member
function was renamed. Reported by Juan Rios.
------------------------------------------------------------------------
r457 | mgrooms | 2008-05-22 15:57:55 -0500 (Thu, 22 May 2008) | 5 lines
Modify a name service configuration structure data member used by iked.
This is to accurately denote it is related to DNS.
Modify iked to improve logging while processing an inbound or outbound
packet. We now include the ISAKMP SA cookies values.
Correct an issue in iked where we were responding to a new quick mode
negotiation using a different ISAKMP SA than the initiator. While
technically this is a perfectly legal thing to do, Cisco gateways (and
possibly others) treat this as an error condition. The problem could be
easily reproduced by configuring the phase2 lifetime values to be equal
to the phase1 lifetime. We now store the ISAKMP cookie values used to
initiate a quick mode exchange in the phase2 handle and use them to
lookup the phase1 SA handle before responding. If the SA is not found,
potentially due to lifetime expiration, we remove the phase2 handle and
wait for a new negotiation. In my testing, this substantially improves
the connection stability when no traffic is being sent by the client.
------------------------------------------------------------------------
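The r469, r466 and r457 entries above describe three pieces of ISAKMP SA
bookkeeping: an SA that has expired is kept for a grace period during which
it may still match inbound messages but is never used to send, DPD state is
tracked per tunnel rather than per SA, and a phase2 handle caches the cookies
of the SA the initiator used so the quick mode reply goes out on that same SA
(or the handle is dropped when that SA is gone). The C block below is an added
example written for this page, not code from the Shrew Soft client; every name
in it (ph1_lookup, ph2_respond, the table layout) and the 5-second grace value
are assumptions, since the log only says "several seconds".

```c
/* Added example, not Shrew Soft code. Minimal model of the ISAKMP SA handling
 * described in the log: a phase1 SA table keyed by the cookie pair, a grace
 * period after expiry that only inbound lookups honour, and a phase2 handle
 * that remembers which SA started the quick mode. Names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ISAKMP_GRACE_SECS 5   /* assumed; the log says "several seconds" */
#define MAX_PH1 8

typedef struct { uint64_t init, resp; } isakmp_cookies;

typedef struct {
    isakmp_cookies ck;
    long expires;      /* absolute seconds; usable for sending while now < expires */
    bool in_use;
} phase1_sa;

typedef struct {
    isakmp_cookies ck; /* SA the peer used to initiate this quick mode */
    bool active;
} phase2_handle;

enum dir { DIR_OUTBOUND, DIR_INBOUND };
enum qm_result { QM_RESPOND, QM_DROPPED };

static phase1_sa ph1_table[MAX_PH1];

phase1_sa *ph1_add(isakmp_cookies ck, long expires)
{
    for (int i = 0; i < MAX_PH1; i++) {
        if (ph1_table[i].in_use) continue;
        ph1_table[i].ck = ck;
        ph1_table[i].expires = expires;
        ph1_table[i].in_use = true;
        return &ph1_table[i];
    }
    return NULL;
}

/* Delete an SA only once the grace period after its expiry has passed. */
void ph1_cleanup(long now)
{
    for (int i = 0; i < MAX_PH1; i++) {
        if (ph1_table[i].in_use && now >= ph1_table[i].expires + ISAKMP_GRACE_SECS)
            ph1_table[i].in_use = false;
    }
}

/* Outbound messages never use an expired SA. Inbound messages may still match
 * an SA that expired less than ISAKMP_GRACE_SECS ago, so a peer whose clock
 * drifts and keeps using the older SA around a rekey is not ignored. */
phase1_sa *ph1_lookup(isakmp_cookies ck, long now, enum dir d)
{
    for (int i = 0; i < MAX_PH1; i++) {
        phase1_sa *sa = &ph1_table[i];
        if (!sa->in_use || sa->ck.init != ck.init || sa->ck.resp != ck.resp) continue;
        if (now < sa->expires) return sa;
        if (d == DIR_INBOUND && now < sa->expires + ISAKMP_GRACE_SECS) return sa;
        return NULL;
    }
    return NULL;
}

/* Responder side: accept an inbound quick mode only if its cookies resolve
 * to an SA (grace included), and remember those cookies in the handle. */
bool ph2_accept(phase2_handle *p2, isakmp_cookies ck, long now)
{
    if (ph1_lookup(ck, now, DIR_INBOUND) == NULL) return false;
    p2->ck = ck;
    p2->active = true;
    return true;
}

/* Reply on the SA the initiator used, never on whichever SA is newest. If
 * that SA can no longer carry outbound traffic, drop the phase2 handle and
 * wait for the peer to negotiate again. */
enum qm_result ph2_respond(phase2_handle *p2, long now, phase1_sa **chosen)
{
    *chosen = p2->active ? ph1_lookup(p2->ck, now, DIR_OUTBOUND) : NULL;
    if (*chosen == NULL) { p2->active = false; return QM_DROPPED; }
    return QM_RESPOND;
}

/* Constructed rekey-boundary scenario: old SA expires at t=100, replacement
 * at t=200, peer starts quick mode on the old SA at t=95. Returns 0 when
 * every step behaves as described, otherwise the number of the failing step. */
int sa_demo(void)
{
    isakmp_cookies old_ck = { 0x1111, 0x2222 }, new_ck = { 0x3333, 0x4444 };
    phase1_sa *old_sa = ph1_add(old_ck, 100), *new_sa = ph1_add(new_ck, 200);
    phase2_handle p2 = { { 0, 0 }, false };
    phase1_sa *sel = NULL;

    if (!old_sa || !new_sa) return 1;
    if (!ph2_accept(&p2, old_ck, 95)) return 2;
    /* t=98: reply must use the old SA even though a newer one exists */
    if (ph2_respond(&p2, 98, &sel) != QM_RESPOND || sel != old_sa) return 3;
    /* t=103: old SA expired 3 s ago, inside the grace window */
    if (ph1_lookup(old_ck, 103, DIR_INBOUND) != old_sa) return 4;
    if (ph1_lookup(old_ck, 103, DIR_OUTBOUND) != NULL) return 5;
    if (ph2_respond(&p2, 103, &sel) != QM_DROPPED || p2.active) return 6;
    /* t=105: grace over, old SA is deleted, the new one carries traffic */
    if (ph1_lookup(old_ck, 105, DIR_INBOUND) != NULL) return 7;
    ph1_cleanup(105);
    if (old_sa->in_use || !new_sa->in_use) return 8;
    if (ph1_lookup(new_ck, 105, DIR_OUTBOUND) != new_sa) return 9;
    return 0;
}

int main(void)
{
    int rc = sa_demo();
    printf("isakmp sa model: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point worth checking against any IKEv1 implementation is the asymmetry in
ph1_lookup: the grace window widens what the responder will accept, not what
it will send, so a peer that prefers the older SA is still heard during the
overlap while the local side never transmits under keys it considers expired.
------------------------------------------------------------------------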
r456 | mgrooms | 2008-05-20 10:25:14 -0500 (Tue, 20 May 2008) | 2 lines
Set the default adapter MTU for new Site Configurations to 1380 bytes on
unix targets.
------------------------------------------------------------------------
r455 | mgrooms | 2008-05-19 20:37:24 -0500 (Mon, 19 May 2008) | 3 lines
Correct an issue in ikea where a delimiter was being interpreted
incorrectly. This was truncating some configuration values. Reported by
Tomas Svensson.
------------------------------------------------------------------------
r454 | mgrooms | 2008-05-18 16:35:53 -0500 (Sun, 18 May 2008) | 3 lines
Correct the logic that determines if configuration processing is
required for a tunnel. This was preventing clients from connecting
properly in some configuration modes.
Correct a bug in iked that could lead to a crash if the peer
configuration failed. This was due to referencing a null pointer in the
client IO loop.
------------------------------------------------------------------------
r453 | mgrooms | 2008-05-17 11:23:42 -0500 (Sat, 17 May 2008) | 2 lines
Correct an issue with the unix access manager application. Pre-shared
key values were getting trashed whenever a site configuration was loaded
and re-saved. We now null terminate the string before pushing the text
to the edit control to prevent this.
------------------------------------------------------------------------
r452 | mgrooms | 2008-05-16 13:28:54 -0500 (Fri, 16 May 2008) | 1 line
Fix sending tunnel statistics updates to connected clients which was
broken during the IPC rewrite. A tunnel event is now used to send an
update once a second.
------------------------------------------------------------------------
r451 | mgrooms | 2008-05-16 13:06:06 -0500 (Fri, 16 May 2008) | 1 line
Make sure we reset the buffer offset before reading a message header in
libike.
------------------------------------------------------------------------
r450 | mgrooms | 2008-05-16 12:42:41 -0500 (Fri, 16 May 2008) | 1 line
Correct a problem in iked where the client thread was not being woken
properly after DHCP over IPsec completes.
------------------------------------------------------------------------
r449 | mgrooms | 2008-05-16 12:22:32 -0500 (Fri, 16 May 2008) | 2 lines
Move the recently introduced libith IO wrapper functions out from under
the win32 ifdef. These are shared across platforms.
------------------------------------------------------------------------
r448 | mgrooms | 2008-05-16 12:15:48 -0500 (Fri, 16 May 2008) | 1 line
Correct a deficiency in the libith generic IPC client class. Provide
wrappers for the io_recv and io_send functions that loop until a
specified number of bytes have been processed. This becomes the use
case for all consumers. The original functions were modified to have an
additional parameter that separately returns the bytes sent or received.
------------------------------------------------------------------------
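The r475 and r448 entries describe the same contract for the generic IPC
layer from two sides: the lower-level send must never report success when it
moved no bytes (otherwise the caller's loop never makes progress), and the
wrappers every consumer uses keep calling the lower function until the
requested byte count has been processed. The C block below is an added
example written for this page, not code from the Shrew Soft client or its
libith class; the names io_send_once/io_recv_once/io_send_all/io_recv_all,
the status enum and the local socketpair self-check are all assumptions.

```c
/* Added example, not Shrew Soft code. A lower-level send/recv pair that
 * returns a status and reports the byte count through a separate
 * out-parameter, plus wrappers that loop until exactly len bytes moved.
 * All function names are hypothetical. POSIX only. */
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum io_status { IO_OK = 0, IO_CLOSED = 1, IO_ERROR = 2 };

/* One write(2). A short write is still IO_OK with *moved > 0; a failed
 * write is never reported as success. Returning IO_OK with *moved == 0 is
 * the bug class from r475: the caller's loop makes no progress and spins. */
static enum io_status io_send_once(int fd, const void *buf, size_t len, size_t *moved)
{
    *moved = 0;
    for (;;) {
        ssize_t n = write(fd, buf, len);
        if (n > 0) { *moved = (size_t)n; return IO_OK; }
        if (n < 0 && errno == EINTR) continue;  /* interrupted by a signal, retry */
        return IO_ERROR;                         /* EPIPE, EBADF, zero-length write, ... */
    }
}

static enum io_status io_recv_once(int fd, void *buf, size_t len, size_t *moved)
{
    *moved = 0;
    for (;;) {
        ssize_t n = read(fd, buf, len);
        if (n > 0) { *moved = (size_t)n; return IO_OK; }
        if (n == 0) return IO_CLOSED;           /* peer hung up: not success */
        if (errno == EINTR) continue;
        return IO_ERROR;
    }
}

/* The wrappers every consumer uses: loop until exactly len bytes have moved.
 * Each iteration either advances done or returns a failure, so the loop
 * cannot spin on a lower layer that reports success without progress. */
enum io_status io_send_all(int fd, const void *buf, size_t len)
{
    const uint8_t *p = buf;
    size_t done = 0, n;
    while (done < len) {
        enum io_status st = io_send_once(fd, p + done, len - done, &n);
        if (st != IO_OK) return st;
        done += n;
    }
    return IO_OK;
}

enum io_status io_recv_all(int fd, void *buf, size_t len)
{
    uint8_t *p = buf;
    size_t done = 0, n;
    while (done < len) {
        enum io_status st = io_recv_once(fd, p + done, len - done, &n);
        if (st != IO_OK) return st;
        done += n;
    }
    return IO_OK;
}

/* Self-check over a local socketpair (constructed input, no real daemon):
 * a 4 KiB message round trip, then both directions against a closed peer,
 * which must fail fast instead of looping. Returns 0 on success, otherwise
 * the number of the failing step. */
int ipc_demo(void)
{
    int sv[2];
    static uint8_t out[4096], in[4096];

    signal(SIGPIPE, SIG_IGN);  /* let write() return EPIPE instead of killing us */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    for (size_t i = 0; i < sizeof out; i++) out[i] = (uint8_t)(i * 7u);

    if (io_send_all(sv[0], out, sizeof out) != IO_OK) return 2;
    if (io_recv_all(sv[1], in, sizeof in) != IO_OK) return 3;
    if (memcmp(out, in, sizeof out) != 0) return 4;

    close(sv[0]);
    if (io_recv_all(sv[1], in, 1) != IO_CLOSED) return 5;
    if (io_send_all(sv[1], out, 1) != IO_ERROR) return 6;
    close(sv[1]);
    return 0;
}

int main(void)
{
    int rc = ipc_demo();
    printf("ipc loop demo: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The design choice that matters is keeping status and byte count in separate
channels: a function that folds both into one return value is exactly where
"0 bytes" and "success" get confused, and a looping caller turns that
confusion into a hang.
------------------------------------------------------------------------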
r447 | mgrooms | 2008-05-16 11:07:06 -0500 (Fri, 16 May 2008) | 5 lines
Correct a problem in iked where the client thread was not being woken
properly after the post phase 1 configuration step. Reported by Stephan
Berberig.
Make a few changes to the error checking code in the libith windows IPC
recv function. A workaround was also added to the libpfk windows IPC
subclass to ensure complete messages are read in all circumstances. A
more general fix needs to be applied.
Update the todo list.
------------------------------------------------------------------------
r446 | mgrooms | 2008-05-15 17:15:30 -0500 (Thu, 15 May 2008) | 1 line
Update todo list.
------------------------------------------------------------------------
r445 | mgrooms | 2008-05-15 17:11:45 -0500 (Thu, 15 May 2008) | 1 line
Now that the libpfk IPC interface blocks indefinitely, make sure we call
wakeup on the object during shutdown.
------------------------------------------------------------------------
r444 | mgrooms | 2008-05-15 16:59:48 -0500 (Thu, 15 May 2008) | 2 lines
Update libpfk to correct the unix IPC support now that it is based on
libith.
------------------------------------------------------------------------
r443 | mgrooms | 2008-05-15 16:10:51 -0500 (Thu, 15 May 2008) | 3 lines
Correct some issues with the generic IPC class. The event handles or
socket pairs were being closed when the IPC client called detach or the
IPC server called done. This prevented instances from being reused.
Modify libpfk to be based on the generic IPC class. This removes latency
in communication between iked and ipsecd on windows platforms. This
commit breaks the unix version of libpfk which will be fixed in a follow
up commit.
------------------------------------------------------------------------
r442 | mgrooms | 2008-05-15 12:04:19 -0500 (Thu, 15 May 2008) | 2 lines
Increase the pfkey and network select timeouts from 10ms to 500ms. This
should affect nothing but the shutdown time.
------------------------------------------------------------------------
r441 | mgrooms | 2008-05-15 12:02:59 -0500 (Thu, 15 May 2008) | 1 line
Correct the log output for iked where we report threads beginning
instead of exiting.
------------------------------------------------------------------------
r440 | mgrooms | 2008-05-14 03:30:10 -0500 (Wed, 14 May 2008) | 2 lines
Fix two typos in the sample configurations of the iked man page.
Reported by Tai-hwa Liang.
------------------------------------------------------------------------
r439 | mgrooms | 2008-05-14 02:41:27 -0500 (Wed, 14 May 2008) | 5 lines
Modify iked to work around an issue in ipsec tools version 0.7. The
unity split network data sent during modecfg can contain bogus port and
protocol information. Although I have committed a fix for this in both
the 0.7 and head ipsec tools branches, the code will need to settle for
some time before the work around can be removed.
Modify iked to check return values properly inside the IPC server
connection thread loop. This was causing the program to hang during
shutdown when running as a service.
Modify libith to correct a bug in the windows version of the IPC server
class. When creating a named pipe with explicit access, you must specify
FILE_CREATE_PIPE_INSTANCE for an SID that is appropriate for the account
that owns your process. Otherwise, after creating the initial pipe
instance and assigning the access control, your process will lose its
ability to create more than one pipe instance.
------------------------------------------------------------------------
r438 | mgrooms | 2008-05-12 21:03:29 -0500 (Mon, 12 May 2008) | 4 lines
Fix a bug in the unix ikec program that was enabling instead of
disabling the tunnel when the cancel button was being pressed.
Fix a bug in the unix wait condition class that was causing the caller
to block indefinitely.
------------------------------------------------------------------------
r437 | mgrooms | 2008-05-12 20:02:42 -0500 (Mon, 12 May 2008) | 1 line
Fix a bug I just introduced in the reference counting shutdown code.
------------------------------------------------------------------------
r436 | mgrooms | 2008-05-12 19:51:12 -0500 (Mon, 12 May 2008) | 1 line
Further improve the shutdown process for iked. Protect the runtime
reference counts using the run lock and use wait conditions instead of
loops to check shutdown readiness.
------------------------------------------------------------------------
r435 | mgrooms | 2008-05-12 16:46:42 -0500 (Mon, 12 May 2008) | 5 lines
Add workaround in iked for gateways that neglect to include an XAuth
type attribute. Reported by Hiren Joshi.
Improve the shutdown procedure for iked, ipsecd and dtpd. Some issues
with the code were preventing it from stopping correctly when acting as
a service. This needs to be looked at closer once all the IPC work has
settled.
Correct access control assignments for the generic IPC layer. This issue
was preventing Vista clients from connecting to named pipe instances.
------------------------------------------------------------------------
r434 | mgrooms | 2008-05-11 23:13:13 -0500 (Sun, 11 May 2008) | 2 lines
Correct a bug in the unix event timer and remove some debug printf
statements.
------------------------------------------------------------------------
r433 | mgrooms | 2008-05-11 15:03:13 -0500 (Sun, 11 May 2008) | 2 lines
Add missing CMakeLists file for the ith timer test program.
------------------------------------------------------------------------
r432 | mgrooms | 2008-05-11 14:17:38 -0500 (Sun, 11 May 2008) | 2 lines
Add a unix implementation for the missing libith classes. There is still
a bug in the timer class that needs to be corrected.
------------------------------------------------------------------------
r431 | mgrooms | 2008-05-11 12:20:29 -0500 (Sun, 11 May 2008) | 1 line
Add a simple test program for the event timer classes.
------------------------------------------------------------------------
r430 | mgrooms | 2008-05-11 12:17:38 -0500 (Sun, 11 May 2008) | 3 lines
Improve libith. Modify the event timer class to not use a polling event
loop. It now sleeps until the next event should be executed or a wakeup
request is received. A new class has also been added that provides a
timed wait condition that can be woken by another thread.
Update iked to now wait on the event loop to exit. Since the main
process thread was previously responsible for accepting ipc connections,
this code path has been moved to a dedicated thread. This was necessary
as the ipc server thread was recently modified to enter an efficient
block state while waiting for clients to connect.
------------------------------------------------------------------------
r429 | mgrooms | 2008-05-09 21:33:54 -0500 (Fri, 09 May 2008) | 4 lines
Implement wakeup event handling for the libith generic unix IPC class
and fix a few remaining issues.
Correct iked shutdown behavior for unix targets.
------------------------------------------------------------------------
r428 | mgrooms | 2008-05-09 18:40:13 -0500 (Fri, 09 May 2008) | 2 lines
Improve the libith generic unix IPC code. The wakeup conditions are not
yet implemented.
------------------------------------------------------------------------
r427 | mgrooms | 2008-05-09 17:27:13 -0500 (Fri, 09 May 2008) | 1 line
Add initial code for libith generic unix IPC mechanism.
------------------------------------------------------------------------
r426 | mgrooms | 2008-05-09 16:02:25 -0500 (Fri, 09 May 2008) | 2 lines
Update the unix ikec program to use the new libike API. This fixes the
build but will not work until the generic IPC unix classes have been
added.
------------------------------------------------------------------------
r425 | mgrooms | 2008-05-09 15:05:12 -0500 (Fri, 09 May 2008) | 1 line
Add skeletons for the libith IPC unix classes.
------------------------------------------------------------------------
r424 | mgrooms | 2008-05-09 14:53:11 -0500 (Fri, 09 May 2008) | 3 lines
Third round of commits to improve generic IPC class. The service
inbound() function now blocks indefinitely to avoid looped polling for
connections until one becomes available or a wakeup condition is
triggered. Some of the other member functions were also modified to
improve error handling. The iked, libike and ipsecc sources were updated
to follow these changes.
Fix a number of errors in iked where a BDATA pointer was being passed in
place of its buffer context. These bugs were introduced recently and
would have caused immediate segfaults.
------------------------------------------------------------------------
r423 | mgrooms | 2008-05-08 17:39:42 -0500 (Thu, 08 May 2008) | 7 lines
Second round of commits to improve generic IPC class. Endpoints now
block indefinitely to avoid looped reads until data becomes available or
a wakeup condition is triggered. This commit includes a new
implementation of libiked based on the new system. All consumers have
been updated to follow these changes. A unix implementation of the
generic IPC class is still absent so this commit may break the build
temporarily.
Move the iked object dereference calls back under the delete operators
and protect it with the list lock. This avoids potential lock issues and
removes some ugly code.
Correct a problem in iked where a resend event would be scheduled when
the tunnel is being shutdown. This caused the connection to linger for
several seconds after the tunnel close had been requested. To accomplish
this, the packet resend procedures were rewritten to check the flag
before queuing the resend event.
Consolidate the unix root uid check under the existing ifdefs in main().
------------------------------------------------------------------------
r422 | mgrooms | 2008-04-30 00:20:56 -0500 (Wed, 30 Apr 2008) | 2 lines
Update the unix build to reflect the idb.* to libidb.* file name
changes.
------------------------------------------------------------------------
r421 | mgrooms | 2008-04-30 00:12:35 -0500 (Wed, 30 Apr 2008) | 3 lines
Add a new generic IPC class to libith. This class will be used as a base
for all IPC mechanisms. At the moment, only the windows variant has been
implemented using named pipes. A unix variant implemented using unix
domain sockets will be added in a follow up commit.
Rename the idb.* files as libidb.* to match the library name and to be
consistent with other library naming. This will temporarily break the
unix build until the build files are updated in a follow up commit.
------------------------------------------------------------------------
r420 | mgrooms | 2008-03-07 17:43:20 -0600 (Fri, 07 Mar 2008) | 3 lines
Add option to name service configuration to disable dynamic DNS updates
for a windows adapter.
Update our todo list.
------------------------------------------------------------------------
r419 | mgrooms | 2008-03-01 02:11:42 -0600 (Sat, 01 Mar 2008) | 1 line
Revert a change made to the DHCP over IPsec code. After further thought,
using a single address for the remote ID instead of 0.0.0.0/0 won't
interfere with DHCP operations the OS may have in flight for the public
network adapter in use. We send the DHCP request as a unicast message
due to socket limitations of the underlying OS so this also happens to
be a better match for our traffic pattern.
------------------------------------------------------------------------
r418 | mgrooms | 2008-02-29 19:52:13 -0600 (Fri, 29 Feb 2008) | 3 lines
Improve the definition of a unity split network. The 6 bytes that were
previously marked as padding are actually the protocol, source and
destination ports used to build a policy entry. Assign all appropriate
values to the PH2ID structure before adding to our remote id list. The
exception is the source port which is currently discarded.
Improve the utility function that creates a phase2 ID text
representation. Use the protocol and port values in addition to the
type, address and mask.
------------------------------------------------------------------------
r417 | mgrooms | 2008-02-28 19:20:55 -0600 (Thu, 28 Feb 2008) | 1 line
Add support for the standard IP4 subnet configuration attribute to iked.
When the peer does not identify itself as cisco unity compliant, attempt
to use the IP4 subnet attribute instead of the unity split network
attribute to negotiate policies.
------------------------------------------------------------------------
r416 | mgrooms | 2008-02-28 16:58:45 -0600 (Thu, 28 Feb 2008) | 3 lines
Fix a bug in iked that was causing the phase2 ID port selector to be
transmitted in host byte order. This was causing DHCP over IPsec
failures when communicating with Fortigate MR6 firmware.
Make our DHCP over IPsec implementation a bit more flexible. Generate a
random DHCP hardware ID for a session instead of using a mutated form of
the local peer address. This should be stored in a leases file somewhere
in the future. Also alternate DHCP discover messages using the DHCP over
IPsec specified hardware type and a standard Ethernet hardware type. We
send request messages using the hardware type that is received in an
offer message. Use a 0.0.0.0/0|UDP:67 remote id selector when setting up
our DHCP over IPsec policies. We should probably be using a
0.0.0.0/0|UDP:68 for the local ID as well but the current method of
[local addr]/32|UDP:68 allows for multiple concurrent DHCP over IPsec
adapter policies.
------------------------------------------------------------------------
r415 | mgrooms | 2008-02-27 22:44:17 -0600 (Wed, 27 Feb 2008) | 4 lines
Correct a difference between site configuration attributes on unix
platforms and windows platforms. The configuration version is bumped
after changing any existing client-dns-enable numeric attribute to a
client-dns-used attribute.
Document the list of site configuration attributes used in the README
file.
------------------------------------------------------------------------
r414 | mgrooms | 2008-02-27 22:26:31 -0600 (Wed, 27 Feb 2008) | 1 line
Update the site configuration file format version to 2 and update our
todo list.
------------------------------------------------------------------------
r413 | mgrooms | 2008-02-27 14:29:11 -0600 (Wed, 27 Feb 2008) | 2 lines
Add a new dialog to the unix Access manager utility that helps resolve
imported file name conflicts.
------------------------------------------------------------------------
r412 | mgrooms | 2008-02-24 12:12:12 -0600 (Sun, 24 Feb 2008) | 1 line
Modify liblog to include timestamps for non syslog output. When syslog
output is used, null terminate each line.
------------------------------------------------------------------------
r411 | mgrooms | 2008-02-23 22:20:10 -0600 (Sat, 23 Feb 2008) | 1 line
Update the todo list.
------------------------------------------------------------------------
r410 | mgrooms | 2008-02-23 12:56:01 -0600 (Sat, 23 Feb 2008) | 1 line
Fix a minor bug in iked where a delete message was being sent to SAD
after an SA had expired. This is unnecessary.
------------------------------------------------------------------------
r409 | mgrooms | 2008-02-22 23:55:40 -0600 (Fri, 22 Feb 2008) | 2 lines
Correct an issue where the CONFIG class file parser would choke when
reading an attribute with a zero length value.
------------------------------------------------------------------------
r408 | mgrooms | 2008-02-20 20:17:08 -0600 (Wed, 20 Feb 2008) | 2 lines
When parsing site configuration files on unix that were edited on
windows, make sure we ignore CR before NL.
------------------------------------------------------------------------
r407 | mgrooms | 2008-02-20 19:33:35 -0600 (Wed, 20 Feb 2008) | 2 lines
Fix the fix for the unix build.
------------------------------------------------------------------------
r406 | mgrooms | 2008-02-20 11:37:13 -0600 (Wed, 20 Feb 2008) | 2 lines
Fix a library dependency for the ikea build on Linux. Reported by Don
Seiler.
------------------------------------------------------------------------
r405 | mgrooms | 2008-02-20 02:43:23 -0600 (Wed, 20 Feb 2008) | 2 lines
Modify the unix access manager application to support site configuration
import and export. We include key/certificate file data which makes it
easier to distribute complete site configurations.
------------------------------------------------------------------------
r404 | mgrooms | 2008-02-20 01:10:05 -0600 (Wed, 20 Feb 2008) | 1 line
Remove the notion of a relative key/certificate path from iked. This was
only used on windows and just confused the matter. Fully qualified paths
are now required for all files fed to iked.
------------------------------------------------------------------------
r403 | mgrooms | 2008-02-19 16:50:08 -0600 (Tue, 19 Feb 2008) | 2 lines
Modify the unix CONFIG class used to store site configuration data. We
now base it on IDB and use the new base64 encode/decode to handle binary
attributes. The only attribute that has been migrated is the ike
preshared key attribute. Site configuration file format versions have
also been introduced with automatic update functionality. With this in
place, we can now provide backwards compatibility for previous versions
of a site configuration when the file format version changes for any
reason. This is currently used to update the ike preshared key
attribute. The delimiter used for multi-string values has also been
replaced with a comma.
------------------------------------------------------------------------
r402 | mgrooms | 2008-02-19 12:36:49 -0600 (Tue, 19 Feb 2008) | 2 lines
Update the libidb CMakeLists file to include the new base64 source file.
------------------------------------------------------------------------
r401 | mgrooms | 2008-02-19 12:19:48 -0600 (Tue, 19 Feb 2008) | 1 line
Add base64 encode/decode support to the BDATA class in libidb. This is
used to implement binary attributes in site configuration files.
------------------------------------------------------------------------
r400 | mgrooms | 2008-02-18 14:59:41 -0600 (Mon, 18 Feb 2008) | 1 line
Fix a bug in iked that was preventing vendor id matches when we only
compare a prefix value.
------------------------------------------------------------------------
r399 | mgrooms | 2008-02-18 14:52:08 -0600 (Mon, 18 Feb 2008) | 2 lines
Update the cmake build environment and unix specific bits to match the
recent libip and libidb changes.
------------------------------------------------------------------------
r398 | mgrooms | 2008-02-18 14:13:18 -0600 (Mon, 18 Feb 2008) | 1 line
Move the BDATA class out of libip and into libidb. Remove the old LIST
class from libip and replace all instances with IDB_LIST. This involved
a huge amount of mechanical changes. The unix build system will be
updated shortly in a separate commit.
------------------------------------------------------------------------
r397 | mgrooms | 2008-02-17 16:34:17 -0600 (Sun, 17 Feb 2008) | 1 line
Add a global client configuration file version number.
------------------------------------------------------------------------
r396 | mgrooms | 2008-02-16 03:05:37 -0600 (Sat, 16 Feb 2008) | 2 lines
Correct a bug in the ikea GUI front end that fixes a problem with the policy
entry dialog rejecting valid entries. Submitted by CJ Kucera.
------------------------------------------------------------------------
r395 | mgrooms | 2008-02-15 02:46:47 -0600 (Fri, 15 Feb 2008) | 1 line
Fix a problem in iked where we could try to read a value from a pointer
that has been deallocated during route removal.
------------------------------------------------------------------------
r394 | mgrooms | 2008-02-15 02:43:20 -0600 (Fri, 15 Feb 2008) | 1 line
Fix a problem in iked where the SPD policy add message was not handling
the message sequence number correctly. Before we were matching on an
uninitialized value of zero.
------------------------------------------------------------------------
r393 | mgrooms | 2008-02-14 22:32:10 -0600 (Thu, 14 Feb 2008) | 2 lines
Make sure we block a few basic signals for unix pthreads in libith so
they don't terminate while holding object references.
------------------------------------------------------------------------
r392 | mgrooms | 2008-02-14 21:20:52 -0600 (Thu, 14 Feb 2008) | 1 line
Attempt to avoid all recursive locking in iked. This can lead to
problems.
------------------------------------------------------------------------
r391 | mgrooms | 2008-02-14 17:03:48 -0600 (Thu, 14 Feb 2008) | 2 lines
Modify the ikea and ikec unix GUI programs to support the new nailed
peer option. There appears to be a problem with the new pfkey
interaction however and will be corrected in a future commit.
------------------------------------------------------------------------
r390 | mgrooms | 2008-02-14 16:15:07 -0600 (Thu, 14 Feb 2008) | 3 lines
Correct a bug in the recent commit where we didn't dereference a policy
after the SDB add message was received. This prevented the policy from
being deleted during the policy cleanup process.
Update our todo list.
------------------------------------------------------------------------
r389 | mgrooms | 2008-02-14 15:47:33 -0600 (Thu, 14 Feb 2008) | 1 line
Remove a hack from iked that was used to temporarily make all peers use
the new nailed tunnel option for testing.
------------------------------------------------------------------------
r388 | mgrooms | 2008-02-14 15:40:20 -0600 (Thu, 14 Feb 2008) | 3 lines
Modify iked to split the pfkey_recv_acquire message handler into two
functions. The first function, still named pfkey_recv_acquire, just
handles the message parsing and calls the second function named
pfkey_init_phase2. The second function handles the phase2 setup and
exchange initiation. This allows other code paths to initiate new phase2
exchanges by specifying the outbound policy id and policy type.
Add support for nailed connections to iked. When enabled for a peer
configuration, iked will mark any related tunnel generated policies as
nailed. When a policy add response message is received from SPD,
negotiations will be immediately initiated for a new SA that matches the
policy. The policy ID is cached in the phase2 handle so that when a
phase2 soft expire event fires, a replacement SA is then negotiated. Any
acquire messages received for a nailed policy are ignored as iked will
manage exchange initiation internally.
------------------------------------------------------------------------
r387 | mgrooms | 2008-02-14 13:50:46 -0600 (Thu, 14 Feb 2008) | 3 lines
Modify the way iked tracks policy information. In the case where a
policy is generated by client connections, create our local entry before
sending the spadd request to SPD. When the reply is received, we match
the message using the sequence ID and update the assigned policy ID.
This allows us to track state information regarding the policy while SPD
is processing our request. One of the ways we use this new process is by
remembering if a policy route addition succeeded or failed. More
informed decisions are now made when attempting to cleanup the route
table.
Fix a bug in the policy route removal code where a missing break
statement was causing multiple routes to be deleted. In a typical
failure case, the default route was removed which caused the workstation
to lose connectivity with everything but the local subnet.
------------------------------------------------------------------------
r386 | mgrooms | 2008-02-13 16:55:16 -0600 (Wed, 13 Feb 2008) | 2 lines
Fix the check in iked that prevents it from treating a delete
notification for an ISAKMP SA as an error when a replacement SA has been
negotiated.
------------------------------------------------------------------------
r385 | mgrooms | 2008-02-13 15:56:25 -0600 (Wed, 13 Feb 2008) | 1 line
Add a check to iked to prevent it from treating a delete notification
for an ISAKMP SA as an error when a replacement SA has been negotiated.
Also fix some locking parameters inside various exchange object
destructors.
------------------------------------------------------------------------
r384 | mgrooms | 2008-02-13 10:05:52 -0600 (Wed, 13 Feb 2008) | 1 line
Fix a few minor bugs in iked. When a remote peer advertises a Shrew Soft
vendor id, also mark the flag that implies unity compatibility. Make
sure we flag the phase2 handle with the HASKEYS life state flag so a
delete notification will be sent when appropriate. Only send an SAD
delete message when a phase2 sa has reached maturity.
------------------------------------------------------------------------
r383 | mgrooms | 2008-02-13 08:58:03 -0600 (Wed, 13 Feb 2008) | 1 line
Resolve a problem after a conflicted file was committed by accident.
------------------------------------------------------------------------
r382 | mgrooms | 2008-02-13 08:54:46 -0600 (Wed, 13 Feb 2008) | 1 line
Modify iked to be smarter about handling vendor id payloads. Also
perform some cleanup by collapsing all vendor state values into a
structure with bitmap values.
------------------------------------------------------------------------
r381 | mgrooms | 2008-02-12 18:40:25 -0600 (Tue, 12 Feb 2008) | 2 lines
Add the missing CMakeLists.txt for the new libidb target. Pointed out by
Don Seiler.
------------------------------------------------------------------------
r380 | mgrooms | 2008-02-12 18:09:58 -0600 (Tue, 12 Feb 2008) | 1 line
Make some minor modifications to the IDB object removal process
behavior.
------------------------------------------------------------------------
r379 | mgrooms | 2008-02-12 04:49:07 -0600 (Tue, 12 Feb 2008) | 2 lines
Bring the unix build up to date after the recent IDB related commits.
While here, fix a few problems with iked acting as a responder.
------------------------------------------------------------------------
r378 | mgrooms | 2008-02-12 02:22:31 -0600 (Tue, 12 Feb 2008) | 1 line
Massive cleanup of the IKE internal database system part three: This
commit breaks out the portable object db components and places them into
a new library named libidb. This library is currently only used by iked
but will replace the current object db system in both ipsecd and dtpd in
a future commit. The iked shutdown code has also been cleaned up
substantially.
------------------------------------------------------------------------
r377 | mgrooms | 2008-02-11 04:19:48 -0600 (Mon, 11 Feb 2008) | 1 line
Massive cleanup of the IKE internal database system part two: This
commit changes all simple object lists to use a more sane API. This
includes all proposal, notification, certificate, phase2 ID, network map
and domain name object lists. The code is now much more uniform and
compact.
------------------------------------------------------------------------
r376 | mgrooms | 2008-02-10 23:08:01 -0600 (Sun, 10 Feb 2008) | 1 line
Massive cleanup of the IKE internal database system part one: This
commit changes all reference counted DB objects to use a more sane API.
This includes all peer, tunnel and derived exchange class objects.
Exchange objects no longer use bit flags to store basic life state
information. Instead, a single enumerated status value is managed by the
base exchange class. Packet resend operations are also implemented
entirely without co-operation from derived classes. This makes exchange
objects much more uniform and easier to work with. The feedback
mechanism used to pass error conditions to the client interface has also
been simplified.
------------------------------------------------------------------------
r375 | mgrooms | 2008-02-09 02:20:08 -0600 (Sat, 09 Feb 2008) | 8 lines
Add support to iked for negotiating replacement ISAKMP SAs. This means
that the tunnel connection can now exist beyond the lifetime
negotiated during phase1. A new soft lifetime expire event was added to
initiate a replacement ISAKMP SA when the previous SA is close to
expiration time. For now, the tunnel Xauth and config state are cleared
to support gateways that require a full Xauth during the ISAKMP rekey
process. NAT-T negotiation state was moved into the tunnel handle. This
is to preserve state across ISAKMP SA negotiations.
Fix a bug in iked that was causing a crash. This occurred when a peer
attempted to initiate a new ISAKMP SA negotiation with iked running in
client mode. Part of the problem resolution involved moving the policy
and address release code out of the phase1 cleanup handler and into the
tunnel cleanup handler. This also gets us closer to supporting ISAKMP
rekey attempts as a responder when iked is configured to act as client
gateway. Bug reported by David Santinoli.
Modify iked to gracefully handle the condition where a route to the
distant host is not available at connection time. Bug reported some time
ago by Alex Funk.
Add a new client feedback message to iked that more accurately notifies
the client when phase1 negotiations have failed. Previously the client
reported that the peer gateway was not responding.
------------------------------------------------------------------------
r374 | mgrooms | 2008-02-08 14:41:16 -0600 (Fri, 08 Feb 2008) | 1 line
Add a bit more logging to the tunnel destroy process.
------------------------------------------------------------------------
r373 | mgrooms | 2008-02-08 14:11:06 -0600 (Fri, 08 Feb 2008) | 1 line
Improve the debug logging inside process_ike_recv. A crash has been
reported by David Santinoli and we need to get a better idea of where
the problem is coming from. Also, fix the log output level for route
deletion failure.
------------------------------------------------------------------------
r372 | mgrooms | 2008-02-08 13:12:50 -0600 (Fri, 08 Feb 2008) | 1 line
Update todo list.
------------------------------------------------------------------------
r371 | mgrooms | 2008-02-04 15:55:40 -0600 (Mon, 04 Feb 2008) | 3 lines
Modify iked and libip to push some windows specific iproute workarounds
into the windows specific code. Also, introduce some Vista specific code
to avoid problems with MS API incompatibilities on that platform.
Update our TODO list.
------------------------------------------------------------------------
r370 | mgrooms | 2008-01-12 13:15:21 -0600 (Sat, 12 Jan 2008) | 1 line
Fix cast128 usage for platforms that define the pfkeyv2
SADB_X_EALG_CAST128CBC as SADB_X_EALG_CASTCBC. I commented this out at
some point and forgot to address the issue.
------------------------------------------------------------------------
r369 | mgrooms | 2008-01-04 15:15:11 -0600 (Fri, 04 Jan 2008) | 1 line
Make sure we clear the attribute list before sending the Xauth
acknowledgment message in iked.
------------------------------------------------------------------------
r368 | mgrooms | 2008-01-04 08:46:42 -0600 (Fri, 04 Jan 2008) | 1 line
Add experimental sidewinder vendor ID support to iked.
------------------------------------------------------------------------
r367 | mgrooms | 2008-01-03 16:52:10 -0600 (Thu, 03 Jan 2008) | 1 line
Modify iked to log unknown vendor ID values when the debug level output
is being used.
------------------------------------------------------------------------
r366 | mgrooms | 2008-01-03 15:17:24 -0600 (Thu, 03 Jan 2008) | 1 line
Correct a bug in iked where the hash data accumulator was not being
cleared when processing multiple configuration messages using a single
handle. This is an instance where the usage was not corrected after the
bdata class set member function semantics were modified.
------------------------------------------------------------------------
r365 | mgrooms | 2008-01-03 14:17:16 -0600 (Thu, 03 Jan 2008) | 1 line
Modify iked to add a newline to Xauth messages when appropriate. Revert
part of the last commit that removed the conditional deletion of the
configuration handle.
------------------------------------------------------------------------
r364 | mgrooms | 2008-01-03 12:56:04 -0600 (Thu, 03 Jan 2008) | 1 line
Add support for the standard Xauth message attribute in iked. Also,
change a case that was causing a configuration handle to not be deleted
properly.
------------------------------------------------------------------------
r363 | mgrooms | 2007-12-29 20:23:47 -0600 (Sat, 29 Dec 2007) | 1 line
Perform some general cleanup in the iked phase1 exchange handler. This
includes removing many one line comments that stated obvious things,
caching the selected isakmp authentication type to avoid examining the
proposal list, NAT-T related cleanups and corrections when acting as a
responder.
------------------------------------------------------------------------
r362 | mgrooms | 2007-12-29 12:24:00 -0600 (Sat, 29 Dec 2007) | 1 line
Modify iked to make the Xauth client a bit more flexible. We now accept
the username and password to be requested separately when using standard
Xauth. Previously, this was only allowed when using the Checkpoint
compatible Xauth variant.
------------------------------------------------------------------------
r361 | mgrooms | 2007-12-27 19:44:37 -0600 (Thu, 27 Dec 2007) | 2 lines
Redefine a parse token in iked for unix so that it doesn't conflict with
another c definition.
------------------------------------------------------------------------
r360 | mgrooms | 2007-12-27 19:39:20 -0600 (Thu, 27 Dec 2007) | 1 line
Juggle some defines for the unix build.
------------------------------------------------------------------------
r359 | mgrooms | 2007-12-27 19:27:23 -0600 (Thu, 27 Dec 2007) | 1 line
Update our windows client to support the new DNS proxy daemon
configuration interface.
------------------------------------------------------------------------
r358 | mgrooms | 2007-12-27 14:15:37 -0600 (Thu, 27 Dec 2007) | 1 line
Introduce function calls that contain the DNS transparent proxy related
code. Move this into the windows specific files to cleanup the open
source code base.
------------------------------------------------------------------------
r357 | mgrooms | 2007-12-21 21:13:24 -0600 (Fri, 21 Dec 2007) | 2 lines
Add support for configuring the adapter MTU on unix platforms.
------------------------------------------------------------------------
r356 | mgrooms | 2007-12-21 20:46:00 -0600 (Fri, 21 Dec 2007) | 1 line
Add support to iked for configuring the virtual adapter MTU.
------------------------------------------------------------------------
r355 | mgrooms | 2007-12-21 02:43:06 -0600 (Fri, 21 Dec 2007) | 2 lines
Update iked, ikea and ikec to support the name service changes on unix
platforms.
------------------------------------------------------------------------
r354 | mgrooms | 2007-12-21 02:24:01 -0600 (Fri, 21 Dec 2007) | 1 line
Modify iked to support DNS and WINS settings using direct adapter mode.
Move the name service related client settings into a new structure.
Rename vnet_setup to client_setup and introduce a new function named
client_cleanup. Unconditionally call the client functions now that name
services settings can be used in direct adapter mode. These changes will
break the unix build. A follow up commit will correct this.
------------------------------------------------------------------------
r353 | mgrooms | 2007-12-15 12:56:15 -0600 (Sat, 15 Dec 2007) | 1 line
Correct a logging bug in iked where a packet with an unknown isakmp SA
was having its cookie values recorded wrong.
------------------------------------------------------------------------
r352 | mgrooms | 2007-12-14 03:40:49 -0600 (Fri, 14 Dec 2007) | 1 line
Modify iked to support nat-t 00 and 01 drafts. This required changes to
the protocol handlers and filter rule management. Changes were also made
to the nat-t force modes of operation. Version 00 and 01 use a similar
packet format where 02, 03 and the RFC specification use a different
packet format. When specifying force draft, it now means to select the
older draft packet format. When specifying force rfc, it now means to
select the newer rfc packet format.
------------------------------------------------------------------------
r351 | mgrooms | 2007-12-13 14:24:24 -0600 (Thu, 13 Dec 2007) | 1 line
Add some alternate nat-t and udp-encaps drafts to our documentation
directory.
------------------------------------------------------------------------
r350 | mgrooms | 2007-12-13 03:53:46 -0600 (Thu, 13 Dec 2007) | 1 line
Add some alternate nat-t drafts to our documentation directory.
------------------------------------------------------------------------
r349 | mgrooms | 2007-12-11 02:51:53 -0600 (Tue, 11 Dec 2007) | 1 line
Correct a problem with our route retry loop in iked. It was failing to
break out of the attempt loop even after a route had been properly
created.
------------------------------------------------------------------------
r348 | mgrooms | 2007-12-10 23:17:47 -0600 (Mon, 10 Dec 2007) | 1 line
Correct a few problems related to reading multiple DNS and WINS server
addresses from a DHCP over IPsec packet.
------------------------------------------------------------------------
r347 | mgrooms | 2007-12-10 22:58:36 -0600 (Mon, 10 Dec 2007) | 2 lines
Modify the unix config file and virtual adapter code to support multiple
DNS and WINS servers.
------------------------------------------------------------------------
r346 | mgrooms | 2007-12-10 16:50:04 -0600 (Mon, 10 Dec 2007) | 3 lines
Update iked to support multiple DNS and WINS servers for adapter
configuration. This commit will temporarily break the Unix build until I
have a chance to update the configuration parser, ikea and ikec.
Add a work around for route management problems when a windows host
takes an unusually long time for new network adapter settings to settle.
------------------------------------------------------------------------
r345 | mgrooms | 2007-12-09 18:18:37 -0600 (Sun, 09 Dec 2007) | 1 line
Update the todo list.
------------------------------------------------------------------------
r344 | mgrooms | 2007-12-09 15:53:23 -0600 (Sun, 09 Dec 2007) | 1 line
Modify iked to not rely on UDP destination port value comparison to
determine the packet type. If the datagram has reached the packet
receive function, it has been received on a known IKE socket and should
be processed. We now only unconditionally check for a non-ESP marker to
determine if the packet is a NAT-T or a standard IKE packet.
------------------------------------------------------------------------
r343 | mgrooms | 2007-12-09 15:33:12 -0600 (Sun, 09 Dec 2007) | 2 lines
Update the unix build to reflect a file name change.
------------------------------------------------------------------------
r342 | mgrooms | 2007-12-09 15:28:45 -0600 (Sun, 09 Dec 2007) | 1 line
Rename a source code file from ike.idb.xch.cpp to ike.idb.exch.cpp which
is a bit easier to interpret as exchange.
------------------------------------------------------------------------
r341 | mgrooms | 2007-12-09 15:22:42 -0600 (Sun, 09 Dec 2007) | 2 lines
Catch the unix iked build up to recent source code re-organization.
------------------------------------------------------------------------
r340 | mgrooms | 2007-12-09 15:21:33 -0600 (Sun, 09 Dec 2007) | 1 line
Fold the functions from ike.utility.cpp into ike.nethlp.cpp as both
files contained network helper functions.
------------------------------------------------------------------------
r339 | mgrooms | 2007-12-09 15:14:19 -0600 (Sun, 09 Dec 2007) | 1 line
Move windows specific files into the private build repository. This just
untangles unnecessary code from the open source release.
------------------------------------------------------------------------
r338 | mgrooms | 2007-12-09 14:08:41 -0600 (Sun, 09 Dec 2007) | 1 line
Modify iked to use exchange specific resend handlers to provide better
logging.
------------------------------------------------------------------------
r337 | mgrooms | 2007-12-09 12:57:40 -0600 (Sun, 09 Dec 2007) | 1 line
Correct a bug in iked that was causing the daemon to always switch to
NAT-T even when addresses were not being translated.
------------------------------------------------------------------------
r336 | mgrooms | 2007-12-06 16:32:31 -0600 (Thu, 06 Dec 2007) | 1 line
Correct a few reference counting issues in iked that relate to
configuration packet handling.
------------------------------------------------------------------------
r335 | mgrooms | 2007-12-05 02:15:21 -0600 (Wed, 05 Dec 2007) | 1 line
Modify iked to log the packet type being processed.
------------------------------------------------------------------------
r334 | mgrooms | 2007-12-05 00:53:41 -0600 (Wed, 05 Dec 2007) | 3 lines
Modify the iked rsa encrypt/decrypt functions to take two parameters
instead of one. This is mostly just for clarity's sake. Cleanup some bad
code style and correct a few comments surrounding rsa authentication.
Fix the xauth hybrid name strings which had the dss and rsa types
reversed.
Correct a logic problem with ike payload fragmentation. If the last
fragment payload size was equal to the maximum fragment size, the
FRAG_FLAG_LAST bit was not being set properly. This was causing the peer
to wait for additional fragments which never arrive. Cleanup some
comments here as well.
------------------------------------------------------------------------
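The fragmentation logic fault r334 corrects, shown here as an added example rather than code from the Shrew Soft source: a splitter that marks the last fragment only when the remaining data is strictly smaller than the fragment size sits next to the corrected one, together with a receiver-side check that shows why the peer waits forever. The struct, the function names and the bit value given to FRAG_FLAG_LAST are assumptions for this illustration; only the flag name comes from the commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAG_FLAG_LAST 0x01   /* flag name from the commit; the bit value is assumed */
#define MAX_FRAGS      32

/* One fragment of a larger IKE payload: where it starts, how many bytes
 * of data it carries, and its flag byte. */
struct frag {
    size_t  offset;
    size_t  size;
    uint8_t flags;
};

/* 'Before': LAST is set only while strictly less than a full fragment of
 * data remains, so when total is an exact multiple of max_frag the final
 * fragment goes out without the flag. */
size_t split_buggy(size_t total, size_t max_frag, struct frag *out, size_t cap)
{
    size_t n = 0;
    for (size_t off = 0; off < total && n < cap; n++) {
        size_t remaining = total - off;
        out[n].offset = off;
        out[n].size   = remaining < max_frag ? remaining : max_frag;
        out[n].flags  = remaining < max_frag ? FRAG_FLAG_LAST : 0;
        off += out[n].size;
    }
    return n;
}

/* 'After': a fragment is the last one whenever the remaining data fits in
 * it, including the case where it fills the fragment exactly. */
size_t split_fixed(size_t total, size_t max_frag, struct frag *out, size_t cap)
{
    size_t n = 0;
    for (size_t off = 0; off < total && n < cap; n++) {
        size_t remaining = total - off;
        out[n].offset = off;
        out[n].size   = remaining <= max_frag ? remaining : max_frag;
        out[n].flags  = remaining <= max_frag ? FRAG_FLAG_LAST : 0;
        off += out[n].size;
    }
    return n;
}

/* Receiver's view: reassembly completes only once a fragment carrying
 * FRAG_FLAG_LAST has arrived. Without it the peer keeps waiting. */
bool reassembly_complete(const struct frag *f, size_t n)
{
    return n > 0 && (f[n - 1].flags & FRAG_FLAG_LAST) != 0;
}

/* Convenience wrappers: does the receiver ever see a LAST flag? */
bool buggy_terminates(size_t total, size_t max_frag)
{
    struct frag f[MAX_FRAGS];
    return reassembly_complete(f, split_buggy(total, max_frag, f, MAX_FRAGS));
}

bool fixed_terminates(size_t total, size_t max_frag)
{
    struct frag f[MAX_FRAGS];
    return reassembly_complete(f, split_fixed(total, max_frag, f, MAX_FRAGS));
}

size_t fixed_count(size_t total, size_t max_frag)
{
    struct frag f[MAX_FRAGS];
    return split_fixed(total, max_frag, f, MAX_FRAGS);
}

int main(void)
{
    /* 300 bytes in 100-byte fragments is the exact-multiple case from the commit. */
    printf("300/100 buggy terminates: %s\n", buggy_terminates(300, 100) ? "yes" : "no");
    printf("300/100 fixed terminates: %s\n", fixed_terminates(300, 100) ? "yes" : "no");
    printf("250/100 buggy terminates: %s\n", buggy_terminates(250, 100) ? "yes" : "no");
    return 0;
}
```

The two splitters differ in a single comparison operator; the buggy form behaves correctly for every payload size except exact multiples of the fragment size, which is why the fault shows up only with particular certificate or proposal lengths.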
r333 | mgrooms | 2007-11-28 14:45:53 -0600 (Wed, 28 Nov 2007) | 1 line
Remove a hack in iked where the signature verification process was being
bypassed.
------------------------------------------------------------------------
r332 | mgrooms | 2007-11-28 14:40:43 -0600 (Wed, 28 Nov 2007) | 2 lines
Update unix VPN Connect application to support the -u, -p and -a
parameters.
------------------------------------------------------------------------
r331 | mgrooms | 2007-11-28 14:16:03 -0600 (Wed, 28 Nov 2007) | 2 lines
Correct an issue with the unix VPN Access manager where the main mode
hybrid local ids were restricted.
------------------------------------------------------------------------
r330 | mgrooms | 2007-11-27 21:59:12 -0600 (Tue, 27 Nov 2007) | 1 line
Update todo list.
------------------------------------------------------------------------
r329 | mgrooms | 2007-11-27 21:44:07 -0600 (Tue, 27 Nov 2007) | 1 line
Update some debug output in iked to make things more consistent. Fix a
small bug that was preventing a configuration exchange handler from
being removed at the proper time.
------------------------------------------------------------------------
r328 | mgrooms | 2007-11-27 18:48:32 -0600 (Tue, 27 Nov 2007) | 1 line
Correct a few issues with iked and the NATT force options. Correct the
Netscreen vendor id check and add a new heartbeat notify check.
------------------------------------------------------------------------
r327 | mgrooms | 2007-11-27 17:45:39 -0600 (Tue, 27 Nov 2007) | 2 lines
Disable the null identity type in the unix VPN access manager. It was
introduced for checkpoint hybrid compatibility but turned out to be
unnecessary. Instead, allow null identity values to be used for all but
a manually defined address. Also add support for forcing NATT to either
the draft or rfc mode of operation.
------------------------------------------------------------------------
r326 | mgrooms | 2007-11-27 16:17:16 -0600 (Tue, 27 Nov 2007) | 1 line
Update iked to support forcing the NATT mode to either the draft or rfc
mode. Also add Shrew Soft and SonicWall vendor ids.
------------------------------------------------------------------------
r325 | mgrooms | 2007-11-25 02:45:00 -0600 (Sun, 25 Nov 2007) | 1 line
Correct a bug in iked where we were not initializing the natt version
which caused a comparison operation to fail for draft support.
------------------------------------------------------------------------
r324 | mgrooms | 2007-11-25 02:23:45 -0600 (Sun, 25 Nov 2007) | 1 line
Modify iked to support zywall gateways. We now accept but ignore NATT
original address payloads. A hack was also required to log but ignore
invalid hash values. This is only allowed when a zywall generated
configuration packet is correctly decrypted and has passed a payload
integrity check.
------------------------------------------------------------------------
r323 | mgrooms | 2007-11-25 01:30:18 -0600 (Sun, 25 Nov 2007) | 1 line
Correct pfkey related NATT draft support.
------------------------------------------------------------------------
r322 | mgrooms | 2007-11-25 01:24:23 -0600 (Sun, 25 Nov 2007) | 1 line
Update iked to include more vendor ids and add NATT support for all
draft versions.
------------------------------------------------------------------------
r321 | mgrooms | 2007-11-25 00:29:22 -0600 (Sun, 25 Nov 2007) | 1 line
Update iked to request attributes using 4 null byte values. This appears
to be necessary for compatibility.
------------------------------------------------------------------------
r320 | mgrooms | 2007-11-24 13:27:37 -0600 (Sat, 24 Nov 2007) | 1 line
Modify iked to set the attribute payload identity value before
submitting a configuration request to checkpoint gateways.
------------------------------------------------------------------------
r319 | mgrooms | 2007-11-24 13:21:35 -0600 (Sat, 24 Nov 2007) | 1 line
Add some cursory checkpoint configuration mode support to iked.
------------------------------------------------------------------------
r318 | mgrooms | 2007-11-24 04:50:51 -0600 (Sat, 24 Nov 2007) | 1 line
Cleanup some comments in the iked DHCP code. Update the config structure
and include a new address expiry field.
------------------------------------------------------------------------
r317 | mgrooms | 2007-11-24 01:55:37 -0600 (Sat, 24 Nov 2007) | 1 line
Modify iked to once again send a fully detailed checkpoint vendor id.
This was pulled in a previous commit to simplify the code during
troubleshooting.
------------------------------------------------------------------------
r316 | mgrooms | 2007-11-23 20:23:36 -0600 (Fri, 23 Nov 2007) | 3 lines
Define the IKE payload header structure and use it where appropriate.
This allows us to read payload header information in one buffer copy.
Introduce a new packet validation step after decryption occurs. By
validating the payload headers and described lengths against the actual
packet length, we can reasonably determine if the packet has been
properly decoded. Not only does this provide additional protection
against maliciously formed packets, it also allows iked to easily
discard duplicate packets that may not have already been culled by
another mechanism.
------------------------------------------------------------------------
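The post-decryption validation step r316 describes, as an added example that is not code from the Shrew Soft source: a walk over the ISAKMP generic payload chain that checks every declared payload length against the bytes actually present before any payload-specific parsing runs. The header and payload layouts are those of RFC 2408; the function names, error codes and the sample packets are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes fixed by the ISAKMP wire format (RFC 2408). */
#define ISAKMP_HDR_LEN     28
#define ISAKMP_PLD_HDR_LEN 4
#define ISAKMP_PLD_NONE    0   /* "next payload" value that ends the chain */

enum chain_result {
    CHAIN_OK = 0,
    CHAIN_ERR_SHORT_HDR,     /* buffer shorter than the ISAKMP header */
    CHAIN_ERR_HDR_LEN,       /* header claims fewer bytes than are present */
    CHAIN_ERR_TRUNC_PLD_HDR, /* a payload header runs past the end of the buffer */
    CHAIN_ERR_PLD_LEN_SMALL, /* declared payload length below its own header size */
    CHAIN_ERR_PLD_LEN_LARGE, /* declared payload length runs past the end of the buffer */
    CHAIN_ERR_TRAILING       /* chain ended but undecoded bytes remain */
};

static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the generic payload chain of a decoded ISAKMP message (cipher padding
 * already trimmed) and check every declared length against the bytes that
 * are really there, before any payload-specific parsing touches the data. */
enum chain_result validate_payload_chain(const uint8_t *pkt, size_t len)
{
    if (len < ISAKMP_HDR_LEN)
        return CHAIN_ERR_SHORT_HDR;
    if (rd32(pkt + 24) < len)        /* trimming padding can only shorten the buffer */
        return CHAIN_ERR_HDR_LEN;

    uint8_t next = pkt[16];          /* first payload type, from the ISAKMP header */
    size_t  off  = ISAKMP_HDR_LEN;
    while (next != ISAKMP_PLD_NONE) {
        if (len - off < ISAKMP_PLD_HDR_LEN)
            return CHAIN_ERR_TRUNC_PLD_HDR;
        uint16_t plen = rd16(pkt + off + 2);
        if (plen < ISAKMP_PLD_HDR_LEN)
            return CHAIN_ERR_PLD_LEN_SMALL;   /* would stall the walk or go backwards */
        if (plen > len - off)
            return CHAIN_ERR_PLD_LEN_LARGE;   /* payload body lies beyond the buffer */
        next = pkt[off];
        off += plen;
    }
    if (off != len)
        return CHAIN_ERR_TRAILING;            /* bad decryption, junk, or a stale duplicate */
    return CHAIN_OK;
}

/* Constructed sample, not a captured packet: an ISAKMP header followed by a
 * Vendor ID payload (type 13, 8 data bytes) and a Nonce payload (type 10,
 * 16 data bytes), 60 bytes total. Each variant corrupts it in one way. */
static size_t build_sample(uint8_t *buf, size_t cap, int variant)
{
    static const uint8_t hdr[ISAKMP_HDR_LEN] = {
        0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,  /* initiator cookie (dummy) */
        0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00,  /* responder cookie (dummy) */
        13, 0x10, 2, 0,                           /* next=VID, version 1.0, main mode, flags */
        0,0,0,0,                                  /* message id */
        0,0,0,60                                  /* total length */
    };
    static const uint8_t body[] = {
        10, 0, 0, 12, 'S','A','M','P','L','E','V','I',            /* VID, next=Nonce */
        0,  0, 0, 20, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16      /* Nonce, next=none */
    };
    size_t len = sizeof hdr + sizeof body;
    if (cap < len + 2) return 0;
    memcpy(buf, hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, body, sizeof body);
    switch (variant) {
    case 1: buf[ISAKMP_HDR_LEN + 3] = 200; break;                     /* VID claims 200 bytes */
    case 2: buf[ISAKMP_HDR_LEN + 3] = 0;   break;                     /* VID claims 0 bytes */
    case 3: buf[27] = 62; buf[60] = 0; buf[61] = 0; len = 62; break;  /* two bytes after the chain */
    case 4: len = 30; break;                                          /* cut inside the first payload header */
    default: break;
    }
    return len;
}

enum chain_result check_sample(int variant)
{
    uint8_t buf[128];
    return validate_payload_chain(buf, build_sample(buf, sizeof buf, variant));
}

int main(void)
{
    for (int v = 0; v <= 4; v++)
        printf("variant %d -> result %d\n", v, (int)check_sample(v));
    return 0;
}
```

The loop refuses two things a naive parser accepts: a payload length below its own 4-byte header, which would stall the walk or send it backwards, and a length that runs past the buffer, an over-read. Requiring the chain to end exactly at the buffer end is what lets a failed decryption or a stale duplicate surface as a structural error instead of as garbage in a later payload. The header length field is checked only for claiming less than is present, because once cipher padding has been trimmed the buffer can legitimately be shorter than that field.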
r315 | mgrooms | 2007-11-23 18:39:45 -0600 (Fri, 23 Nov 2007) | 1 line
Define the IKE header structure and use it where appropriate. This
allows us to read header information in one buffer copy and consolidate
data members in the IKE packet class.
------------------------------------------------------------------------
r314 | mgrooms | 2007-11-23 17:45:54 -0600 (Fri, 23 Nov 2007) | 1 line
Correct an issue with liblog that was causing buffer overruns when
logging binary data.
------------------------------------------------------------------------
r313 | mgrooms | 2007-11-21 18:15:51 -0600 (Wed, 21 Nov 2007) | 3 lines
Improve iked resilience to re-transmission of duplicate packets during
phase1. iked was prone to re-process duplicate exchange packets which
led to spurious decode errors as the cipher initialization vector had
already been updated during previous packet processing. We now implement
several safeguards to avoid this situation but more work is required to
prevent this error condition from occurring during phase2 and
configuration exchanges.
Modify iked to ensure that our packet decode function properly inspects
and trims any padding that may have been added to support a particular
cipher block size. This should allow us to improve our hash validation
functions during phase2 and configuration exchanges.
------------------------------------------------------------------------
r312 | mgrooms | 2007-11-21 13:46:19 -0600 (Wed, 21 Nov 2007) | 1 line
Add support for the checkpoint Xauth status attribute.
------------------------------------------------------------------------
r311 | mgrooms | 2007-11-21 04:08:39 -0600 (Wed, 21 Nov 2007) | 1 line
Update iked to detect an Xauth request after sending a complete
response. In this case, our credentials are invalid and the gateway is
restarting the authentication cycle. Since the client does not support
interactive user prompts, simply fail the connection.
------------------------------------------------------------------------
r310 | mgrooms | 2007-11-21 03:17:21 -0600 (Wed, 21 Nov 2007) | 1 line
Modify iked to not delete the Xauth configuration mode handler for the
checkpoint case.
------------------------------------------------------------------------
r309 | mgrooms | 2007-11-21 01:09:17 -0600 (Wed, 21 Nov 2007) | 1 line
Update iked to report when we receive an unknown modecfg attribute type.
Null terminate the user name stored in the handle instead of making a
copy for debug output.
------------------------------------------------------------------------
r308 | mgrooms | 2007-11-21 00:42:08 -0600 (Wed, 21 Nov 2007) | 1 line
Fix a bug in iked that was causing Xauth to not complete on checkpoint.
------------------------------------------------------------------------
r307 | mgrooms | 2007-11-20 22:38:26 -0600 (Tue, 20 Nov 2007) | 1 line
Correct some checkpoint related state checks for the Xauth handler in
iked.
------------------------------------------------------------------------
r306 | mgrooms | 2007-11-20 03:29:41 -0600 (Tue, 20 Nov 2007) | 1 line
Update iked to use the simplified checkpoint vendor ID and send it as
the last payload in the packet. Otherwise, the gateway will choke on it.
------------------------------------------------------------------------
r305 | mgrooms | 2007-11-17 08:56:46 -0600 (Sat, 17 Nov 2007) | 1 line
Modify iked to support checkpoint hybrid authentication. This is a first
attempt and will likely require some modification later.
------------------------------------------------------------------------
r304 | mgrooms | 2007-11-16 20:09:09 -0600 (Fri, 16 Nov 2007) | 1 line
Modify iked to not process config mode packets for immature SAs. Correct
a problem with one of the new vendor payloads being added as a null
length and improve our checkpoint client identifier. Restructure Xauth
support in preparation for testing the custom checkpoint authentication.
------------------------------------------------------------------------
r303 | mgrooms | 2007-11-16 17:08:57 -0600 (Fri, 16 Nov 2007) | 1 line
Update iked to handle more vendor id types. Also disable certificate
sorting temporarily until I figure out why the openssl call is causing a
segfault.
------------------------------------------------------------------------
r302 | mgrooms | 2007-11-15 18:06:02 -0600 (Thu, 15 Nov 2007) | 1 line
Modify iked to ensure we don't process additional packets when dealing
with an SA that is either mature or marked as dead.
------------------------------------------------------------------------
r301 | mgrooms | 2007-11-15 17:49:37 -0600 (Thu, 15 Nov 2007) | 1 line
Cleanup some certificate handling code in iked. If we store more than
one element in our certificate chain, we need to sort them before
attempting verification.
------------------------------------------------------------------------