------------------------------------------------------------------------
r1027 | mgrooms | 2007-07-31 10:56:48 +0000 (Tue, 31 Jul 2007) | 1 line
A few updates for the 2.0 release documentation.
------------------------------------------------------------------------
r1017 | mgrooms | 2007-07-25 12:26:31 +0000 (Wed, 25 Jul 2007) | 1 line
Branch for initial 2.0.0 release.
------------------------------------------------------------------------
r1016 | mgrooms | 2007-07-25 11:38:06 +0000 (Wed, 25 Jul 2007) | 1 line
Update the NSIS installer scripts and inf files to allow for XP 64bit
installs. Also add builds for an AMD64 version of the virtual network
driver. This platform support still isn't complete due to class
installer issues.
------------------------------------------------------------------------
r1015 | mgrooms | 2007-07-24 15:15:58 +0000 (Tue, 24 Jul 2007) | 1 line
Update the build environment to produce both 32bit and 64bit kernel
drivers. Correct the build for ipsecc.
------------------------------------------------------------------------
r1014 | mgrooms | 2007-07-24 15:15:05 +0000 (Tue, 24 Jul 2007) | 1 line
Update the build environment to produce both 32bit and 64bit kernel
drivers.
------------------------------------------------------------------------
r1013 | mgrooms | 2007-07-18 21:10:20 +0000 (Wed, 18 Jul 2007) | 1 line
Demote the kernel driver debug output levels and correct a build
breakage for the vnet driver.
------------------------------------------------------------------------
r1012 | mgrooms | 2007-07-17 21:54:57 +0000 (Tue, 17 Jul 2007) | 1 line
Minor driver fixes for x64 compatibility.
------------------------------------------------------------------------
r1011 | mgrooms | 2007-07-14 12:49:50 +0000 (Sat, 14 Jul 2007) | 3 lines
When a vflt device io control function returns a hard error, be sure
that userland processes close their file handle. Although the handles
were not being leaked, this problem was causing the vflt intermediate
driver to wait indefinitely for the deviceio references to be freed. As
a result, additional intermediate drivers ( like the ones shipped with
other VPN Clients ) can now be successfully installed along with the
shrew soft driver.
Minor updates to the 2.0 help documentation.
------------------------------------------------------------------------
r1010 | mgrooms | 2007-06-10 10:17:25 +0000 (Sun, 10 Jun 2007) | 1 line
More updates to the 2.0 client documentation.
------------------------------------------------------------------------
r1009 | mgrooms | 2007-06-05 00:04:06 +0000 (Tue, 05 Jun 2007) | 1 line
More updates to the 2.0 client documentation.
------------------------------------------------------------------------
r1008 | mgrooms | 2007-05-30 20:19:39 +0000 (Wed, 30 May 2007) | 1 line
Split the ipsec send and receive processing into two separate threads.
Correct some problems with the send processing. This resolves issues
reported by Brian Jones at boku dot net.
------------------------------------------------------------------------
r1007 | mgrooms | 2007-05-22 18:47:29 +0000 (Tue, 22 May 2007) | 5 lines
More updates to the 2.0 client documentation.
Add a debug output to ipsecd that logs sent PF_KEY ACQUIRE messages.
Sync ipsecd timeout value with iked retry values to prevent an IPSEC SA
update message from failing. This happens when a LARVAL SA is removed
from the SADB before the iked phase2 handle has exhausted all retry attempts.
------------------------------------------------------------------------
r1006 | mgrooms | 2007-05-20 10:30:04 +0000 (Sun, 20 May 2007) | 1 line
More updates to the 2.0 client documentation.
------------------------------------------------------------------------
r1005 | mgrooms | 2007-05-20 00:20:43 +0000 (Sun, 20 May 2007) | 1 line
More updates to the 2.0 client documentation.
------------------------------------------------------------------------
r1004 | mgrooms | 2007-05-19 15:09:58 +0000 (Sat, 19 May 2007) | 1 line
More updates to the 2.0 client documentation.
------------------------------------------------------------------------
r1003 | mgrooms | 2007-05-14 21:15:47 +0000 (Mon, 14 May 2007) | 3 lines
Be smarter when gathering the information used to build an Ethernet
header in the vflt send path. Don't rely on ARP data when dealing with
PPP interfaces. Instead, read the MAC address directly. This resolves
issues when dealing with PPPOE or PPP dial-up adapters. While here, fix
a bug that caused a busy loop when ARP failed to resolve a layer 2
address.
Correct the log level used for a few instances of debug output in the
vflt kernel driver.
------------------------------------------------------------------------
r1002 | mgrooms | 2007-05-13 10:24:08 +0000 (Sun, 13 May 2007) | 3 lines
Correct the problem where IPsec transport packets were being written to the
private dump file. This was a simple matter of dumping the packets
before ipsec processing instead of after.
Correct the output level for a vnet log statement.
------------------------------------------------------------------------
r1001 | mgrooms | 2007-05-13 09:29:48 +0000 (Sun, 13 May 2007) | 3 lines
Add a private forwarding table to vflt that caches address, mac and mtu
information. This corrects a problem with arp table lookups failing
under moderate to high network load and provides a noticeable increase
in performance. Split the single vflt lock into two locks to protect the
send and receive handles. Add better debug output for fragmentation in
the send path.
Correct a problem in ipsecd where only inbound packets were being
captured. This revealed a problem with outbound IPsec transport packets
being mirrored on the vflt receive interface. This will hopefully be
fixed in the next commit.
------------------------------------------------------------------------
r1000 | mgrooms | 2007-05-10 16:16:55 +0000 (Thu, 10 May 2007) | 1 line
When sending packets via the vflt interface, be sure to use the correct
MTU size when fragmenting packets. Special thanks to Tai-hwa Liang for
reporting the problem and testing the initial work around.
------------------------------------------------------------------------
r999 | mgrooms | 2007-05-10 06:53:04 +0000 (Thu, 10 May 2007) | 1 line
More updates to the 2.0 client documentation. Remove old images and
bring in new images.
------------------------------------------------------------------------
r998 | mgrooms | 2007-05-08 18:10:06 +0000 (Tue, 08 May 2007) | 1 line
More changes to the 2.0 client documentation.
------------------------------------------------------------------------
r997 | mgrooms | 2007-05-06 23:17:54 +0000 (Sun, 06 May 2007) | 1 line
More changes to the 2.0 client documentation.
------------------------------------------------------------------------
r996 | mgrooms | 2007-05-06 00:11:04 +0000 (Sun, 06 May 2007) | 1 line
More changes to the 2.0 client documentation.
------------------------------------------------------------------------
r995 | mgrooms | 2007-04-30 00:10:35 +0000 (Mon, 30 Apr 2007) | 1 line
More changes to the 2.0 client documentation.
------------------------------------------------------------------------
r994 | mgrooms | 2007-04-22 22:37:47 +0000 (Sun, 22 Apr 2007) | 1 line
Update some project setting changes that were missed in the last commit.
------------------------------------------------------------------------
r993 | mgrooms | 2007-04-22 22:32:59 +0000 (Sun, 22 Apr 2007) | 1 line
Stop using the Vizacc Help maker program and start using the IBE Soft
HelpNDoc program. The Vizacc software was just too buggy. Update the
build and install system to track these changes.
------------------------------------------------------------------------
r992 | mgrooms | 2007-04-21 01:38:23 +0000 (Sat, 21 Apr 2007) | 1 line
More changes to the 2.0 client documentation.
------------------------------------------------------------------------
r991 | mgrooms | 2007-04-20 21:30:19 +0000 (Fri, 20 Apr 2007) | 3 lines
More changes to the 2.0 client documentation.
Correct a problem with the ipsec trace program where a variable was not
being initialized properly.
------------------------------------------------------------------------
r990 | mgrooms | 2007-04-15 23:04:49 +0000 (Sun, 15 Apr 2007) | 1 line
First round of changes to the 2.0 client documentation.
------------------------------------------------------------------------
r989 | mgrooms | 2007-03-15 22:22:41 +0000 (Thu, 15 Mar 2007) | 1 line
Set the default dpd timeout and nattt keep-alive values for ipsecc to be
more compatible with cisco products.
------------------------------------------------------------------------
r988 | mgrooms | 2007-03-15 20:15:42 +0000 (Thu, 15 Mar 2007) | 1 line
Catch ipsecc up with libiked function name corrections.
------------------------------------------------------------------------
r987 | mgrooms | 2007-03-10 09:50:13 +0000 (Sat, 10 Mar 2007) | 1 line
Rename ikei and dpti library open/close functions to attach/detach so we
can avoid conflicts with libc functions on unix.
------------------------------------------------------------------------
r986 | mgrooms | 2007-02-23 00:19:18 +0000 (Fri, 23 Feb 2007) | 7 lines
Update the installer scripts to not create iked as a dependency on
ipsecd. All services should still function if stopped or started
independently.
When ipsecd or dtpd are running as services, don't pass a default debug
log level to the init function. We always want to use the configured
value.
Cleanup ipsec trace log output. We were declaring the buffer as static
inside a class member function which was causing it to be shared across
all instances. As a result, log output text would be randomly corrupted.
Correct ipsec trace service control. This was just broken for windows xp
and did not work well for win32.
------------------------------------------------------------------------
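The static-buffer defect described in r986 above, reproduced as an added example (not Shrew Soft code): a buffer declared `static` inside a member function is one object shared by every instance, so a second logger's call overwrites the text a first logger handed out. The `TraceLogBuggy` and `TraceLogFixed` classes and their `format` method are hypothetical names constructed for this illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical trace logger with the bug: the buffer is a function-local static,
// so all instances (and all threads) write into the same 64 bytes.
class TraceLogBuggy {
public:
    explicit TraceLogBuggy(const char* name) : name_(name) {}

    const char* format(const char* msg) {
        static char buf[64];                       // shared by every instance
        std::snprintf(buf, sizeof(buf), "[%s] %s", name_.c_str(), msg);
        return buf;
    }

private:
    std::string name_;
};

// Same logger with the buffer moved into the object, so each instance owns its text.
class TraceLogFixed {
public:
    explicit TraceLogFixed(const char* name) : name_(name) {}

    const char* format(const char* msg) {
        std::snprintf(buf_, sizeof(buf_), "[%s] %s", name_.c_str(), msg);
        return buf_;
    }

private:
    std::string name_;
    char buf_[64] = {};                            // per-instance buffer
};

// Two loggers format a line each; report whether the first logger's text survived
// the second logger's call. With the static buffer it does not.
bool buggy_text_survives() {
    TraceLogBuggy a("ipsecd");
    TraceLogBuggy b("dtpd");
    const char* line_a = a.format("sa installed");
    b.format("rule added");                        // silently overwrites line_a
    return std::strcmp(line_a, "[ipsecd] sa installed") == 0;
}

bool fixed_text_survives() {
    TraceLogFixed a("ipsecd");
    TraceLogFixed b("dtpd");
    const char* line_a = a.format("sa installed");
    b.format("rule added");                        // writes into b's own buffer
    return std::strcmp(line_a, "[ipsecd] sa installed") == 0;
}
```

The per-instance buffer fixes the cross-instance corruption the commit describes; if the same instance is used from several threads, the buffer still needs a lock or a per-call copy.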
r985 | mgrooms | 2007-02-20 17:49:34 +0000 (Tue, 20 Feb 2007) | 1 line
Cleanup the authentication ID tabs a bit and enable support for key id
types.
------------------------------------------------------------------------
r984 | mgrooms | 2007-02-20 01:19:53 +0000 (Tue, 20 Feb 2007) | 1 line
Correct a small issue in a dialog resource template where text was being
obscured.
------------------------------------------------------------------------
r983 | mgrooms | 2007-02-18 21:25:13 +0000 (Sun, 18 Feb 2007) | 1 line
Correct the ability to select pfs dh group auto negotiation via mode
config in the site configuration and the vpn client app.
------------------------------------------------------------------------
r982 | mgrooms | 2007-02-18 20:35:59 +0000 (Sun, 18 Feb 2007) | 1 line
Rework the client network tab so it will display something useful when
receiving a status message from iked. Since iked and ipsecd are now two
programs, iked no longer has access to detailed packet information.
Instead this now is recorded in the sad entries. For this reason, the
number of packets and bytes transmitted and received are no longer
displayed in this tab. Instead, IPSEC sa statistics and a few key
negotiated ike parameters are displayed.
------------------------------------------------------------------------
r981 | mgrooms | 2007-02-18 18:52:25 +0000 (Sun, 18 Feb 2007) | 1 line
Modify dtpd and ipsecd to delay programming the filter until the network
thread loop has been entered. This allows for more error recovery to
happen in the case where the device is closed unexpectedly.
------------------------------------------------------------------------
r980 | mgrooms | 2007-02-18 18:33:56 +0000 (Sun, 18 Feb 2007) | 7 lines
Modify the install scripts to add the default dtpd log file path. Also
correct a bug that was preventing the vpn trace application from
controlling the dtpd service.
Modify the libvnet adapter setup routine to remove stale parameters when
configuring a device. This is based on the flag info passed by iked.
Create a new per device io object parameter that allows a caller to
specify a priority level that dictates where rule processing should
begin when injecting packets into the kernel filter. This allows dtpd to
simplify its rule set and prevent injected packets from re-matching a
rule that has the same priority level. With this change, dns packets not
proxied by dtpd can now be picked up by ipsecd for security processing.
------------------------------------------------------------------------
r979 | mgrooms | 2007-02-18 14:11:15 +0000 (Sun, 18 Feb 2007) | 1 line
Modify the DNS Transparent Proxy Daemon to use the same style of
registry settings as ipsecd and iked. Update VPN Trace to offer
complementary configuration options and a tab for this service. While
here, fix the horrible flickering issues with the rule set output. The
only flicker now visible in any tab is during resize. There is no way
around this unless we move away from a tabbed interface.
------------------------------------------------------------------------
r978 | mgrooms | 2007-02-18 00:22:17 +0000 (Sun, 18 Feb 2007) | 1 line
Add a 3 second delay before deleting an IPSEC SA. It would appear that
FreeBSD ( and likely others ) will prefer to use an older SA until it's
completely dead. This can cause a scenario where the peer processes an
outbound packet using an SA that the local host thinks has already
expired. The 3 second delay works around this issue by allowing the
inbound packet to be processed and not dropped.
------------------------------------------------------------------------
r977 | mgrooms | 2007-02-17 23:42:17 +0000 (Sat, 17 Feb 2007) | 3 lines
Add support to ipsecd to handle sa get requests. This is now used by the
ipsec trace program. Echo all reasonable pfkey messages to all
registered listeners. Catch ipsecd up to the recent libpfk changes.
Modify how the ipsec trace program interacts with sdb. Instead of
performing dumps, perform one dump at startup and process all
interesting pfkey messages to update our displayed list of sad and spd
entries. This allows users to view the information provided without
wanting to scratch their eyeballs out.
------------------------------------------------------------------------
r976 | mgrooms | 2007-02-14 19:30:10 +0000 (Wed, 14 Feb 2007) | 1 line
Correct a problem in ipsecc where policy include IDs were being created
as ipv4 addresses instead of ipv4 subnets.
------------------------------------------------------------------------
r975 | mgrooms | 2007-02-13 00:13:04 +0000 (Tue, 13 Feb 2007) | 1 line
Update some vfilter driver project settings.
------------------------------------------------------------------------
r974 | mgrooms | 2007-02-13 00:07:50 +0000 (Tue, 13 Feb 2007) | 1 line
Correct a couple of instances in the vfilter driver where we were
returning the Irp->IoStatus.Status after a call to IoCompleteRequest had
already been made. Since the Irp manager may have already freed this
resource, we were basically referencing memory that could have already
have been re-allocated and overwritten. This could have caused
unpredictable behavior. The good news is that this was the only error
picked up during some recent testing with the Microsoft driver verifier
enabled.
------------------------------------------------------------------------
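The dispatch-routine defect in r974 above, modelled as an added example (not the vfilter driver's code): once a request has been handed back to the I/O manager it may be freed or reused, so reading its status field afterwards is a use-after-free. `FakeIrp` and `fake_complete_request` are hypothetical stand-ins for an IRP and `IoCompleteRequest`; instead of really freeing the object, the stand-in poisons it, the way a verifier-style pool would, so the stale read is visibly wrong rather than merely undefined.

```cpp
#include <cstdint>

// Hypothetical minimal IRP; only the fields this example needs.
struct FakeIrp {
    int32_t status = 0;      // analogue of Irp->IoStatus.Status
    bool completed = false;
};

// Marker written over a completed request so a stale read is detectable.
static const int32_t POISON = static_cast<int32_t>(0xDEADBEEFu);

// Stand-in for IoCompleteRequest: after this returns the I/O manager owns the
// request and may free or recycle it. Poisoning models that reuse.
void fake_complete_request(FakeIrp* irp) {
    irp->completed = true;
    irp->status = POISON;
}

// Buggy pattern: complete the request, then read its status to build the
// return value. The read touches memory the driver no longer owns.
int32_t dispatch_buggy(FakeIrp* irp, int32_t result) {
    irp->status = result;
    fake_complete_request(irp);
    return irp->status;
}

// Correct pattern: copy the status into a local first, complete the request,
// and return the local copy.
int32_t dispatch_fixed(FakeIrp* irp, int32_t result) {
    irp->status = result;
    const int32_t status = irp->status;
    fake_complete_request(irp);
    return status;
}

// Drive each dispatch routine with a constructed request reporting success (0).
int32_t buggy_demo() {
    FakeIrp irp;
    return dispatch_buggy(&irp, 0);
}

int32_t fixed_demo() {
    FakeIrp irp;
    return dispatch_fixed(&irp, 0);
}
```

In a real driver the stale read would be caught by Driver Verifier's special pool, as the commit notes, or would silently return whatever now occupies that memory.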
r973 | mgrooms | 2007-02-11 23:18:48 +0000 (Sun, 11 Feb 2007) | 1 line
Cleanup the site configuration client tab and configuration. Modify the
ipsecc program to follow suit.
------------------------------------------------------------------------
r972 | mgrooms | 2007-02-11 17:28:24 +0000 (Sun, 11 Feb 2007) | 1 line
Add the ability to select the configuration method in the site
configuration dialog. While here, correct a bug where some code was
conditional that should not have been. This was causing problems when
creating new site configurations that use the non-virtual adapter mode.
------------------------------------------------------------------------
r971 | mgrooms | 2007-02-11 15:40:32 +0000 (Sun, 11 Feb 2007) | 1 line
Only assign request ids to policies when not already specified.
------------------------------------------------------------------------
r970 | mgrooms | 2007-02-11 01:41:26 +0000 (Sun, 11 Feb 2007) | 1 line
Correct a few bugs that were preventing manual policy configuration from
working properly.
------------------------------------------------------------------------
r969 | mgrooms | 2007-02-07 23:27:32 +0000 (Wed, 07 Feb 2007) | 1 line
Modify ipseca and ipsecc to allow for manually configuring mixed include
and exclude policies. The distinction between address and network was
dropped. This simplifies the code and falls more in line with how split
network support works ( with network not address definitions ).
------------------------------------------------------------------------
r968 | mgrooms | 2007-02-05 23:22:43 +0000 (Mon, 05 Feb 2007) | 1 line
Remove a one second delay before SA deletion that was added previously
for testing purposes.
------------------------------------------------------------------------
r967 | mgrooms | 2007-02-05 21:56:35 +0000 (Mon, 05 Feb 2007) | 1 line
Correct a problem that was preventing a vnet adapter from being configured
properly immediately after creation. Create the device in an enabled
state and immediately disable it before returning the adapter handle to
the caller. This leaves the device in a state that it can be configured
before the caller re-enables the device. It's ugly but it works.
------------------------------------------------------------------------
r966 | mgrooms | 2007-02-01 22:37:12 +0000 (Thu, 01 Feb 2007) | 1 line
Update dtpd to follow the recent libip iproute changes.
------------------------------------------------------------------------
r965 | mgrooms | 2007-01-30 00:30:52 +0000 (Tue, 30 Jan 2007) | 1 line
After reading the FreeBSD ipsec headers, it's obvious that I have
confused the bypass and none ipsec policy types. We were using bypass in
certain instances but we really want none. Update ipsecd to reflect
this.
------------------------------------------------------------------------
r964 | mgrooms | 2007-01-28 22:06:11 +0000 (Sun, 28 Jan 2007) | 1 line
Be a bit smarter when we switch to using a replacement sa in ipsecd.
Prefer the dying sa over any newly created mature sas until half the
amount of time has elapsed between the soft and hard expire times. This
allows the remote end ample time to install the sa into its db before we
use it to process an outbound packet.
------------------------------------------------------------------------
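The replacement-SA selection rule from r964 above, written out as an added example (not ipsecd's code): keep sending on the dying SA until half of the interval between its soft and hard expire times has passed, then switch to the mature replacement. `SaEntry`, `prefer_dying_sa` and `select_outbound_spi` are hypothetical names, and the SPIs and lifetimes are constructed sample values.

```cpp
#include <cstdint>

// Hypothetical outbound SA record with the fields the rule needs.
struct SaEntry {
    uint32_t spi;
    bool dying;             // soft lifetime has already expired
    uint64_t soft_expire;   // absolute time, seconds
    uint64_t hard_expire;   // absolute time, seconds
};

// True while the dying SA should still carry outbound traffic: not yet at the
// midpoint between soft and hard expiry, and not hard-expired.
bool prefer_dying_sa(const SaEntry& dying, uint64_t now) {
    if (!dying.dying) return true;                 // still mature, nothing to do
    if (now >= dying.hard_expire) return false;    // unusable, switch regardless
    const uint64_t grace = (dying.hard_expire - dying.soft_expire) / 2;
    return now < dying.soft_expire + grace;
}

// Pick the SPI to use for an outbound packet given the dying SA and its
// freshly negotiated replacement (either may be absent).
uint32_t select_outbound_spi(const SaEntry* dying, const SaEntry* mature, uint64_t now) {
    if (dying == nullptr) return mature != nullptr ? mature->spi : 0;
    if (mature == nullptr) return dying->spi;
    return prefer_dying_sa(*dying, now) ? dying->spi : mature->spi;
}

// Constructed scenario: dying SA soft-expired at t=100, hard-expires at t=160,
// so the switch point is t=130; the replacement is mature from t=110.
uint32_t selected_spi_at(uint64_t now) {
    static const SaEntry dying  = {0x1001, true, 100, 160};
    static const SaEntry mature = {0x2002, false, 110 + 3600, 110 + 3900};
    return select_outbound_spi(&dying, &mature, now);
}
```

The grace period gives the peer time to install the new SA before it sees traffic on it; the hard-expiry check still bounds how long a stale SA can be used.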
r963 | mgrooms | 2007-01-28 16:02:52 +0000 (Sun, 28 Jan 2007) | 1 line
Simplify the ipsecd pfkey loop.
------------------------------------------------------------------------
r962 | mgrooms | 2007-01-28 14:56:00 +0000 (Sun, 28 Jan 2007) | 1 line
Update the project files for new win32 builds.
------------------------------------------------------------------------
r961 | mgrooms | 2007-01-28 14:51:09 +0000 (Sun, 28 Jan 2007) | 1 line
Move the projects for the public sources back into the private win32
directory. We really don't want to encourage building a win32 release.
------------------------------------------------------------------------
r960 | mgrooms | 2007-01-27 16:58:03 +0000 (Sat, 27 Jan 2007) | 1 line
Remove the now empty prv directory.
------------------------------------------------------------------------
r959 | mgrooms | 2007-01-27 16:56:18 +0000 (Sat, 27 Jan 2007) | 1 line
Move some folders around in the repository. They should not have been
committed under a prv directory.
------------------------------------------------------------------------
r958 | mgrooms | 2007-01-27 15:20:20 +0000 (Sat, 27 Jan 2007) | 1 line
Restructure the ipsec directory layout. This offers separation between
the open source components and the proprietary components.
------------------------------------------------------------------------
r957 | mgrooms | 2007-01-27 11:35:49 +0000 (Sat, 27 Jan 2007) | 1 line
Fix one pfkey log message case in iked where the log levels were
incorrect.
------------------------------------------------------------------------
r956 | mgrooms | 2007-01-27 11:24:08 +0000 (Sat, 27 Jan 2007) | 1 line
Improve iked debug output. Log basic pfkey message header information
when DEBUG level is specified and detailed information when DECODE is
specified. Introduce a new log level LOUD and move all reference count
logging under it. These log entries were responsible for a lot of output
and are rarely necessary for debugging.
------------------------------------------------------------------------
r955 | mgrooms | 2007-01-27 10:46:50 +0000 (Sat, 27 Jan 2007) | 1 line
Change the calling semantics of the proposal list class members. Instead
of using a proposal* as a result, have the caller pass in a proposal**
to be set and return a boolean result.
------------------------------------------------------------------------
r954 | mgrooms | 2007-01-25 23:09:05 +0000 (Thu, 25 Jan 2007) | 1 line
Correct a logic error in the iked pfkey loop that was causing the daemon
to hang at exit time when the pfkey interface could not be opened. I
noticed this on an amd64 box which is now running iked without issues!
------------------------------------------------------------------------
r953 | mgrooms | 2007-01-25 22:47:51 +0000 (Thu, 25 Jan 2007) | 1 line
Fix unix build after last commit.
------------------------------------------------------------------------
r952 | mgrooms | 2007-01-25 22:29:16 +0000 (Thu, 25 Jan 2007) | 1 line
Derive the PACKET class from the BDATA class and remove the code
duplication. Modify all callers to follow the minor api changes.
------------------------------------------------------------------------
r951 | mgrooms | 2007-01-24 23:42:14 +0000 (Wed, 24 Jan 2007) | 1 line
Simplify the libip bdata class and change its usage to be a bit more
like the packet class. This should ease the transition when the packet
class is modified to use the bdata class as its parent class to
eliminate the functional duplication.
------------------------------------------------------------------------
r950 | mgrooms | 2007-01-24 22:39:26 +0000 (Wed, 24 Jan 2007) | 1 line
Modify the BDATA and PACKET classes to use void * instead of
signed/unsigned char * types as parameters in the add/ins/set functions.
Remove all unnecessary casting.
------------------------------------------------------------------------
r949 | mgrooms | 2007-01-24 21:37:02 +0000 (Wed, 24 Jan 2007) | 1 line
Don't set the tunnel close value in iked if it is already set.
------------------------------------------------------------------------
r948 | mgrooms | 2007-01-24 21:26:51 +0000 (Wed, 24 Jan 2007) | 3 lines
Convert libip packet class to use inttypes instead of standard types.
Update iked and ipsecd to keep in sync with these changes.
Rename the IDB_PLCY class to IDB_POLICY. This is just a cosmetic change.
------------------------------------------------------------------------
r947 | mgrooms | 2007-01-23 23:02:34 +0000 (Tue, 23 Jan 2007) | 2 lines
Correct FreeBSD build issues on 6.2-RELEASE.
------------------------------------------------------------------------
r946 | mgrooms | 2007-01-23 23:01:26 +0000 (Tue, 23 Jan 2007) | 1 line
Correct a bug that crept into the win32 socket wrapper functions.
------------------------------------------------------------------------
r945 | mgrooms | 2007-01-23 22:17:46 +0000 (Tue, 23 Jan 2007) | 1 line
Perform some general unix Makefile cleanups. We now link the
intermediate dependency files for iked instead of linking the static
libs. Hopefully this will cure our amd64 arch issues as well as clean up
the build a bit.
------------------------------------------------------------------------
r944 | mgrooms | 2007-01-23 21:51:17 +0000 (Tue, 23 Jan 2007) | 1 line
Bring unix build up to date with the BDATA migration into libip.
------------------------------------------------------------------------
r943 | mgrooms | 2007-01-23 21:40:37 +0000 (Tue, 23 Jan 2007) | 1 line
Move the BDATA class out of the different applications and into libip.
This cuts down on a lot of duplication and will be used as a basis for a
new packet class.
------------------------------------------------------------------------
r942 | mgrooms | 2007-01-23 20:04:57 +0000 (Tue, 23 Jan 2007) | 1 line
Create a new life state flag LSTATE_PENDING that signifies that a ph2
handle is waiting on a mature ph1 handle for processing. When a new ph1
handle has reached maturity for a given tunnel, look for any pended ph2
handles and begin negotiations.
------------------------------------------------------------------------
r941 | mgrooms | 2007-01-23 19:14:08 +0000 (Tue, 23 Jan 2007) | 1 line
Modify iked socket functions to use IKE_SADDR instead of in_addr and
port values.
------------------------------------------------------------------------
r940 | mgrooms | 2007-01-22 23:55:44 +0000 (Mon, 22 Jan 2007) | 5 lines
Modify the ike unix config file parser to use the socket keyword instead
of listen. Add the ability to optionally define the peers port address.
This defaults to the standard ike port value if not specified.
Modify the way we define tunnel endpoint parameters when we receive an
acquire message in iked. Locate the local socket information using the
policy address and use the peer address for the remote address. This way
we select the appropriate port information along with the address info
and fail if we are not listening on a local address specified in the
policy.
Add a bit of route code to libip that will hopefully be useful on
freebsd some day.
------------------------------------------------------------------------
r939 | mgrooms | 2007-01-21 14:08:16 +0000 (Sun, 21 Jan 2007) | 1 line
Downgrade the iked pfkey message detail output to decode only.
------------------------------------------------------------------------
r938 | mgrooms | 2007-01-21 14:01:44 +0000 (Sun, 21 Jan 2007) | 1 line
Rename the iked unix config file section debug to daemon and add support
for specifying a list of addresses/ports to listen on. While here, clean
up a few other minor nits. Also update unix Makefile to exclude libvnet
from the build.
------------------------------------------------------------------------
r937 | mgrooms | 2007-01-21 12:31:39 +0000 (Sun, 21 Jan 2007) | 2 lines
Update project file for libvnet. This was missed in the last commit.
------------------------------------------------------------------------
r936 | mgrooms | 2007-01-21 12:27:25 +0000 (Sun, 21 Jan 2007) | 1 line
Abstract the virtual network adapter code in iked and remove the
abstraction that was previously pushed down into vnet.
------------------------------------------------------------------------
r935 | mgrooms | 2007-01-21 11:20:06 +0000 (Sun, 21 Jan 2007) | 1 line
Correct a broken section of code I added for unix while working in the
win32 environment.
------------------------------------------------------------------------
r934 | mgrooms | 2007-01-21 11:15:03 +0000 (Sun, 21 Jan 2007) | 1 line
Update project file for libvflt. This was missed in the last commit.
------------------------------------------------------------------------
r933 | mgrooms | 2007-01-21 11:13:15 +0000 (Sun, 21 Jan 2007) | 1 line
Bring the iked socket abstraction up to date for win32. Remove the
abstraction that was previously pushed down into libvnet. Fix a few bugs
along the way.
------------------------------------------------------------------------
r932 | mgrooms | 2007-01-21 10:40:22 +0000 (Sun, 21 Jan 2007) | 1 line
Replace all uses of vflt with the socket wrapper functions in iked. This
seems to work fine on unix but some catch-up needs to be done on win32.
------------------------------------------------------------------------
r931 | mgrooms | 2007-01-21 09:53:23 +0000 (Sun, 21 Jan 2007) | 1 line
Begin to abstract the socket code in iked. Nothing much really done at
the moment.
------------------------------------------------------------------------
r930 | mgrooms | 2007-01-21 08:50:23 +0000 (Sun, 21 Jan 2007) | 1 line
Fix some various memory leaks scattered throughout the code. Most were
harmless one time allocations for the config file parser on unix.
------------------------------------------------------------------------
r929 | mgrooms | 2007-01-20 14:37:51 +0000 (Sat, 20 Jan 2007) | 1 line
Be a bit smarter in our iked shutdown sequence. Don't expect all
policies to be deleted before shutting down as some of them were likely
not generated by us.
------------------------------------------------------------------------
r928 | mgrooms | 2007-01-20 14:23:40 +0000 (Sat, 20 Jan 2007) | 3 lines
Correct a bug in iked where netmaps were not getting deleted correctly
in the peer destructor. Also improve the peer cleanup process by adding
a peer end member function similar to the tunnel end function that
removes all references before attempting deletion.
Add a SIGINT trap to iked that calls the halt procedure. Improve the
halt procedure to do a better job of cleaning up any allocated memory.
We need to run a few memory debug utilities against the programs to
ensure no serious oversights have been made.
------------------------------------------------------------------------
r927 | mgrooms | 2007-01-20 12:53:34 +0000 (Sat, 20 Jan 2007) | 1 line
Update ipsecd to tally sa byte processing statistics based on the packet
size that includes the ipsec protocol headers. This makes sa dump output
a lot more uniform.
------------------------------------------------------------------------
r926 | mgrooms | 2007-01-20 12:31:27 +0000 (Sat, 20 Jan 2007) | 1 line
Bring back the simplistic packet queue system in ipsecd that will
attempt to process a single packet after sa negotiation has completed.
In most cases, this dramatically improves the user experience by
preventing the first outbound packet that triggers an acquire message
from being dropped. This is not a perfect solution but creating a more
intelligent multi packet queue is a non-trivial task and low on the
priority list at the moment.
------------------------------------------------------------------------
r925 | mgrooms | 2007-01-20 12:00:54 +0000 (Sat, 20 Jan 2007) | 1 line
Correct a bug in ipsect that was preventing it from displaying non-ipsec
policies. Now they are displayed but the output is simply hideous. Some
serious effort needs to be invested in this app before it will be
release worthy.
------------------------------------------------------------------------
r924 | mgrooms | 2007-01-20 11:51:35 +0000 (Sat, 20 Jan 2007) | 1 line
Correct a problem in ipsecd where unique policies were not being matched
to an SA with the same reqid value. This was preventing SAs for multiple
policies from being created simultaneously.
------------------------------------------------------------------------
r923 | mgrooms | 2007-01-19 00:55:08 +0000 (Fri, 19 Jan 2007) | 1 line
Improve state management locking for the dns transparent proxy daemon.
This closes a potential race condition when removing stale state
entries.
------------------------------------------------------------------------
r922 | mgrooms | 2007-01-17 23:03:41 +0000 (Wed, 17 Jan 2007) | 1 line
Implement dns state expiration in dtpd.
------------------------------------------------------------------------
r921 | mgrooms | 2007-01-17 18:14:50 +0000 (Wed, 17 Jan 2007) | 1 line
Back out the previous commit. The work around was ill-conceived.
------------------------------------------------------------------------
r920 | mgrooms | 2007-01-17 17:58:58 +0000 (Wed, 17 Jan 2007) | 1 line
Commit a workaround in iked for responder policy matching when a peer
does not support modecfg but is behind a natt device. This has only
been compile tested.
------------------------------------------------------------------------
r919 | mgrooms | 2007-01-17 17:21:41 +0000 (Wed, 17 Jan 2007) | 1 line
Juggle some logic related to client tunnel shutdown in iked. The purpose
is to allow for more accurate user feedback.
------------------------------------------------------------------------
r918 | mgrooms | 2007-01-17 17:03:35 +0000 (Wed, 17 Jan 2007) | 1 line
When a packet resend attempt finally times out, don't flag the client
tunnel as dead. If this is a phase1 handle, the tunnel will be removed
when the handle is removed. Other exchange failures should not be
considered as critical.
------------------------------------------------------------------------
r917 | mgrooms | 2007-01-17 16:46:02 +0000 (Wed, 17 Jan 2007) | 1 line
Migrate the policy route management code from ipsecd to iked. These
changes allow us to remove the 1sec delay hack introduced in the last
commit. It also allows the functionality to be available on unix along
with the iked port.
------------------------------------------------------------------------
r916 | mgrooms | 2007-01-17 14:38:06 +0000 (Wed, 17 Jan 2007) | 3 lines
Add a short delay between policy generation and dns proxy rule
generation in iked. This is just a workaround at the moment to allow
the policy routes to be created before the local address is determined
for the dns proxy rules. A real solution needs to be worked out.
Pass received packets back through kernel filter in ipsecd. This is to
allow the dns proxy daemon a chance to inspect dns reply packets.
------------------------------------------------------------------------
r915 | mgrooms | 2007-01-17 12:21:59 +0000 (Wed, 17 Jan 2007) | 1 line
Improve some debug output in the modecfg exchange handler and correct a
nasty bug that was causing vnet adapters to be disabled twice. I'm not
sure how this works under the hood, but it would appear that MS OS's
have some serious problems with reference counting associated with
device instances. If a device instance is disabled or enabled multiple
times, it can cause the device to be stuck in that state. There was a
bug that was triggering this situation in the admin thread code. To
avoid this issue, we now track the state internally and only issue
enable or disable requests if the device is not currently in the
requested state.
------------------------------------------------------------------------
r914 | mgrooms | 2007-01-17 10:49:38 +0000 (Wed, 17 Jan 2007) | 1 line
Correct issue with NATT build option in iked. This was botched a few
commits ago.
------------------------------------------------------------------------
r913 | mgrooms | 2007-01-17 09:54:06 +0000 (Wed, 17 Jan 2007) | 1 line
Correct an invalid return value for the remote port checking function in
iked.
------------------------------------------------------------------------
r912 | mgrooms | 2007-01-17 09:42:56 +0000 (Wed, 17 Jan 2007) | 1 line
Modify remote port checking in iked.
------------------------------------------------------------------------
r911 | mgrooms | 2007-01-16 23:43:50 +0000 (Tue, 16 Jan 2007) | 1 line
Correct a few missed switch cases in the packet send path. This fixes
main mode negotiations when iked is acting as a responder.
------------------------------------------------------------------------
r910 | mgrooms | 2007-01-16 23:21:23 +0000 (Tue, 16 Jan 2007) | 1 line
Really correct return value for phase1 id match function in iked.
------------------------------------------------------------------------
r909 | mgrooms | 2007-01-16 23:17:08 +0000 (Tue, 16 Jan 2007) | 1 line
Correct return value for phase1 id match function in iked.
------------------------------------------------------------------------
r908 | mgrooms | 2007-01-16 18:59:32 +0000 (Tue, 16 Jan 2007) | 1 line
Update installer scripts to reflect the dns proxy daemon split.
------------------------------------------------------------------------
r907 | mgrooms | 2007-01-16 18:32:59 +0000 (Tue, 16 Jan 2007) | 1 line
Update iked and dtpd to communicate with each other to add proxy rules
dynamically. Change the calling semantics of the dns packet type
slightly to be easier to use.
------------------------------------------------------------------------
r906 | mgrooms | 2007-01-16 12:33:34 +0000 (Tue, 16 Jan 2007) | 1 line
Implement modecfg split dns support in iked.
------------------------------------------------------------------------
r905 | mgrooms | 2007-01-16 11:30:26 +0000 (Tue, 16 Jan 2007) | 1 line
Modify the tunnel split dns configuration to be expressed as a list of
dns suffixes instead of an encoded char array in iked.
------------------------------------------------------------------------
r904 | mgrooms | 2007-01-16 10:08:56 +0000 (Tue, 16 Jan 2007) | 3 lines
Split DNS Transparent Proxy support out into a separate daemon named
dtpd. Create a new interface library named libdtp. Neither are really
functional at the moment.
Update all copyright dates to 2007.
------------------------------------------------------------------------
r903 | mgrooms | 2007-01-14 18:42:30 +0000 (Sun, 14 Jan 2007) | 1 line
Remove an unused tunnel parameter and move the code that handles a
no-item list of split inclusion network ids in iked.
------------------------------------------------------------------------
r902 | mgrooms | 2007-01-14 18:27:07 +0000 (Sun, 14 Jan 2007) | 1 line
Fix an indexing bug when traversing proposal lists in iked.
------------------------------------------------------------------------
r901 | mgrooms | 2007-01-14 18:23:13 +0000 (Sun, 14 Jan 2007) | 1 line
Modify iked to sync initiator and responder lifetimes before pfkey
update.
------------------------------------------------------------------------
r900 | mgrooms | 2007-01-14 17:39:47 +0000 (Sun, 14 Jan 2007) | 1 line
Modify some code related to proposal lists in iked. This is the first
commit in an attempt to fix a responder lifetime issue I am seeing.
------------------------------------------------------------------------
r899 | mgrooms | 2007-01-14 16:26:53 +0000 (Sun, 14 Jan 2007) | 1 line
Really make sure the policy list is generated at the correct time when
acting as a client.
------------------------------------------------------------------------
r898 | mgrooms | 2007-01-14 16:23:12 +0000 (Sun, 14 Jan 2007) | 1 line
Make sure the policy list is generated at the correct time when acting
as a client.
------------------------------------------------------------------------
r897 | mgrooms | 2007-01-14 15:49:45 +0000 (Sun, 14 Jan 2007) | 5 lines
Correct issues with iked when acting as a win32 client. Make sure the
policy list is created after the virtual adapter is initialized. Make
sure the win32 build always includes support for NATT communications.
Modify iked and ipsect to not use the QUICK flag for filter rules that
mirror fragmented UDP packets.
Modify ipsect to display non-ipsec policies. This probably needs some
more work.
------------------------------------------------------------------------
r896 | mgrooms | 2007-01-14 12:12:19 +0000 (Sun, 14 Jan 2007) | 1 line
Make sure we obtain our client xconf before we generate policies for
config mode in iked.
------------------------------------------------------------------------
r895 | mgrooms | 2007-01-14 11:21:28 +0000 (Sun, 14 Jan 2007) | 1 line
Correct the peer policy type setting in ipsecc.
------------------------------------------------------------------------
r894 | mgrooms | 2007-01-13 17:50:39 +0000 (Sat, 13 Jan 2007) | 1 line
Correct a bug that was preventing internal non-ipsec policies from being
matched correctly in iked.
------------------------------------------------------------------------
r893 | mgrooms | 2007-01-13 17:27:11 +0000 (Sat, 13 Jan 2007) | 1 line
Don't skip non-ipsec policies when receiving pfkey spdump messages in
iked.
------------------------------------------------------------------------
r892 | mgrooms | 2007-01-13 17:22:56 +0000 (Sat, 13 Jan 2007) | 1 line
Modify iked and ipsecc to correct issues with client side policy
generation.
------------------------------------------------------------------------
r891 | mgrooms | 2007-01-13 16:57:28 +0000 (Sat, 13 Jan 2007) | 1 line
Update iked to be more flexible with regard to policy generation. Use a
separate include and exclude policy id lists per tunnel. Create ipsec
policies for the include list and either bypass ( initiator ) or discard
( responder ) policies for the exclude list.
------------------------------------------------------------------------
r890 | mgrooms | 2007-01-09 00:10:15 +0000 (Tue, 09 Jan 2007) | 1 line
Update iked build for NetBSD. Seems to build fine now but doesn't run
due to pthread problems.
------------------------------------------------------------------------
r889 | mgrooms | 2007-01-08 23:41:58 +0000 (Mon, 08 Jan 2007) | 1 line
Correct iked policy generation spd problems on unix.
------------------------------------------------------------------------
r888 | mgrooms | 2007-01-08 23:00:24 +0000 (Mon, 08 Jan 2007) | 1 line
Make some cosmetic modifications to the iked config code and ipsecc
status output.
------------------------------------------------------------------------
r887 | mgrooms | 2007-01-08 22:54:13 +0000 (Mon, 08 Jan 2007) | 1 line
Implement config and compat mode policy generation support in iked. Make
sure the policy create/remove functions work for a responder as well as
an initiator. This doesn't appear to be working yet on unix platforms
and will need more polish. Fix a minor unix config file parser typo
related to policy configuration.
------------------------------------------------------------------------
r886 | mgrooms | 2007-01-08 19:31:43 +0000 (Mon, 08 Jan 2007) | 1 line
Correct the way we derive the valid config options for a peer in iked.
------------------------------------------------------------------------
r885 | mgrooms | 2007-01-08 19:15:17 +0000 (Mon, 08 Jan 2007) | 3 lines
Clean up some IKE_CONF and IKE_PEER variable and flag usage in iked and
ipsecc.
Clean up some debug output in iked and ipsecd.
------------------------------------------------------------------------
r884 | mgrooms | 2007-01-08 18:36:51 +0000 (Mon, 08 Jan 2007) | 1 line
Correct a few bugs in the address pool acquisition and return functions
in iked. Modify the IKED_XCONF object to not inherit the IKE_XCONF
struct. Instead, include it as a data member.
------------------------------------------------------------------------
r883 | mgrooms | 2007-01-08 17:58:38 +0000 (Mon, 08 Jan 2007) | 1 line
Improve log output for iked config transaction.
------------------------------------------------------------------------
r882 | mgrooms | 2007-01-08 17:25:51 +0000 (Mon, 08 Jan 2007) | 1 line
Rework the ike send path one more time to handle packet fragmentation
without sucking. Modify the config exchange to support login banners.
------------------------------------------------------------------------
r881 | mgrooms | 2007-01-08 16:32:52 +0000 (Mon, 08 Jan 2007) | 1 line
Modify the iked xconf classes to pass the tunnel object. This allows us
to configure other parameters that are not contained within the
IKE_XCONF struct.
------------------------------------------------------------------------
r880 | mgrooms | 2007-01-08 16:31:17 +0000 (Mon, 08 Jan 2007) | 1 line
Modify the iked unix config file parsing to simplify the policy
configuration.
------------------------------------------------------------------------
r879 | mgrooms | 2007-01-08 00:10:29 +0000 (Mon, 08 Jan 2007) | 1 line
Implement basic local xconf server support. Some work still needs to be
done to support a few remaining attribute types.
------------------------------------------------------------------------
r878 | mgrooms | 2007-01-07 15:43:27 +0000 (Sun, 07 Jan 2007) | 1 line
Implement basic ipv4 address pool in iked for use with the IKED_XCONF
classes.
------------------------------------------------------------------------
r877 | mgrooms | 2007-01-07 11:57:12 +0000 (Sun, 07 Jan 2007) | 1 line
Rearrange some config options in iked. Move the basic xauth and xconf
parameters into the peer config. Rename XAUTH_SYSTEM to XAUTH_LOCAL and
re-factor some code to follow suit. Introduce a new parameter for compat
or config generation of policies.
------------------------------------------------------------------------
r876 | mgrooms | 2007-01-06 20:58:29 +0000 (Sat, 06 Jan 2007) | 1 line
Implement netmaps in iked that describe how policies should be generated
for a given peer.
------------------------------------------------------------------------
r875 | mgrooms | 2007-01-06 17:54:57 +0000 (Sat, 06 Jan 2007) | 1 line
Clean up bdata usage now that the class has been extended.
------------------------------------------------------------------------
r874 | mgrooms | 2007-01-06 17:22:36 +0000 (Sat, 06 Jan 2007) | 1 line
Modify iked unix config file parser to read netgroups and add them to a
list. These groups will be used for policy generation. Also extend the
bdata class to support unsigned and signed char add and set functions. A
sweep will be needed to kill all the unsigned char * casts littered
throughout the code.
------------------------------------------------------------------------
r873 | mgrooms | 2007-01-06 14:07:00 +0000 (Sat, 06 Jan 2007) | 1 line
Clean up some flex/bison parsing logic nits.
------------------------------------------------------------------------
r872 | mgrooms | 2007-01-05 21:37:25 +0000 (Fri, 05 Jan 2007) | 1 line
Correct some issues in iked related to ldap user authentication and
implement ldap group membership validation.
------------------------------------------------------------------------
r871 | mgrooms | 2007-01-05 20:19:38 +0000 (Fri, 05 Jan 2007) | 1 line
Add initial support to iked for ldap authentication.
------------------------------------------------------------------------
r870 | mgrooms | 2007-01-05 00:03:33 +0000 (Fri, 05 Jan 2007) | 1 line
Remove a snippet of unused code in iked xauth.
------------------------------------------------------------------------
r869 | mgrooms | 2007-01-05 00:01:44 +0000 (Fri, 05 Jan 2007) | 1 line
Update modified iked msvc project.
------------------------------------------------------------------------
r868 | mgrooms | 2007-01-04 23:57:53 +0000 (Thu, 04 Jan 2007) | 1 line
Implement the basic config file structure and xauth class functions for
unix password db authentication and group inclusion checks.
------------------------------------------------------------------------
r867 | mgrooms | 2007-01-04 21:42:12 +0000 (Thu, 04 Jan 2007) | 1 line
Correct build breakage after file rename.
------------------------------------------------------------------------
r866 | mgrooms | 2007-01-04 21:40:01 +0000 (Thu, 04 Jan 2007) | 1 line
Update our unix iked makefile and rename the config flex and bison input
files to improve the build dependency handling.
------------------------------------------------------------------------
r865 | mgrooms | 2007-01-04 18:43:36 +0000 (Thu, 04 Jan 2007) | 1 line
Correct an issue in iked where port values were being sent as part of a
pfkey delete message when NATT was not in use.
------------------------------------------------------------------------
r864 | mgrooms | 2007-01-04 18:24:57 +0000 (Thu, 04 Jan 2007) | 5 lines
Modify all unix Makefiles to support conditional natt and debug builds.
I'm not sure how portable the conditionals are so this may need more
work.
Correct a bug in iked where integers were being passed as strings in a
call to vprintf.
Attempt to correct a bug in the libith win32 event timer where a timeout
value was not being calculated correctly.
------------------------------------------------------------------------
r863 | mgrooms | 2007-01-03 23:11:16 +0000 (Wed, 03 Jan 2007) | 1 line
Correct a timer calculation issue in the libith timer event class on
unix.
------------------------------------------------------------------------
r862 | mgrooms | 2007-01-03 22:31:36 +0000 (Wed, 03 Jan 2007) | 1 line
Remove a few lines of code designed to force error conditions for debug
purposes in iked.
------------------------------------------------------------------------
r861 | mgrooms | 2007-01-03 22:17:18 +0000 (Wed, 03 Jan 2007) | 1 line
Tweak some pfkey related functions in iked and add ESP in UDP
encapsulation socket option calls to allow NATT to fully work in unix.
------------------------------------------------------------------------
r860 | mgrooms | 2007-01-02 18:24:09 +0000 (Tue, 02 Jan 2007) | 1 line
Perform a bit of code cleanup in the iked pfkey member functions.
------------------------------------------------------------------------
r859 | mgrooms | 2007-01-02 17:37:49 +0000 (Tue, 02 Jan 2007) | 1 line
Correct two issues in iked. Specify the replay window size and don't
incorrectly skip packets in an exchange handle resend queue.
------------------------------------------------------------------------
r858 | mgrooms | 2007-01-01 14:26:44 +0000 (Mon, 01 Jan 2007) | 1 line
Modify ipsecd to provide better handling of natt ports. Clean up some
debug output.
------------------------------------------------------------------------
r857 | mgrooms | 2007-01-01 13:41:44 +0000 (Mon, 01 Jan 2007) | 1 line
Modify iked and ipsecd to provide better handling of natt ports.
------------------------------------------------------------------------
r856 | mgrooms | 2007-01-01 12:55:05 +0000 (Mon, 01 Jan 2007) | 1 line
Add some socket utility functions to ipsecd and perform some misc
cleanups.
------------------------------------------------------------------------
r855 | mgrooms | 2006-12-31 17:49:59 +0000 (Sun, 31 Dec 2006) | 1 line
Clean up some text address conversion functions in ipsecd.
------------------------------------------------------------------------
r854 | mgrooms | 2006-12-31 17:02:31 +0000 (Sun, 31 Dec 2006) | 1 line
Modify iked to call resend clear in our phase2 handle cleanup member
function.
------------------------------------------------------------------------
r853 | mgrooms | 2006-12-31 14:38:21 +0000 (Sun, 31 Dec 2006) | 1 line
Correct a few bugs in iked related to packet resend events not being
canceled properly.
------------------------------------------------------------------------
r852 | mgrooms | 2006-12-31 14:14:39 +0000 (Sun, 31 Dec 2006) | 1 line
Complete the event driven packet resend implementation.
------------------------------------------------------------------------
r851 | mgrooms | 2006-12-31 13:25:20 +0000 (Sun, 31 Dec 2006) | 1 line
Modify iked to catch up to the new IDB member function changes and
replace the old resend sched/clean functions with a new event driven
skeleton. This will be fleshed out in the next commit.
------------------------------------------------------------------------
r850 | mgrooms | 2006-12-31 12:26:55 +0000 (Sun, 31 Dec 2006) | 3 lines
Modify iked to treat the iked object as a single global object. This
allows us to drop our per-event iked pointers. Also, move the idb
add/inc/dec functions out of iked and make them virtual member functions
of these objects. This will allow us to finally use events for packet
resend instead of our nasty sweep loop that runs once per second.
NOTE: The changes in this commit were only compile tested. This means
there may be bugs.
------------------------------------------------------------------------
r849 | mgrooms | 2006-12-20 18:46:08 +0000 (Wed, 20 Dec 2006) | 1 line
Correct an issue with iked where an invalid buffer was being passed to
the log function when a notification message contained a zero length spi
value.
------------------------------------------------------------------------
r848 | mgrooms | 2006-12-20 18:39:45 +0000 (Wed, 20 Dec 2006) | 1 line
Correct a problem in iked where an inappropriate notification code was
being set when phase2 negotiation fails.
------------------------------------------------------------------------
r847 | mgrooms | 2006-12-20 18:21:28 +0000 (Wed, 20 Dec 2006) | 1 line
Modify iked to only do what is realistically possible for phase2
notifications. The ike specification is so vague that there is no real
support for correlating phase2 notifications with a particular
negotiation still in progress. We fall in line with racoon and send a
general notification code with no notification data. At least this way
the remote system should log the received notification so an admin can
have a chance to interpret what may be causing the negotiation failure.
------------------------------------------------------------------------
r846 | mgrooms | 2006-12-19 22:51:24 +0000 (Tue, 19 Dec 2006) | 1 line
Modify iked to ensure that the correct SPI is being included when
sending notify or delete messages. Also make sure the correct SPI is
being matched when receiving notify or delete messages. A problem was
occurring due to the local and remote SPI being swapped in some of the
logic.
------------------------------------------------------------------------
r845 | mgrooms | 2006-12-19 19:52:14 +0000 (Tue, 19 Dec 2006) | 1 line
Modify iked to allow searching for an existing tunnel by address with
the port comparison optional.
------------------------------------------------------------------------
r844 | mgrooms | 2006-12-18 23:27:03 +0000 (Mon, 18 Dec 2006) | 3 lines
Correct some spelling mistakes in iked and libpfk.
Modify ipsecd to use two timeout events for the sa acquire cycle. The
first event is used in conjunction with a state variable to ensure
multiple acquires are not submitted in parallel for a single policy. The
second event is to ensure an sa is cleaned up if it does not reach
maturity before the timer expires. Also rename all event classes to use
an SA or SP prefix.
------------------------------------------------------------------------
r843 | mgrooms | 2006-12-17 16:35:18 +0000 (Sun, 17 Dec 2006) | 1 line
Modify the vflt kernel driver to match NATT keep alive packets when the
NON-ESP option flag is set for a rule.
------------------------------------------------------------------------
r842 | mgrooms | 2006-12-17 15:58:15 +0000 (Sun, 17 Dec 2006) | 1 line
Correct a bug in the unix version of libvflt where the wrong payload
size was being calculated before a send operation.
------------------------------------------------------------------------
r841 | mgrooms | 2006-12-17 15:30:43 +0000 (Sun, 17 Dec 2006) | 1 line
Remove a line of debug output from iked that is no longer used.
------------------------------------------------------------------------
r840 | mgrooms | 2006-12-17 15:22:48 +0000 (Sun, 17 Dec 2006) | 1 line
Correct the formation of NATT keep alive packets. We should only be
sending a single byte without the NON-ESP marker.
------------------------------------------------------------------------
r839 | mgrooms | 2006-12-17 14:56:38 +0000 (Sun, 17 Dec 2006) | 2 lines
Clean up some lifetime variable usage and add event support for natt
keep alive messages.
------------------------------------------------------------------------
r838 | mgrooms | 2006-12-16 10:30:38 +0000 (Sat, 16 Dec 2006) | 1 line
Modify iked to make sure we assign our local sa lifetime where
appropriate as a responder. Also, check all notification payloads before
interacting with spd to catch responder lifetime notifications when
acting as an initiator.
------------------------------------------------------------------------
r837 | mgrooms | 2006-12-16 00:30:16 +0000 (Sat, 16 Dec 2006) | 1 line
Correct a bug in iked where ike attribute data was not being added to a
packet.
------------------------------------------------------------------------
r836 | mgrooms | 2006-12-16 00:06:37 +0000 (Sat, 16 Dec 2006) | 1 line
Correct a bug in iked where the wrong variable was being checked for a
life state flag.
------------------------------------------------------------------------
r835 | mgrooms | 2006-12-15 23:59:27 +0000 (Fri, 15 Dec 2006) | 1 line
Modify iked to improve logging for ipsec responder lifetime when claim
is used.
------------------------------------------------------------------------
r834 | mgrooms | 2006-12-15 23:35:56 +0000 (Fri, 15 Dec 2006) | 1 line
Update todo list.
------------------------------------------------------------------------
r833 | mgrooms | 2006-12-15 23:35:28 +0000 (Fri, 15 Dec 2006) | 1 line
Modify iked to improve logging for the responder life check claim case
and correct a bug that was reading past a valid buffer.
------------------------------------------------------------------------
r832 | mgrooms | 2006-12-15 22:09:30 +0000 (Fri, 15 Dec 2006) | 1 line
Modify the iked payload attribute handlers to use struct IKE_ATTR.
Update the notify handler that reads the responder lifetime attributes
to follow suit. Modify the proposal lifetime based on the specified
lifetime check behavior when acting as a responder.
------------------------------------------------------------------------
r831 | mgrooms | 2006-12-15 01:03:07 +0000 (Fri, 15 Dec 2006) | 1 line
Remove the transform struct from the phase1 handle class. The
information is already contained in the peer proposal for initiator and
in the selected proposal list as a responder. Add the required config
settings and proposal checks for responder lifetime checking. More work
is required to make this feature complete.
------------------------------------------------------------------------
r830 | mgrooms | 2006-12-12 20:47:32 +0000 (Tue, 12 Dec 2006) | 1 line
Modify iked to determine if xauth will be used after we select a valid
peer proposal when acting as a responder.
------------------------------------------------------------------------
r829 | mgrooms | 2006-12-12 20:30:56 +0000 (Tue, 12 Dec 2006) | 1 line
Modify iked to only initiate a config exchange if we are the
initiator and don't need xauth or we are the responder and need xauth.
------------------------------------------------------------------------
r828 | mgrooms | 2006-12-12 20:01:50 +0000 (Tue, 12 Dec 2006) | 1 line
Modify iked to release the config handle after xauth response and
acknowledgment.
------------------------------------------------------------------------
r827 | mgrooms | 2006-12-12 00:10:47 +0000 (Tue, 12 Dec 2006) | 1 line
Correct an issue in iked where the dhgroup was not being set up early
enough to support aggressive mode exchanges.
------------------------------------------------------------------------
r826 | mgrooms | 2006-12-12 00:03:30 +0000 (Tue, 12 Dec 2006) | 1 line
Modify debug output for iked to be more verbose when rejecting a kex
payload.
------------------------------------------------------------------------
r825 | mgrooms | 2006-12-11 23:40:45 +0000 (Mon, 11 Dec 2006) | 1 line
Modify the unix configuration code to catch up with the peer proposal
list changes.
------------------------------------------------------------------------
r824 | mgrooms | 2006-12-11 23:16:41 +0000 (Mon, 11 Dec 2006) | 1 line
Modify iked to use a list to store a set of peer specific proposal
parameters instead of a static set embedded in the IKE_PEER structure.
Modify the ikei interface to support passing of proposal messages now
that the proposals are not included in the peer message.
------------------------------------------------------------------------
r823 | mgrooms | 2006-12-10 02:31:12 +0000 (Sun, 10 Dec 2006) | 1 line
Work around an issue with pfs in ipsecc and only send sa delete messages
via pfkey when the sa is mature.
------------------------------------------------------------------------
r822 | mgrooms | 2006-12-10 02:00:03 +0000 (Sun, 10 Dec 2006) | 1 line
Fix a build breakage for win32 related to a path name variable change.
------------------------------------------------------------------------
r821 | mgrooms | 2006-12-10 01:57:13 +0000 (Sun, 10 Dec 2006) | 1 line
Update todo list.
------------------------------------------------------------------------
r820 | mgrooms | 2006-12-10 00:53:45 +0000 (Sun, 10 Dec 2006) | 1 line
Add support for loading a configuration file on unix platforms using
flex and bison as the scanner and parser. Split out the registry config
functions into a separate file for win32. Make a few minor modifications
to idb peer and policy creation to support some optional values. Remove
the options for private and fragmented pcap dumps as they are not used
in iked.
------------------------------------------------------------------------
r819 | mgrooms | 2006-11-28 23:17:23 +0000 (Tue, 28 Nov 2006) | 1 line
Remove a debug printf from libvflt.
------------------------------------------------------------------------
r818 | mgrooms | 2006-11-28 23:14:38 +0000 (Tue, 28 Nov 2006) | 1 line
Rename the iked utility function match_ikeaddr to cmp_ikeaddr and make
it simply a call to cmp_sockaddr using the IKE_SADDR sockaddr members as
parameters.
------------------------------------------------------------------------
r817 | mgrooms | 2006-11-28 21:52:27 +0000 (Tue, 28 Nov 2006) | 1 line
Modify the IKE_XCONF struct to carry two option bit fields. The opts
field specifies the options that are valid and the rqst field specifies
the options to be negotiated.
------------------------------------------------------------------------
r816 | mgrooms | 2006-11-27 15:00:57 +0000 (Mon, 27 Nov 2006) | 1 line
Update iked to use the IKE_XAUTH struct when performing xauth
authentication.
------------------------------------------------------------------------
r815 | mgrooms | 2006-11-27 14:45:45 +0000 (Mon, 27 Nov 2006) | 1 line
Retire the IPSEC_OPTS_NATT flag and rename IPSEC_OPTS_AUTOPLCY to
IPSEC_OPTS_SPLITNET.
------------------------------------------------------------------------
r814 | mgrooms | 2006-11-27 14:27:55 +0000 (Mon, 27 Nov 2006) | 1 line
Retire the IPSEC_OPTS_XAUTH flag. This was really not necessary as the
behavior can be determined by examining the phase1 proposal's
authentication type.
------------------------------------------------------------------------
r813 | mgrooms | 2006-11-27 14:12:35 +0000 (Mon, 27 Nov 2006) | 1 line
Update iked and ipsecc to send xauth username and password as config
strings.
------------------------------------------------------------------------
r812 | mgrooms | 2006-11-27 13:57:30 +0000 (Mon, 27 Nov 2006) | 1 line
Attempt to improve the use of xauth and mode config internal structures
and option flags.
------------------------------------------------------------------------
r811 | mgrooms | 2006-11-27 11:04:05 +0000 (Mon, 27 Nov 2006) | 1 line
Modify iked to include stub files and abstract classes for xauth and
xconf.
------------------------------------------------------------------------
r810 | mgrooms | 2006-11-27 10:26:27 +0000 (Mon, 27 Nov 2006) | 1 line
Modify iked to flag the config exchange handle for deletion when
xauth fails.
------------------------------------------------------------------------
r809 | mgrooms | 2006-11-26 12:35:08 +0000 (Sun, 26 Nov 2006) | 1 line
Modify iked config exchange handler to behave better as both server and
client.
------------------------------------------------------------------------
r808 | mgrooms | 2006-11-26 11:23:08 +0000 (Sun, 26 Nov 2006) | 1 line
Retire the process_config_init function as it's now handled by
process_config_send.
------------------------------------------------------------------------
r807 | mgrooms | 2006-11-26 11:00:41 +0000 (Sun, 26 Nov 2006) | 1 line
Modify iked to reset the modecfg exchange attribute lists where
applicable.
------------------------------------------------------------------------
r806 | mgrooms | 2006-11-25 12:39:26 +0000 (Sat, 25 Nov 2006) | 1 line
Modify iked to go through the motions of verifying xauth user
credentials when the appropriate auth mode is in use.
------------------------------------------------------------------------
r805 | mgrooms | 2006-11-25 11:38:37 +0000 (Sat, 25 Nov 2006) | 1 line
Add a few minor changes to the config exchange handlers in preparation
for supporting server side xauth.
------------------------------------------------------------------------
r804 | mgrooms | 2006-11-25 10:49:43 +0000 (Sat, 25 Nov 2006) | 1 line
Split the iked config exchange handlers into send and receive. This is
similar to phase1 and phase2 handling. Add a new file to handle id
related functions and correct a bug where we would attempt to create an
asn1 text string from a null pointer.
------------------------------------------------------------------------
r803 | mgrooms | 2006-11-25 09:15:11 +0000 (Sat, 25 Nov 2006) | 1 line
Correct the use of the registry parameters that specify the log file
names for ipsecd and iked in the vpn trace application.
------------------------------------------------------------------------
r802 | mgrooms | 2006-11-24 23:06:36 +0000 (Fri, 24 Nov 2006) | 1 line
Commit msvc workspace setting changes.
------------------------------------------------------------------------
r801 | mgrooms | 2006-11-24 23:01:59 +0000 (Fri, 24 Nov 2006) | 3 lines
Add dump and spdump support to libpfk and ipsecd. Make sure the sa
lifetime statistics parameters are being updated correctly in ipsecd.
Modify ipsect to allow user control and trace options for both iked
and ipsecd. Add new tabs for viewing sadb and spdb entries if the user
has the appropriate access to communicate via pfkey with ipsecd.
------------------------------------------------------------------------
r800 | mgrooms | 2006-11-20 23:27:25 +0000 (Mon, 20 Nov 2006) | 1 line
Modify the ipsect application to take into account that there are now
two services, both with their own separate log files. While there,
attempt to perform some general cleanup.
------------------------------------------------------------------------
r799 | mgrooms | 2006-11-19 14:50:42 +0000 (Sun, 19 Nov 2006) | 1 line
Rename the IKE_SA1 and IKE_SA2 structs to IKE_PH1 and IKE_PH2.
------------------------------------------------------------------------
r798 | mgrooms | 2006-11-19 14:20:45 +0000 (Sun, 19 Nov 2006) | 1 line
Correct some string format parameters to silence some build warnings.
------------------------------------------------------------------------
r797 | mgrooms | 2006-11-19 14:17:13 +0000 (Sun, 19 Nov 2006) | 3 lines
Rename the IKE_PEERID and IKE_IPV4ID structs to IKE_PH1ID and IKE_PH2ID.
This seems more logical and it unties the naming convention from a
particular ip version.
Retire an unused iked source file.
------------------------------------------------------------------------
r796 | mgrooms | 2006-11-19 13:39:58 +0000 (Sun, 19 Nov 2006) | 1 line
Correct an iked address to text use that was only included during a unix
build.
------------------------------------------------------------------------
r795 | mgrooms | 2006-11-19 13:35:16 +0000 (Sun, 19 Nov 2006) | 1 line
Update ipv4 address conversion function to be more portable.
------------------------------------------------------------------------
r794 | mgrooms | 2006-11-19 13:30:34 +0000 (Sun, 19 Nov 2006) | 1 line
Update iked to use a new set of cleaner text/id to string functions.
Since the daemon only supports ipv4, it is the only address family that
is currently handled. This will change once ipv6 support is added. A
global sweep of the code was made to convert to using these new
functions. Hopefully I didn't miss any.
------------------------------------------------------------------------
r793 | mgrooms | 2006-11-19 01:23:45 +0000 (Sun, 19 Nov 2006) | 3 lines
Remove some dead code from iked and rename IKE_PACKET to PACKET_IKE
which is consistent with the other packet sub classes.
Update the todo list.
------------------------------------------------------------------------
r792 | mgrooms | 2006-11-18 16:09:11 +0000 (Sat, 18 Nov 2006) | 1 line
Correct a bug in iked where the protocol value was not being copied
correctly when a new notify was being added to a list.
------------------------------------------------------------------------
r791 | mgrooms | 2006-11-18 16:01:38 +0000 (Sat, 18 Nov 2006) | 1 line
Correct a bug in iked where the spi size was not being set after
receiving a new value from pfkey.
------------------------------------------------------------------------
r790 | mgrooms | 2006-11-18 15:41:54 +0000 (Sat, 18 Nov 2006) | 1 line
Modify iked and libpfk to not break when certain natt info is not
defined on a unix platform.
------------------------------------------------------------------------
r789 | mgrooms | 2006-11-18 15:38:57 +0000 (Sat, 18 Nov 2006) | 1 line
Modify the iked phase2 get function to support an spi parameter. This is
useful for looking up a phase2 handle by sa when a delete message is
received.
------------------------------------------------------------------------
r788 | mgrooms | 2006-11-18 15:20:39 +0000 (Sat, 18 Nov 2006) | 1 line
Modify iked to use a new data type named IKE_SPI. This replaced the home
rolled spi/cpi/cookie data and size variables used in the IKE_PROPOSAL
and IKE_NOTIFY structs.
------------------------------------------------------------------------
r787 | mgrooms | 2006-11-18 14:46:15 +0000 (Sat, 18 Nov 2006) | 3 lines
Modify iked to ensure a packet is only encrypted once before ike
fragmentation occurs.
Modify ipsecc, iked and libiked to use the ipv4id structure instead of
the superfluous ipsec remote structure. This was a unique type that was
previously introduced to prevent header pollution before the last round
of cleanups occurred.
------------------------------------------------------------------------
r786 | mgrooms | 2006-11-18 12:26:44 +0000 (Sat, 18 Nov 2006) | 1 line
Modify iked to simplify the ike send and encap code. It was a bit
confusing before and had offered some hackish functionality that should
not be relied on.
------------------------------------------------------------------------
r785 | mgrooms | 2006-11-18 10:11:25 +0000 (Sat, 18 Nov 2006) | 1 line
Modify ipsecd to specify the correct address when manipulating the route
table during the policy install and remove function calls.
------------------------------------------------------------------------
r784 | mgrooms | 2006-11-18 09:48:32 +0000 (Sat, 18 Nov 2006) | 1 line
Correct an issue with iked where the natt discovery payloads were being
initialized too early in main mode. This was causing a segfault as the
hash algorithm had not been negotiated or setup in the phase1 handle.
------------------------------------------------------------------------
r783 | mgrooms | 2006-11-18 08:58:33 +0000 (Sat, 18 Nov 2006) | 3 lines
Modify ipsecd to correctly calculate udp checksums when natt is being
used. The libip udp class needs to be augmented to provide udp header
creation while skipping the checksum step as the RFC states the checksum
should be omitted.
Add the RFC draft for mobile ike pfkey extensions as it describes some
of the extensions used by libpfk.
------------------------------------------------------------------------
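The checksum rule r783 refers to is the one from RFC 3948 (UDP encapsulation of ESP, UDP port 4500): the UDP checksum field is sent as zero and the receiver does not consult it. The following is an added example, not the project's libip code, contrasting that with an ordinary UDP header whose checksum covers the IPv4 pseudo-header, header and payload (RFC 768). The function names, the sample addresses and the sample payload are constructed for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Added example, not the project's libip code. build_udp() produces a UDP
// header for plain UDP (checksum computed) or for UDP-encapsulated ESP
// (checksum left at zero per RFC 3948); verify_udp() is the receive side.

// One's complement sum of 16-bit big-endian words, odd trailing byte padded.
static uint32_t sum16(const uint8_t* p, size_t n, uint32_t acc) {
    for (size_t i = 0; i + 1 < n; i += 2)
        acc += (uint32_t(p[i]) << 8) | p[i + 1];
    if (n & 1)
        acc += uint32_t(p[n - 1]) << 8;
    return acc;
}

// Fold the carries back in and complement (RFC 1071 style).
static uint16_t fold(uint32_t acc) {
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return uint16_t(~acc & 0xffff);
}

// IPv4 pseudo-header: src, dst, zero, protocol 17, UDP length.
static uint32_t pseudo_sum(const uint8_t src[4], const uint8_t dst[4], uint16_t len) {
    uint8_t ph[12] = { src[0], src[1], src[2], src[3],
                       dst[0], dst[1], dst[2], dst[3],
                       0, 17, uint8_t(len >> 8), uint8_t(len & 0xff) };
    return sum16(ph, sizeof ph, 0);
}

// Returns the 8-byte UDP header followed by the payload.
std::vector<uint8_t> build_udp(const uint8_t src[4], const uint8_t dst[4],
                               uint16_t sport, uint16_t dport,
                               const std::vector<uint8_t>& payload, bool natt_encap) {
    std::vector<uint8_t> pkt(8 + payload.size());
    uint16_t len = uint16_t(pkt.size());
    pkt[0] = uint8_t(sport >> 8); pkt[1] = uint8_t(sport);
    pkt[2] = uint8_t(dport >> 8); pkt[3] = uint8_t(dport);
    pkt[4] = uint8_t(len >> 8);   pkt[5] = uint8_t(len);
    pkt[6] = 0; pkt[7] = 0;       // checksum field is zero while summing
    std::memcpy(pkt.data() + 8, payload.data(), payload.size());
    if (natt_encap)
        return pkt;               // RFC 3948: send the checksum as zero
    uint16_t csum = fold(sum16(pkt.data(), pkt.size(), pseudo_sum(src, dst, len)));
    if (csum == 0)
        csum = 0xffff;            // RFC 768: a computed zero is sent as all ones
    pkt[6] = uint8_t(csum >> 8); pkt[7] = uint8_t(csum);
    return pkt;
}

// Receive side: NAT-T encapsulated ESP ignores the checksum field; plain
// UDP with a non-zero checksum must verify (sum over everything folds to 0).
bool verify_udp(const uint8_t src[4], const uint8_t dst[4],
                const std::vector<uint8_t>& pkt, bool natt_encap) {
    if (pkt.size() < 8)
        return false;
    uint16_t len = uint16_t((pkt[4] << 8) | pkt[5]);
    if (len != pkt.size())
        return false;
    if (natt_encap)
        return true;
    uint16_t rx = uint16_t((pkt[6] << 8) | pkt[7]);
    if (rx == 0)
        return true;              // sender did not compute one (RFC 768)
    return fold(sum16(pkt.data(), pkt.size(), pseudo_sum(src, dst, len))) == 0;
}

// Constructed sample addresses and payload; not captured traffic.
static const uint8_t SRC[4] = { 192, 168, 1, 10 };
static const uint8_t DST[4] = { 203, 0, 113, 5 };
static const std::vector<uint8_t> SAMPLE = { 0x00, 0x00, 0x12, 0x34,
                                             0x00, 0x00, 0x00, 0x01, 0xab };

bool plain_udp_verifies() {
    return verify_udp(SRC, DST, build_udp(SRC, DST, 500, 500, SAMPLE, false), false);
}

bool corrupted_plain_udp_is_rejected() {
    std::vector<uint8_t> pkt = build_udp(SRC, DST, 500, 500, SAMPLE, false);
    pkt[8] ^= 0x01;               // flip one payload bit
    return !verify_udp(SRC, DST, pkt, false);
}

bool natt_udp_has_zero_checksum() {
    std::vector<uint8_t> pkt = build_udp(SRC, DST, 4500, 4500, SAMPLE, true);
    return pkt[6] == 0 && pkt[7] == 0 && verify_udp(SRC, DST, pkt, true);
}
```

The encapsulated case is safe to leave unchecksummed because ESP's own integrity check covers the inner packet; a NAT in the path rewrites addresses and ports anyway, which is exactly why a pseudo-header checksum cannot survive the trip.
------------------------------------------------------------------------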
r782 | mgrooms | 2006-11-17 18:45:36 +0000 (Fri, 17 Nov 2006) | 2 lines
Modify ipsecd to support esp-udp sas. Fix some issues in iked that were
causing the port information to not be transmitted correctly.
------------------------------------------------------------------------
r781 | mgrooms | 2006-11-17 17:59:11 +0000 (Fri, 17 Nov 2006) | 1 line
Modify iked and libpfk to support esp-udp tunnels for use with natt. The
ipsec daemon still lacks support for this feature.
------------------------------------------------------------------------
r780 | mgrooms | 2006-11-14 18:48:47 +0000 (Tue, 14 Nov 2006) | 1 line
Modify iked to log the port address when handling pfkey messages.
------------------------------------------------------------------------
r779 | mgrooms | 2006-11-14 18:29:06 +0000 (Tue, 14 Nov 2006) | 1 line
Modify iked to include the tunnel mode when logging the getspi request
sent to pfkey.
------------------------------------------------------------------------
r778 | mgrooms | 2006-11-14 00:58:31 +0000 (Tue, 14 Nov 2006) | 1 line
Modify iked to fix a typo that swapped the local and remote natt floated
ports. While here, employ a life state flag to ensure that ports are
only floated once for a given peer tunnel.
------------------------------------------------------------------------
r777 | mgrooms | 2006-11-13 21:04:45 +0000 (Mon, 13 Nov 2006) | 1 line
Modify iked to properly detect floating ports when acting as a
responder.
------------------------------------------------------------------------
r776 | mgrooms | 2006-11-13 20:33:22 +0000 (Mon, 13 Nov 2006) | 1 line
Modify iked to correct some issues with natt negotiation. Match the sa
by the cookies before matching the peer and tunnel definitions when
acting as a responder. Also, when natt is discovered switch the peer
port to the configured natt port when acting as an initiator.
------------------------------------------------------------------------
r775 | mgrooms | 2006-11-13 19:23:00 +0000 (Mon, 13 Nov 2006) | 1 line
Make sure we specify the natt port in network byte order before sending
from ipsecc to iked.
------------------------------------------------------------------------
r774 | mgrooms | 2006-11-13 19:19:02 +0000 (Mon, 13 Nov 2006) | 1 line
Modify iked to correctly use natt as an initiator or responder. We now
check the natt payloads at the end of the recv function instead of at
the end of the send function. This allows us to operate normally when
acting as a responder in aggressive mode.
------------------------------------------------------------------------
r773 | mgrooms | 2006-11-13 17:55:10 +0000 (Mon, 13 Nov 2006) | 1 line
Modify iked to centralize some natt related work.
------------------------------------------------------------------------
r772 | mgrooms | 2006-11-12 15:40:11 +0000 (Sun, 12 Nov 2006) | 1 line
Modify the top level unix makefile to not create the prefix/lib/iked
directory. It is no longer used.
------------------------------------------------------------------------
r771 | mgrooms | 2006-11-12 15:38:54 +0000 (Sun, 12 Nov 2006) | 1 line
Modify the unix make files to install the reusable dependency libraries
in our default prefix/lib and statically link to the others. The
prefix/lib/iked directory is no longer required.
------------------------------------------------------------------------
r770 | mgrooms | 2006-11-12 14:52:22 +0000 (Sun, 12 Nov 2006) | 1 line
Move some ipsec configuration constants into ike.h so they are visible
to the client app. This concludes all the changes required to build the
applicable project components on Win32, FreeBSD and NetBSD from the same
source tree. The unix build system is very rudimentary and will likely
need to be auto-tooled before the project can be cleanly ported to other
platforms such as Linux.
------------------------------------------------------------------------
r769 | mgrooms | 2006-11-12 14:37:56 +0000 (Sun, 12 Nov 2006) | 1 line
Modify a few header files to get the FreeBSD build working again.
------------------------------------------------------------------------
r768 | mgrooms | 2006-11-12 14:26:54 +0000 (Sun, 12 Nov 2006) | 1 line
Various cleanups to silence warnings using gcc 3.x builds. Minor
modifications to some make and header files to allow for compilation on
NetBSD.
------------------------------------------------------------------------
r767 | mgrooms | 2006-11-12 13:43:46 +0000 (Sun, 12 Nov 2006) | 1 line
Update project include directories for win32.
------------------------------------------------------------------------
r766 | mgrooms | 2006-11-12 13:41:33 +0000 (Sun, 12 Nov 2006) | 1 line
Remove compat entry from iked unix makefile.
------------------------------------------------------------------------
r765 | mgrooms | 2006-11-12 13:32:22 +0000 (Sun, 12 Nov 2006) | 1 line
Introduce a new directory called compat. Remove the compat.cpp file from
the iked project.
------------------------------------------------------------------------
r764 | mgrooms | 2006-11-12 13:01:27 +0000 (Sun, 12 Nov 2006) | 1 line
Update the main unix makefile to be more portable ( hopefully ) and
remove some binaries that should never have been committed.
------------------------------------------------------------------------
r763 | mgrooms | 2006-11-12 12:59:06 +0000 (Sun, 12 Nov 2006) | 1 line
Modify libvnet makefile to include a missing header include directory.
------------------------------------------------------------------------
r762 | mgrooms | 2006-11-12 12:45:41 +0000 (Sun, 12 Nov 2006) | 1 line
Cleanup some function and variable definitions in libpfk to avoid
compiler warnings.
------------------------------------------------------------------------
r761 | mgrooms | 2006-11-12 12:31:28 +0000 (Sun, 12 Nov 2006) | 1 line
Add some missing unix specific files to the source repository.
------------------------------------------------------------------------
r760 | mgrooms | 2006-11-11 15:58:10 +0000 (Sat, 11 Nov 2006) | 3 lines
Modify ipsecd to utilize a halt event for sas that do not reach maturity
before a specified time period.
Modify ipsecd to send a new acquire message to the ike daemon so that a
replacement sa will be negotiated when an outbound packet only matches
an sa in a dying state.
------------------------------------------------------------------------
r759 | mgrooms | 2006-11-09 21:27:19 +0000 (Thu, 09 Nov 2006) | 1 line
Modify libpfki, iked and ipsecd to handle sa delete messages. The ike
daemon will now submit delete messages when appropriate.
------------------------------------------------------------------------
r758 | mgrooms | 2006-11-09 19:25:13 +0000 (Thu, 09 Nov 2006) | 1 line
Fix a minor bug in iked that was causing anonymous peer configurations
to be skipped.
------------------------------------------------------------------------
r757 | mgrooms | 2006-11-09 19:20:45 +0000 (Thu, 09 Nov 2006) | 3 lines
Modify iked to handle socket addresses correctly when matching defined
peer and tunnel addresses. Some helper functions have been added to
handle socket address comparison with optional port value comparison.
Also, make sure we don't copy the port values from a tunnel peer address
to a policy being generated.
Modify ipsecd to use a timer interface to handle soft and hard sa life
timeout events. Fix a bug that was causing issues on win32 where the
pfki interface was attempting to close a pipe handle that was already
closed.
------------------------------------------------------------------------
r756 | mgrooms | 2006-11-07 18:19:06 +0000 (Tue, 07 Nov 2006) | 1 line
Modify libpfki to return a failure when the socket descriptor is set to
the initial invalid value.
------------------------------------------------------------------------
r755 | mgrooms | 2006-11-07 18:15:09 +0000 (Tue, 07 Nov 2006) | 3 lines
Modify iked to re-open and re-register with the pfkey interface in the
event that it was closed.
Modify libpfki to return a failure error status when a named pipe is
closed on win32.
------------------------------------------------------------------------
r754 | mgrooms | 2006-11-07 17:48:15 +0000 (Tue, 07 Nov 2006) | 1 line
Modify iked to not leak a reference count when its soft lifetime event
is triggered.
------------------------------------------------------------------------
r753 | mgrooms | 2006-11-07 17:38:44 +0000 (Tue, 07 Nov 2006) | 3 lines
Modify iked by splitting gen_peerid into gen_peerid_l and gen_peerid_r
to correct a bad logic assumption.
Modify ipsecd in an attempt to correct some bad sa selection logic. This
still isn't working quite right yet.
------------------------------------------------------------------------
r752 | mgrooms | 2006-11-05 17:37:27 +0000 (Sun, 05 Nov 2006) | 5 lines
Modify iked to generate sas using the correct spi value for the
direction. Before this commit, the inbound / outbound values were being
reversed.
Modify iked to ensure the arp cache is being flushed when a tunnel is
removed.
Rework ipsecd packet processing functions to work correctly with the new
sa and sp databases. This will need a bit more attention but seems to
work well for now.
------------------------------------------------------------------------
r751 | mgrooms | 2006-11-04 17:59:50 +0000 (Sat, 04 Nov 2006) | 5 lines
Modify libpfki to send and receive policy delete messages as well as
send sa acquire messages.
Modify iked to generate a policy list based on the remote id list via
pfki when acting as a client. When the tunnel is removed, remove the
policy list via pfki. We still need to build affinity between policies
and security associations so that they can be removed along with the
policies.
Modify ipsecd to handle pfkey policy delete messages. Rework arp
spoofing and the outbound packet processing to the point where acquire
messages are submitted to a list of active pfkey listeners.
------------------------------------------------------------------------
r750 | mgrooms | 2006-11-04 11:49:46 +0000 (Sat, 04 Nov 2006) | 1 line
Modify ipsecd to manage routes and vflt rules when a policy is added or
removed via the pfkey interface. We support ipsec and bypass policy
types. The ipsec type is used to define ip security processing. The
bypass type is used to define security processing exclusions. This will
be useful when iked is configured to use the split exclude mode of
operation.
------------------------------------------------------------------------
r749 | mgrooms | 2006-11-04 00:26:39 +0000 (Sat, 04 Nov 2006) | 1 line
Modify ipsecd to allow for policies to be created via the pfkey
interface. The policy is first checked, assigned a policy number and
then added to spd. The logging will need to be improved for this
process.
------------------------------------------------------------------------
r748 | mgrooms | 2006-11-03 19:58:02 +0000 (Fri, 03 Nov 2006) | 1 line
Modify iked to use the correct parameters for generating a security
policy in our admin io thread. Remove some debug test code from iked
related to security policy generation.
------------------------------------------------------------------------
r747 | mgrooms | 2006-11-03 19:31:33 +0000 (Fri, 03 Nov 2006) | 1 line
Modify libpfki to hopefully correct the add policy issue.
------------------------------------------------------------------------
r746 | mgrooms | 2006-11-03 19:16:31 +0000 (Fri, 03 Nov 2006) | 1 line
Modify libpfki to support adding security policies. It's not quite
working yet.
------------------------------------------------------------------------
r745 | mgrooms | 2006-11-03 16:13:15 +0000 (Fri, 03 Nov 2006) | 1 line
Modify libpfki to simplify the read policy function.
------------------------------------------------------------------------
r744 | mgrooms | 2006-11-03 15:28:22 +0000 (Fri, 03 Nov 2006) | 1 line
Correct some erroneous debug output in iked and modify the way we
calculate the lifetime soft expiration value.
------------------------------------------------------------------------
r743 | mgrooms | 2006-11-03 14:34:50 +0000 (Fri, 03 Nov 2006) | 3 lines
Modify iked to improve some pfkey related debug output.
Modify ipsecd to handle getspi and update messages. The sa is now
created and stored in spd and updated properly.
------------------------------------------------------------------------
r742 | mgrooms | 2006-11-02 19:19:08 +0000 (Thu, 02 Nov 2006) | 1 line
Modify iked to send the correct vendor payloads when acting as a
responder. Also, make sure we setup the dh group early enough when
aggressive mode is used.
------------------------------------------------------------------------
r741 | mgrooms | 2006-11-02 18:04:40 +0000 (Thu, 02 Nov 2006) | 1 line
Modify iked to move the phase1 initial packet code into process_ike_send
where it belongs. Also improve the log output when sending notification
or delete messages.
------------------------------------------------------------------------
r740 | mgrooms | 2006-11-02 17:11:46 +0000 (Thu, 02 Nov 2006) | 1 line
Two minor fixes for iked that didn't show up on the win32 build.
------------------------------------------------------------------------
r739 | mgrooms | 2006-11-02 17:07:34 +0000 (Thu, 02 Nov 2006) | 3 lines
Simplify a portion of the internal state machine. The life state bit
flags have been decreased from 10 to 6. This was mostly possible due to
replacing the object sweep model with the new timer event model.
Modify iked reference counting and locking. Some problems were
identified with the previous locking strategy. It was possible for
several consumers to decrement a reference count multiple times in an
attempt to remove an object. This was bad for obvious reasons and is no
longer allowed. The delete life state flag is now used to hint that an
object should be deleted when its reference count reaches zero. Several
assertions have been added to catch any future attempt to decrease a
reference count to a negative value.
------------------------------------------------------------------------
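The locking model r739 describes, as an added example that is not the project's code: every consumer holds exactly one reference, nobody decrements more than it holds, and a "delete" life-state flag is the only way to request removal, so the object is freed by whichever consumer drops the last reference on a flagged object. The class name IDB_EXAMPLE and the flag value are assumptions; the project's own identifiers are not shown here.

```cpp
#include <cassert>
#include <mutex>

// Added example, not the project's code: reference counting with a
// delete hint. Names and flag values are assumptions.
enum : unsigned { LSTATE_DELETE = 0x0001 };

class IDB_EXAMPLE {
public:
    IDB_EXAMPLE() : refcount(1), lstate(0) {}   // creator holds one reference

    // Each consumer takes exactly one reference before using the object.
    void inc() {
        std::lock_guard<std::mutex> g(lock);
        ++refcount;
    }

    // Release the caller's single reference. A consumer that wants the
    // object gone sets the delete hint rather than decrementing extra
    // times. Returns true only when the last reference is dropped on a
    // flagged object, the one moment the caller may free it.
    bool dec(bool hint_delete) {
        std::lock_guard<std::mutex> g(lock);
        assert(refcount > 0 && "dec() would drive the reference count negative");
        if (hint_delete)
            lstate |= LSTATE_DELETE;
        --refcount;
        return refcount == 0 && (lstate & LSTATE_DELETE) != 0;
    }

    long refs() const { return refcount; }
    bool flagged() const { return (lstate & LSTATE_DELETE) != 0; }

private:
    std::mutex lock;
    long refcount;
    unsigned lstate;
};

// The situation the message calls out: two consumers each hold one
// reference and both ask for removal. Returns how many dec() calls
// reported "free me"; exactly one must, and no count goes negative.
int remove_from_two_consumers() {
    IDB_EXAMPLE obj;   // reference 1: creator
    obj.inc();         // reference 2: second consumer
    int freed = 0;
    if (obj.dec(true)) ++freed;   // consumer A: count 1, flagged, still alive
    if (obj.dec(true)) ++freed;   // consumer B: count 0 and flagged, free now
    return freed;
}

// Reaching zero without the hint is not a free request in this model;
// the object stays until an owner flags it for deletion.
bool plain_release_does_not_free() {
    IDB_EXAMPLE obj;
    obj.inc();
    bool a = obj.dec(false);      // count 1, no flag
    bool b = obj.dec(false);      // count 0, no flag: not "free me"
    return !a && !b && obj.refs() == 0 && !obj.flagged();
}
```

The assertion in dec() is the cheap guard the message mentions: a second decrement by a consumer that already released its reference is a use-after-free in waiting, and catching the underflow at the counter is far easier than finding it from a corrupted heap later.
------------------------------------------------------------------------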
r738 | mgrooms | 2006-11-02 11:15:16 +0000 (Thu, 02 Nov 2006) | 1 line
Implement unix specific functions for libith timer class.
------------------------------------------------------------------------
r737 | mgrooms | 2006-11-02 10:45:49 +0000 (Thu, 02 Nov 2006) | 3 lines
Add two new classes to libith named ITH_EVENT and ITH_TIMER. The timer
class tracks events stored in sorted order to provide a generic delayed
event callback facility with a configurable timed resolution. This class
is only fully implemented on win32. The missing unix components will be
added shortly.
Use the new timer and event classes to replace the sweep method
currently used to track dpd and sa timeout events in iked. Not only is
this more efficient, but the event time resolution has increased from
the nearest rounded second to around 1/10th of a second. Packet resend
events are still handled using the old sweep method but will eventually
be converted to the new event model as well.
------------------------------------------------------------------------
r736 | mgrooms | 2006-10-30 17:55:13 +0000 (Mon, 30 Oct 2006) | 1 line
Make sure the correct protocol is being specified when sending delete
notifications in iked.
------------------------------------------------------------------------
r735 | mgrooms | 2006-10-30 17:50:30 +0000 (Mon, 30 Oct 2006) | 1 line
Make sure the phase2 sa lifetime is initialized.
------------------------------------------------------------------------
r734 | mgrooms | 2006-10-30 17:43:45 +0000 (Mon, 30 Oct 2006) | 1 line
Correct a reference counting bug in the iked pfkey acquire handler.
------------------------------------------------------------------------
r733 | mgrooms | 2006-10-30 17:32:19 +0000 (Mon, 30 Oct 2006) | 3 lines
Make sure a config object is released when modecfg is not required.
Make sure the correct life state flag is being applied to an sa when a
valid delete message is received.
------------------------------------------------------------------------
r732 | mgrooms | 2006-10-30 16:51:48 +0000 (Mon, 30 Oct 2006) | 1 line
Make sure the send / cleanup function runs once a second and admin
attachments are processed in the main thread context for iked.
------------------------------------------------------------------------
r731 | mgrooms | 2006-10-30 16:33:11 +0000 (Mon, 30 Oct 2006) | 3 lines
Move ike db list wrapper classes into their own file.
Rework isakmp notification support to work with bundled SAs.
------------------------------------------------------------------------
r730 | mgrooms | 2006-10-30 11:37:30 +0000 (Mon, 30 Oct 2006) | 1 line
Do a bit of header file cleanup and make sure the private key is freed
when a peer config object is destroyed.
------------------------------------------------------------------------
r729 | mgrooms | 2006-10-30 11:15:39 +0000 (Mon, 30 Oct 2006) | 1 line
Cleanup ike header file and add copyright and license to all files.
------------------------------------------------------------------------
r728 | mgrooms | 2006-10-29 19:58:45 +0000 (Sun, 29 Oct 2006) | 1 line
Modify libpfki and iked to only send sa2 extensions during an add not an
update.
------------------------------------------------------------------------
r727 | mgrooms | 2006-10-29 19:42:23 +0000 (Sun, 29 Oct 2006) | 1 line
Rename PFKI policy struct to spinfo. This is just a cosmetic change to
match the sainfo struct.
------------------------------------------------------------------------
r726 | mgrooms | 2006-10-29 19:14:14 +0000 (Sun, 29 Oct 2006) | 1 line
Update our sockaddr copy utility function to take into account the
socket length field on unix.
------------------------------------------------------------------------
r725 | mgrooms | 2006-10-29 18:19:42 +0000 (Sun, 29 Oct 2006) | 1 line
Update some log output in iked pfkey functions.
------------------------------------------------------------------------
r724 | mgrooms | 2006-10-29 17:58:55 +0000 (Sun, 29 Oct 2006) | 3 lines
Add two new functions to copy and compare socket addresses.
Modify iked to correctly respond to a phase1 initiator. This was broken
in the last commit.
------------------------------------------------------------------------
r723 | mgrooms | 2006-10-29 14:49:26 +0000 (Sun, 29 Oct 2006) | 1 line
Fix a bug that was preventing tunnel addresses from being assigned
correctly.
------------------------------------------------------------------------
r722 | mgrooms | 2006-10-29 14:40:50 +0000 (Sun, 29 Oct 2006) | 3 lines
Move some configuration members out of the tunnel object and into the
peer config object. The parameters are not unique to a particular peer
tunnel.
Update the iked unix make file to include a file added in the last
commit.
------------------------------------------------------------------------
r721 | mgrooms | 2006-10-29 14:09:19 +0000 (Sun, 29 Oct 2006) | 3 lines
Modify iked to un-bundle the peer configuration from the tunnel object.
The tunnel object now references a persistent peer config object that is
assigned when the tunnel is created. Reference counting is used to track
the usage of the peer config object by a number of tunnel objects. This
model is required for the stand alone iked configuration.
Move the address definitions out of the exchange objects and back into
the referenced tunnel object. This removes unnecessary duplication of
this information.
------------------------------------------------------------------------
r720 | mgrooms | 2006-10-29 10:23:03 +0000 (Sun, 29 Oct 2006) | 3 lines
Modify the libiked interface library to use return error codes instead
of boolean return codes. Update ipsecc and iked to follow these changes.
Modify iked to handle all message logic in the pfkey member functions
instead of the message receive loop.
------------------------------------------------------------------------
r719 | mgrooms | 2006-10-28 20:54:12 +0000 (Sat, 28 Oct 2006) | 1 line
Modify some unix specific pfki functions to match changes made in the
last commit.
------------------------------------------------------------------------
r718 | mgrooms | 2006-10-28 20:48:13 +0000 (Sat, 28 Oct 2006) | 1 line
Modify some iked responder parameter checking in phase2 and move it all
into a separate function. Correct id ordering issues when acting as a
responder.
------------------------------------------------------------------------
r717 | mgrooms | 2006-10-28 11:52:06 +0000 (Sat, 28 Oct 2006) | 1 line
Update libpfki to handle spi ranges in host byte order and spi values in
network byte order. The ike daemon can now establish phase2 on unix with
bundled proposals and install the correct bundled SAs using the pfkey
interface. We still need to implement the remaining pfkey message types.
------------------------------------------------------------------------
r716 | mgrooms | 2006-10-28 10:36:58 +0000 (Sat, 28 Oct 2006) | 1 line
Improve log output for phase2 id checking.
------------------------------------------------------------------------
r715 | mgrooms | 2006-10-27 17:28:10 +0000 (Fri, 27 Oct 2006) | 3 lines
Add rfc 2367 to our internal documents for reference.
Add a sequence number member to the iked phase2 class so it can be
associated with sadb messages. Attempt to always use getspi and update
messages even when creating inbound sas.
------------------------------------------------------------------------
r714 | mgrooms | 2006-10-27 15:04:19 +0000 (Fri, 27 Oct 2006) | 1 line
Really make sure we include the reqid when sending a getspi request to
pfkey.
------------------------------------------------------------------------
r713 | mgrooms | 2006-10-27 15:00:58 +0000 (Fri, 27 Oct 2006) | 1 line
Make sure we include the reqid when sending a getspi request to pfkey.
------------------------------------------------------------------------
r712 | mgrooms | 2006-10-27 14:55:35 +0000 (Fri, 27 Oct 2006) | 1 line
Update iked unix makefile and perform some whitespace cleanup.
------------------------------------------------------------------------
r711 | mgrooms | 2006-10-27 14:50:45 +0000 (Fri, 27 Oct 2006) | 3 lines
Add a new file for iked that contains some policy related utility
functions. Modify the policy match function to allow the policy id,
source and destination addresses to be considered. Update the pfkey
handlers to take advantage of these changes and to improve some log
output.
Make sure iked only selects inbound and outbound policies that have an
identical transform list for use when negotiating an SA.
------------------------------------------------------------------------
r710 | mgrooms | 2006-10-27 11:31:27 +0000 (Fri, 27 Oct 2006) | 3 lines
Implement sa add and update messages in libpfki and iked. At the moment,
unique SAs do not associate themselves with the appropriate request id.
This requires some updates to the phase2 and policy handlers which will
be added shortly.
Fix a bug in the generic list implementation that caused an invalid
pointer to be returned when the caller provided a negative item index.
------------------------------------------------------------------------
r709 | mgrooms | 2006-10-26 12:02:11 +0000 (Thu, 26 Oct 2006) | 7 lines
More work on the pfkey interface. Make sure iked uses the pfkey
interface to acquire spis in all instances. Make iked match an inbound
and outbound policy before proceeding to negotiate an ipsec sa. Add the
ability to allocate spis to the ipsecd pfkey interface. Add a rough
implementation for handling an sa update via iked and libpfki.
Modify the libpfk and libiked to use overlapped io. This decreases
latency on win32 for these message interfaces. Some of this is kind of
ugly but it can't be helped as windows offers no facility to wait for
data to arrive on a named pipe without reading data from the pipe ( like
select on socket ).
Rename the ike admin interface class from ipseci to ikei. Update iked
and ipsecc to follow the changes.
Convert ipsecd to use the libith functions for thread and mutex
abstraction.
------------------------------------------------------------------------
r708 | mgrooms | 2006-10-24 17:34:16 +0000 (Tue, 24 Oct 2006) | 1 line
Catch the unix make files up with the recent changes. Fix a minor bug in
libpfk that was causing policy entries to be read incorrectly.
------------------------------------------------------------------------
r707 | mgrooms | 2006-10-24 16:55:06 +0000 (Tue, 24 Oct 2006) | 1 line
Continue iked and ipsecd separation work. Move the peer and client
configuration typedefs from the ipsec header to ike header. Move the
policy and security association configuration typedefs from the ipsec to
the libpfki header. Modify the policy typedef so it only relies on
internal types. Break ipsecd down into a basic shell project that
compiles. All packet processing functionality will be re-enabled after
the pfkey interface has been completed.
------------------------------------------------------------------------
r706 | mgrooms | 2006-10-24 12:31:14 +0000 (Tue, 24 Oct 2006) | 1 line
Remove IKE related functions from ipsecd. A good amount of cleanup is
still required.
------------------------------------------------------------------------
r705 | mgrooms | 2006-10-24 11:57:42 +0000 (Tue, 24 Oct 2006) | 1 line
Ongoing work in iked. Split phase1 and phase2 handlers into send and
receive. This mostly helps phase2 as we require a trip through pfkey to
acquire spis before we perform the send operation. Modify phase2 key
creation to support bundled SAs. Notify and delete exchange handling is
now broken and will need to be resurrected after the iked / ipsecd split
has been completed. The ike daemon is stand alone but ipsecd is still
integrated and requires a pfkey interface. Completing these changes is
next on the list.
------------------------------------------------------------------------
r704 | mgrooms | 2006-10-23 19:50:50 +0000 (Mon, 23 Oct 2006) | 1 line
Correctly handle negotiation of bundled proposals.
------------------------------------------------------------------------
r703 | mgrooms | 2006-10-23 09:59:01 +0000 (Mon, 23 Oct 2006) | 5 lines
Start to replace the ipv4 specific data types with IKE_SADDR which opens
up a path toward ipv6 compatibility. Providing ipv6 support is not a
high priority at the moment but will hopefully be supported in iked
before a 2.0 release.
Perform some heavy work in the pfkey area of iked. We are now able to
dump and read SPD, handle a SAD acquire and obtain SPIs on the unix
platform. After this support has been completed on unix, we will
implement pfkey support in ipsecd and finalize the iked/ipsecd
separation.
------------------------------------------------------------------------
r702 | mgrooms | 2006-10-18 14:33:49 +0000 (Wed, 18 Oct 2006) | 1 line
Sort out some internal class naming and header files. Mostly this
included renaming the SDB objects to IDB and un-polluting our ike
related header files.
------------------------------------------------------------------------
r701 | mgrooms | 2006-10-18 13:43:20 +0000 (Wed, 18 Oct 2006) | 1 line
Remove an unused header file from the ipsecd project.
------------------------------------------------------------------------
r700 | mgrooms | 2006-10-18 13:42:16 +0000 (Wed, 18 Oct 2006) | 1 line
Add our new pfkey library which is a work in progress. At the moment, it
only has decode support for a few message types in the unix environment.
------------------------------------------------------------------------
r699 | mgrooms | 2006-10-14 15:18:28 +0000 (Sat, 14 Oct 2006) | 3 lines
Modify some debug output for phase1 to catch up to the anonymous peer
support added in the last commit.
Add a new process thread to handle pfkey messages.
------------------------------------------------------------------------
r698 | mgrooms | 2006-10-14 13:47:42 +0000 (Sat, 14 Oct 2006) | 1 line
Second part of previous commit.
------------------------------------------------------------------------
r697 | mgrooms | 2006-10-14 13:47:12 +0000 (Sat, 14 Oct 2006) | 6 lines
Add a basic implementation of libvflt for the unix platform. This gets
iked communicating and can now successfully complete phase1
negotiations.
Modify the isakmp handlers to support anonymous peer configurations.
Modify the iked and support libraries to use our new thread and mutex
abstraction library.
------------------------------------------------------------------------
r696 | mgrooms | 2006-10-13 12:44:37 +0000 (Fri, 13 Oct 2006) | 1 line
Add missing libvflt unix file to the repository.
------------------------------------------------------------------------
r695 | mgrooms | 2006-10-12 20:19:11 +0000 (Thu, 12 Oct 2006) | 1 line
Build fixes for win32 related to openssl version differences.
------------------------------------------------------------------------
r694 | mgrooms | 2006-10-12 20:18:17 +0000 (Thu, 12 Oct 2006) | 1 line
Add a missing makefile for iked. This completes the initial framework
port of iked to unix. The application now compiles and runs on FreeBSD
but is missing some important os support due to stubbed out functions
and libraries.
------------------------------------------------------------------------
r693 | mgrooms | 2006-10-12 20:10:00 +0000 (Thu, 12 Oct 2006) | 1 line
------------------------------------------------------------------------
r692 | mgrooms | 2006-10-12 15:15:48 +0000 (Thu, 12 Oct 2006) | 1 line
Update some make files and rename the ipseci project to libiked.
------------------------------------------------------------------------
r691 | mgrooms | 2006-10-12 13:47:02 +0000 (Thu, 12 Oct 2006) | 1 line
Modify liblog, libvflt and libvnet to build on unix. Both libvflt and
libvnet are mostly stubbed out.
------------------------------------------------------------------------
r690 | mgrooms | 2006-10-12 12:13:21 +0000 (Thu, 12 Oct 2006) | 3 lines
Begin to port the project to unix with our target platform being
FreeBSD. Add a unix specific build directory and a set of simplistic
makefiles.
Modify libip to build on unix. At the moment, the iproute class is
stubbed out. The first priority is to get iked working and iproute is
only used by ipsecd.
------------------------------------------------------------------------
r689 | mgrooms | 2006-10-12 11:32:14 +0000 (Thu, 12 Oct 2006) | 1 line
Add missing ipsecd cpp file.
------------------------------------------------------------------------
r688 | mgrooms | 2006-10-12 09:53:44 +0000 (Thu, 12 Oct 2006) | 1 line
Initial separation of iked from ipsecd. Split out all ike related
functions and place them in a new project. Although this project builds
and executes, the pfkey interface components are missing so it is
unusable. The ipsecd project still contains the embedded ike
implementation so it is still functional. The new iked project will be
used to experiment with pfkey support so that a mature interface can be
grown between iked and ipsecd. When this is complete, the embedded ike
implementation will be removed from ipsecd.
------------------------------------------------------------------------
r687 | mgrooms | 2006-10-10 09:31:58 +0000 (Tue, 10 Oct 2006) | 1 line
Remove some unused openssl files from the repository.
------------------------------------------------------------------------
r686 | mgrooms | 2006-10-10 09:28:08 +0000 (Tue, 10 Oct 2006) | 3 lines
Update the internal build version of openssl to 0.9.8d.
Perform some cleanup in ipsecd related to the admin interface. Remove
some data members from the tunnel class which should be local to the
admin thread. Perform some minor complementary cleanup in ipseci as
well.
------------------------------------------------------------------------
r685 | mgrooms | 2006-10-09 09:11:13 +0000 (Mon, 09 Oct 2006) | 1 line
Add new ipsect files missed in the last commit.
------------------------------------------------------------------------
r684 | mgrooms | 2006-10-09 09:10:28 +0000 (Mon, 09 Oct 2006) | 9 lines
Modify vflt rule processing to be last match with a quick modifier. This
is a concept borrowed from ipf and pf. Add a hackish but necessary
optimization that allows vflt to distinguish between NATT IKE or ESP
packet using a rule flag modifier. Modify ipsecd to take advantage of
these changes.
Modify vflt to allow the rule set to be obtained through the userland
interface. Add the ability to view the active vflt rule set in ipsect.
Not only is this fun to watch, it's also a very useful tool to help track
down problems as it shows rule hit counts being updated in real time.
There is some annoying window flicker that needs to be sorted out before
the 2.0 release. We probably need to import /etc/services and
/etc/protocol from one of the BSDs to use for the rule decode output
instead of only covering a very small subset.
Add the "no modecfg netmask" workaround that was committed to stable
after a branch but never made it into head.
Fix client status updates. This was broken in the last commit.
Fix DNS proxy packet loop that was introduced a few commits ago.
------------------------------------------------------------------------
r683 | mgrooms | 2006-10-06 19:59:40 +0000 (Fri, 06 Oct 2006) | 1 line
Add file missed in the last commit.
------------------------------------------------------------------------
r682 | mgrooms | 2006-10-06 19:49:56 +0000 (Fri, 06 Oct 2006) | 3 lines
Modify the internal ike, ipsec and admin interfaces to run in separate
execution contexts and use unique network interfaces. There are now two
individual threads that handle ike processing and ipsec processing
respectively. Both threads have their own vflt interface which has
increased performance and lowered latency to almost zero. Since ipsec
processing for all tunnels is handled in a central location, there is
no longer a need for the client receive thread. The client control
interface will be reinvented as a generic administrative interface that
can be used to interact with the ike system. This brings us much closer
to the goal of separating the ipsec and ike into two programs that
communicate via a pfkey-like interface.
The policy system was also modified to be a first class citizen of sdb.
Policies now reside in the security database, use reference counting and
are tied to the tunnel configuration much like the exchange handlers.
This change was made primarily to make the subsystem more easily
accessible to the admin interface once it has been rewritten.
------------------------------------------------------------------------
r681 | mgrooms | 2006-10-06 10:16:44 +0000 (Fri, 06 Oct 2006) | 1 line
Rearrange some files and their contents in preparation for the ipsec
network io and administrative io split.
------------------------------------------------------------------------
r680 | mgrooms | 2006-10-06 00:51:13 +0000 (Fri, 06 Oct 2006) | 5 lines
Rework packet resend queues. Add a generic ip packet queue class to
libip. Use this to implement multi packet resends for the different
isakmp handlers.
Do a bit more cleanup in the config handlers. A Cisco ASA device will
retransmit certain packet exchanges until the first IPSEC SA has been
established. Don't choke on these resent packets.
Modify the proposal selection process a bit. Cisco violates the RFC by
not returning the proper proposal and transform numbers when acting as
a responder. Instead of failing the negotiation, log the error and
continue.
------------------------------------------------------------------------
r679 | mgrooms | 2006-10-05 14:12:12 +0000 (Thu, 05 Oct 2006) | 1 line
Correct processing of returned DNS proxy packets.
------------------------------------------------------------------------
r678 | mgrooms | 2006-10-05 13:11:19 +0000 (Thu, 05 Oct 2006) | 1 line
Rewrite the IPSEC packet processing code to operate as the IP Security
Architecture RFC suggests. Before, our stack was special cased for
ESP/tunnel or ESP/udp-tunnel. Now we support AH,ESP and IPCOMP in either
transport, tunnel or udp-tunnel mode. Unfortunately, open source support
for IPCOMP appears to be in a state of severe disarray. Although I am
99.9% certain my implementation is correct, I can't get it to
inter-operate with any BSD IPSEC stack. The Linux stack has been
reported to work but I can't get racoon to successfully install a valid
SA pair for IPCOMP deflate. This is a bit disappointing as support for
IPCOMP was the impetus for rewriting the proposal, policy and IPSEC
packet processing code.
------------------------------------------------------------------------
r677 | mgrooms | 2006-10-02 15:20:00 +0000 (Mon, 02 Oct 2006) | 3 lines
Update our internal docs to include hybrid-auth-05 and xauth-06 as they
are the latest drafts. It took a bit of digging to find them but they
appear to be the latest versions.
Stop exporting unnecessary internal ipsecd structures via the ipseci
interface. It's a lot better than it was but still needs to be reworked
in a future release.
------------------------------------------------------------------------
r676 | mgrooms | 2006-10-02 11:08:58 +0000 (Mon, 02 Oct 2006) | 1 line
Add the new policy source code file missed in the last commit.
------------------------------------------------------------------------
r675 | mgrooms | 2006-10-02 11:07:54 +0000 (Mon, 02 Oct 2006) | 5 lines
Rewrite the policy management code. After the IP security processing
code has been rewritten, ipsecd will be fully capable of acting as an
ipsec gateway. Exposing write access to the policy db via a named pipe
is not such a good idea. Policies are no longer defined and injected
directly by the client. Instead, a remote id list is either passed by
the client or obtained via modecfg. Client policies are generated
dynamically by ipsecd using the determined client address and the remote
id list after phase1 completes.
Reorganize some files and their contents. Move the proposal matching
code in with the other proposal functions. Remove the phase1 matching
function and move the logic into the phase1 handler as it was the only
consumer. Make the id match and address conversion member functions
stand alone c functions so they can be used outside of the ipsecd class.
Move all network helper code into a single file.
Fix a problem with ipsec that was trashing the call stack due to using
an uninitialized variable.
------------------------------------------------------------------------
r674 | mgrooms | 2006-10-01 15:10:08 +0000 (Sun, 01 Oct 2006) | 1 line
Review all exchange handler logic and make them more uniform. Some
problems were corrected with phase1 due to late initialization of sa
parameters. The case where a notification is desired due to a problem
decoding a isakmp packet was simplified greatly. The phase2, config and
inform handlers were cleaned up considerably. The notify and delete
handlers grew the ability to log but take action for messages not
protected by a mature phase1 sa.
------------------------------------------------------------------------
r673 | mgrooms | 2006-09-30 23:40:35 +0000 (Sat, 30 Sep 2006) | 1 line
Trash some source files that are no longer used.
------------------------------------------------------------------------
r672 | mgrooms | 2006-09-30 23:38:38 +0000 (Sat, 30 Sep 2006) | 1 line
Reorganize some more filenames and their contents.
------------------------------------------------------------------------
r671 | mgrooms | 2006-09-30 23:23:28 +0000 (Sat, 30 Sep 2006) | 1 line
Reorganize some filenames and their contents.
------------------------------------------------------------------------
r670 | mgrooms | 2006-09-30 23:13:22 +0000 (Sat, 30 Sep 2006) | 1 line
Rename some files.
------------------------------------------------------------------------
r669 | mgrooms | 2006-09-30 21:22:32 +0000 (Sat, 30 Sep 2006) | 5 lines
Resolve a few issues related to NATT discovery. When in main mode, make
sure we send NAT discovery payloads even when we have already detected a
translation. When in aggressive mode using RSA or RSA+XAUTH, make sure
we perform translation detection.
Modify ipsect to only update the log output window after a batch of text
has been inserted as opposed to after every line. Also increase the read
buffer size from 8 to 32 kb. This speeds things up considerably.
Cleanup some code that was causing the tunnel to not be removed properly
because of dangling references caused by failures during phase2 and
config exchange processing.
------------------------------------------------------------------------
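The NAT discovery the r669 entry above refers to is the RFC 3947 NAT-D exchange: each side sends HASH(CKY-I | CKY-R | IP | Port) for the address it sees the peer at and for each of its own addresses, and the receiver compares those digests with hashes it computes from its own view of the packet. The following is an added example written for this page, not code from this project or from mgrooms; the addresses, cookies and the `example_detection` scenario are constructed, and the payloads are always built, including when a translation was already detected.

```python
import hashlib
import socket
import struct
from typing import List, Tuple


def natd_hash(hash_name: str, cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), computed
    with the negotiated phase 1 hash (a hashlib name such as "sha1" or "md5").
    IP is 4 bytes in network order, Port is 2 bytes in network order."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def build_natd_payloads(hash_name: str, cky_i: bytes, cky_r: bytes,
                        dst_ip: str, dst_port: int,
                        local_addrs: List[Tuple[str, int]]) -> List[bytes]:
    """Payloads we send: first the peer's address as we see it (the packet's
    destination), then one payload per local address. They are built
    unconditionally, i.e. also when a translation was detected earlier."""
    payloads = [natd_hash(hash_name, cky_i, cky_r, dst_ip, dst_port)]
    for ip, port in local_addrs:
        payloads.append(natd_hash(hash_name, cky_i, cky_r, ip, port))
    return payloads


def detect_nat(hash_name: str, cky_i: bytes, cky_r: bytes,
               local_ip: str, local_port: int,
               pkt_src_ip: str, pkt_src_port: int,
               received: List[bytes]) -> Tuple[bool, bool]:
    """Compare the peer's NAT-D payloads with hashes of our own view.
    Returns (we_are_behind_nat, peer_is_behind_nat)."""
    if len(received) < 2:
        raise ValueError("expected at least two NAT-D payloads")
    ours = natd_hash(hash_name, cky_i, cky_r, local_ip, local_port)
    peer_as_seen = natd_hash(hash_name, cky_i, cky_r, pkt_src_ip, pkt_src_port)
    # The first payload is the peer's idea of our address; if it differs from
    # what we compute, something rewrote our address on the way to the peer.
    we_are_natted = received[0] != ours
    # The remaining payloads are the peer's own addresses; if the packet's
    # source is not among them, the peer's address was rewritten.
    peer_is_natted = peer_as_seen not in received[1:]
    return we_are_natted, peer_is_natted


def example_detection() -> Tuple[bool, bool]:
    """Constructed scenario: the peer is really 10.0.0.5:500 behind a NAT that
    rewrites its packets to 203.0.113.7:61000; we are 198.51.100.1:500 and not
    translated. Expected result: (False, True)."""
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))
    # What the peer sends us, computed from the peer's point of view.
    peer_payloads = build_natd_payloads("sha1", cky_i, cky_r, "198.51.100.1", 500,
                                        [("10.0.0.5", 500)])
    return detect_nat("sha1", cky_i, cky_r, "198.51.100.1", 500,
                      "203.0.113.7", 61000, peer_payloads)


if __name__ == "__main__":
    print("we are behind NAT, peer is behind NAT:", example_detection())
```

Because the digests cover the cookies, the check is bound to this particular phase 1 exchange; replaying NAT-D payloads from another negotiation cannot produce a match.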
r668 | mgrooms | 2006-09-30 20:02:29 +0000 (Sat, 30 Sep 2006) | 1 line
Include changes to files missed in last commit.
------------------------------------------------------------------------
r667 | mgrooms | 2006-09-30 20:02:01 +0000 (Sat, 30 Sep 2006) | 11 lines
Rewrite the generation and verification code to handle multiple
proposals and transforms. Bundles are not currently supported but will be
added later when we sort out compression. Rewrite the sa, proposal and
transform handlers to support the new functionality. Add some decent
debug output for the proposal failure case.
Split out the sa setup code to postpone dh group generation until after
a proposal has been accepted where possible.
Add support for auto negotiating the phase1 dh group, the cipher
algorithm, cipher key length and the hash algorithm in main mode. All
options except for the dh group can also be auto negotiated in
aggressive mode. Add support for auto negotiating the phase2 transform
algorithm, transform key length and hmac algorithm.
Rewrite the asn1dn input string parser to be more resilient when white
spaces and commas exist for a given key value pair.
Only allow the ASN.1 DN ID type to be selected for a local ID when a
peer will be validating our credentials using RSA. In other words, don't
allow this type for Hybrid or PSK modes.
When ASN.1 DN is selected as the remote ID type, re-instate the option
to bypass the initial ID verification but still perform consistency
checks using the received value. This option is enabled using the check
box below the remote ID value in the Site Configuration.
------------------------------------------------------------------------
r662 | mgrooms | 2006-09-22 19:40:55 +0000 (Fri, 22 Sep 2006) | 1 line
Bring zlib into the tree as we are about to add support for IPCOMP. Also
add rfc 2393, 2394 and 2395 to our private document directory.
------------------------------------------------------------------------
r661 | mgrooms | 2006-09-22 16:51:29 +0000 (Fri, 22 Sep 2006) | 5 lines
Modify ipsecd, vflt and libvflt to be resilient when the interface
device is destroyed. This is necessary to work around an imposed
limitation when using an NDIS Intermediate driver.
An IM driver must register a userland interface device as a miniport
device interface. NDIS won't call the driver cleanup function until all
open descriptors for the device are closed. If you want to be able to
unload your driver at some point, these devices must be created and
destroyed based on a reference count of how many adapter bindings are in
use. When the first binding arrives you create the device. When the last
binding goes away, you destroy the device. This causes problems for
services that would prefer to have persistent communication with their
associated driver. The only way to deal with this is to connect to the
device interface when you can and error out any communications in your
driver dispatch routine to force the consumer to close its descriptors
when appropriate.
This situation would only occur when a computer only has one transient
adapter available for the filter driver to bind to. An example would be
a computer that does not have dialup networking installed but does have
a wireless device that they toggle on and off.
------------------------------------------------------------------------
r660 | mgrooms | 2006-09-21 17:14:04 +0000 (Thu, 21 Sep 2006) | 3 lines
When defining divert rules for IKE communications in ipsecd, only
specify the destination port. The source port could easily be translated
by a NAT device in between the two peers which will cause communication
failures.
Modify ipsecd to send a disable message instead of an enable message
where appropriate.
------------------------------------------------------------------------
r659 | mgrooms | 2006-09-21 16:20:52 +0000 (Thu, 21 Sep 2006) | 1 line
Modify the method libvflt uses to build an ethernet header before
sending an IP packet. Don't keep a running list of active adapters, this
is unnecessary with the new vflt driver. Simply use ARP data to complete
the header info just like any other IP stack would. Not only does this
simplify the code immensely, it also allows the library to be more
portable.
------------------------------------------------------------------------
r658 | mgrooms | 2006-09-21 13:44:47 +0000 (Thu, 21 Sep 2006) | 1 line
When using main mode with RSA authentication, the id type options should
not be restricted to address. The restriction should only apply to PSK
modes. Bug reported by Massimo Uliana.
------------------------------------------------------------------------
r656 | mgrooms | 2006-09-21 02:47:14 +0000 (Thu, 21 Sep 2006) | 5 lines
Modify vflt and libvflt to support negative rule element modifiers.
This saves us at least one rule entry at present.
Cleanup the Transparent DNS Proxy code a bit and split the receive and
cleanup code into two functions. The cleanup function, which cleans
stale state entries, is called once per second.
Correct a logic bug when the Site Configuration is using direct mode,
has a private DNS with Split DNS configured. All requests were being
proxied instead of just requests that matched Split DNS rules.
------------------------------------------------------------------------
r655 | mgrooms | 2006-09-20 23:29:56 +0000 (Wed, 20 Sep 2006) | 7 lines
Modify vflt and libvflt rule processing to boost driver performance. All
rules are now stored in a central list instead of in per driver io
object lists. Strong affinity is still maintained between rules and the
driver io objects that create them. This is to increase efficiency for
divert / mirror rule processing and prevent unused rules from lingering
when a consumer disconnects unexpectedly. For example, if the ipsecd
service crashed then all rules added via an open file descriptor would
be removed automatically when the os cleans up the process.
Modify vflt and libvflt to support rule priority levels. When a consumer
requests that a rule is added, it will be inserted immediately after all
other rules that hold the same or higher priority. Rules are evaluated
from highest to lowest priority. Priority level 0, the highest priority
level, is reserved for the future addition of rule state entries.
Priority 1 is used for public ipsec traffic rules and priority level 2
for private ipsec traffic. Once a client side firewall is implemented,
these rules will be added using priority level 3.
Correct some locking issues in vflt and libvflt where certain operations
were not being protected adequately.
Correct an issue in ipsecd where two lock wrapper functions were using
the wrong mutex to protect Transparent DNS Proxy state information.
------------------------------------------------------------------------
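The r684, r660, r656 and r655 entries above together describe the vflt rule model: rules are kept in one list ordered by priority, a new rule goes in after every rule of the same or higher priority, evaluation walks from highest to lowest priority with pf-style "last match wins unless a matching rule is quick" semantics, rule elements can be negated, IKE divert rules match only the destination port because a NAT may rewrite the source port, and NAT-T traffic on UDP/4500 is told apart as IKE or ESP. The following is an added example written for this page, not code from this project or from mgrooms, and it models that logic in userland Python rather than in the driver; the `Packet` fields, the `build_rules` rule set and the `classify_natt` helper (which uses the RFC 3948 non-ESP marker and keepalive byte rather than whatever flag the driver uses) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """Constructed packet model: only the fields the rules below look at."""
    proto: str            # "udp", "tcp", ...
    src_port: int
    dst_port: int
    natt: str = ""        # classification of a UDP/4500 payload, see classify_natt()


@dataclass
class Rule:
    priority: int                    # 0 = highest; the list is kept highest first
    action: str                      # "pass", "block" or "divert"
    quick: bool = False              # pf-style: stop evaluating when this rule matches
    proto: Optional[str] = None      # None = element not specified (wildcard)
    dst_port: Optional[int] = None   # the source port is deliberately never matched
    natt: Optional[str] = None
    negate: frozenset = frozenset()  # names of elements whose sense is inverted
    hits: int = 0                    # bumped on every match, like the ipsect display

    def matches(self, pkt: Packet) -> bool:
        for name in ("proto", "dst_port", "natt"):
            want = getattr(self, name)
            if want is None:
                continue
            hit = getattr(pkt, name) == want
            if name in self.negate:          # negative rule element modifier
                hit = not hit
            if not hit:
                return False
        return True


class RuleList:
    def __init__(self) -> None:
        self.rules: list = []

    def add(self, rule: Rule) -> None:
        """Insert immediately after all rules of the same or higher priority."""
        idx = len(self.rules)
        for i, r in enumerate(self.rules):
            if r.priority > rule.priority:   # first rule of strictly lower priority
                idx = i
                break
        self.rules.insert(idx, rule)

    def evaluate(self, pkt: Packet, default: str = "pass") -> str:
        """Last matching rule wins, unless a matching rule carries 'quick'."""
        action = default
        for r in self.rules:
            if r.matches(pkt):
                r.hits += 1
                action = r.action
                if r.quick:
                    break
        return action


def classify_natt(payload: bytes) -> str:
    """Classify a UDP/4500 payload per RFC 3948: a 4-byte zero non-ESP marker
    means IKE, a lone 0xFF byte is a NAT keepalive, anything else is ESP."""
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if payload == b"\xff":
        return "keepalive"
    return "esp"


def build_rules() -> RuleList:
    """Constructed rule set in the spirit of the priority levels described above:
    1 = public ipsec traffic, 2 = private traffic, 3 = client firewall."""
    rl = RuleList()
    rl.add(Rule(3, "block", proto="tcp"))                           # firewall catch-all
    rl.add(Rule(2, "pass", proto="tcp", dst_port=22, quick=True))   # quick: wins outright
    rl.add(Rule(2, "pass", proto="tcp", dst_port=443))              # not quick: catch-all wins
    rl.add(Rule(1, "divert", proto="udp", dst_port=500, quick=True))
    rl.add(Rule(1, "divert", proto="udp", dst_port=4500, natt="ike", quick=True))
    rl.add(Rule(1, "pass", proto="udp", dst_port=4500, natt="ike",
                negate=frozenset({"natt"})))                        # 4500 but not IKE: ESP
    return rl


if __name__ == "__main__":
    rl = build_rules()
    for p in (Packet("udp", 61000, 500), Packet("tcp", 50000, 22),
              Packet("tcp", 50000, 443), Packet("udp", 4500, 4500, classify_natt(b"\x00\x00\x12\x34"))):
        print(p, "->", rl.evaluate(p))
```

The tcp/443 case shows why "last match" needs "quick": without the quick flag on the priority 2 pass rule, the lower-priority catch-all block rule is evaluated afterwards and overrides it. The udp/500 rule is hit whatever the source port is, which is the point made in the r660 entry.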
r651 | mgrooms | 2006-09-19 18:27:44 +0000 (Tue, 19 Sep 2006) | 13 lines
Modify the Transparent DNS Proxy code to work in either direct or
virtual adapter mode. The site configurations selected will dictate one
of three distinct modes of operation.
1) Direct or virtual adapter mode with no private DNS configured
2) Direct or virtual adapter mode with private/split DNS configured
3) Virtual adapter mode with private DNS configured
In mode (1), no private DNS server or proxying is performed as it is not
required. In mode (2), all DNS requests will be directed to the
Transparent DNS proxy. A decision will be made to either allow the
request to be forwarded to its original destination or to be proxied to
the private DNS server specified in the config. In mode (3), the private
DNS server is configured for the virtual adapter and all DNS requests
will be addressed to the private DNS server by the OS.
There is limited support for name service settings in direct adapter
mode. The reason for this is that the operating system does not offer
any facility that I am aware of to configure the per-adapter setting
after it has been enabled. This is possible with virtual adapter mode
because the VNET adapter is in a disabled state when not in use. The
per-adapter options can be written to the registry before the adapter is
enabled and the settings take effect immediately. If I find a way to
handle dynamic configuration of an enabled adapter, I will revisit this
code.
Potentially add a vflt rule to route DNS requests and responses through
our Transparent DNS proxy. If the local configuration dictates that the
request should be proxied, add a state entry to match the return request
and rewrite the IP header with the new source and destination
address/port values. After which, inject the packet back into our kernel
filter so it ends up at the correct destination. This step is not
absolutely necessary now but will be when ESP processing is moved into
the kernel. When a response is received that matches a state entry, pass
it back through the proxy to reverse the IP address/port values and
forward the packet to the original requester. A proxied DNS request is
always sourced from port 8053 after the header is re-written.
Modify vflt and libvflt to allow packets to be injected into the kernel
filter. This allows them to be processed as if they were passed down
from an NDIS protocol driver or passed up by an NDIS miniport driver.
------------------------------------------------------------------------
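The proxying step in the r651 entry above, together with the stale state cleanup from r656, is a small stateful rewrite table: a request that the Split DNS rules say should go to the private server is recorded, its addresses and ports are rewritten (sourced from port 8053), and the matching response is rewritten back so the resolver sees a reply from the server it actually asked. The following is an added example written for this page, not code from this project or from mgrooms; the `Dgram` model, the `local_ip`/`private_dns` values and the choice of the DNS transaction id as the state key are assumptions, as is proxying everything when no Split DNS suffix is configured.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PROXY_SRC_PORT = 8053   # proxied requests are always sourced from this port


@dataclass(frozen=True)
class Dgram:
    """Constructed model of a UDP datagram carrying a DNS message; only the
    fields the proxy inspects or rewrites are modelled."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    dns_id: int       # 16-bit DNS transaction id
    qname: str


class DnsProxy:
    def __init__(self, local_ip: str, private_dns: str, split_suffixes: List[str]) -> None:
        self.local_ip = local_ip
        self.private_dns = private_dns
        self.split_suffixes = [s.lower().strip(".") for s in split_suffixes]
        # dns_id -> (original src ip, src port, dst ip, dst port, creation time)
        self.state: Dict[int, Tuple[str, int, str, int, float]] = {}

    def should_proxy(self, qname: str) -> bool:
        """Mode (2): only names at or under a Split DNS suffix are proxied.
        Assumption: with no suffixes configured, every request is proxied."""
        if not self.split_suffixes:
            return True
        name = qname.lower().strip(".")
        return any(name == s or name.endswith("." + s) for s in self.split_suffixes)

    def outbound(self, d: Dgram, now: float) -> Dgram:
        """Request leaving the host: either pass it through untouched or
        rewrite it toward the private server and remember how to undo that."""
        if d.dst_port != 53 or not self.should_proxy(d.qname):
            return d
        # Assumption: the transaction id keys the entry; a repeat of an id that
        # is still pending is treated as a retransmission and overwrites it.
        self.state[d.dns_id] = (d.src_ip, d.src_port, d.dst_ip, d.dst_port, now)
        return replace(d, src_ip=self.local_ip, src_port=PROXY_SRC_PORT,
                       dst_ip=self.private_dns, dst_port=53)

    def inbound(self, d: Dgram, now: float) -> Optional[Dgram]:
        """Response arriving on port 8053: reverse the rewrite. Only replies
        from the configured private server are accepted, and each state entry
        is consumed by the first matching reply."""
        if d.dst_port != PROXY_SRC_PORT or d.src_ip != self.private_dns:
            return None
        entry = self.state.pop(d.dns_id, None)
        if entry is None:
            return None                       # stale, duplicate or unsolicited
        src_ip, src_port, dst_ip, dst_port, _ = entry
        return replace(d, src_ip=dst_ip, src_port=dst_port, dst_ip=src_ip, dst_port=src_port)

    def expire(self, now: float, ttl: float) -> int:
        """Drop entries older than ttl seconds; meant to run about once per
        second. Returns the number of entries removed."""
        stale = [k for k, v in self.state.items() if now - v[4] > ttl]
        for k in stale:
            del self.state[k]
        return len(stale)


if __name__ == "__main__":
    proxy = DnsProxy("10.9.8.7", "10.1.0.53", ["corp.example"])
    q = Dgram("10.9.8.7", 51000, "8.8.8.8", 53, 0x1234, "intranet.corp.example")
    print("rewritten request:", proxy.outbound(q, 100.0))
    r = Dgram("10.1.0.53", 53, "10.9.8.7", 8053, 0x1234, "intranet.corp.example")
    print("restored response:", proxy.inbound(r, 100.5))
```

Keying on the transaction id alone is the weak spot of this model: a response whose id matches a pending entry is accepted, so a real implementation should also match the question section and keep the ttl short, which is what the once-per-second cleanup is for.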
r649 | mgrooms | 2006-09-18 19:03:32 +0000 (Mon, 18 Sep 2006) | 3 lines
Modify the VNET adapter config interface to accept a bitmask describing
which parameters to set. If a parameter should be set but a null value
is passed, unset the value so stale data in the registry is not used.
Modify the client parameters passed to the VNET config interface so when
split networking is used, we unset the DNS server address. This is in
preparation for the coming Transparent DNS proxy changes that will allow
redirection for connections that work in direct adapter mode.
------------------------------------------------------------------------
r648 | mgrooms | 2006-09-18 18:05:21 +0000 (Mon, 18 Sep 2006) | 1 line
When performing a divert or mirror action in the vflt driver, make sure
we only deliver one copy of the packet per attached Driver IO interface.
Previously, there was a chance that multiple copies would be delivered
if it matched multiple divert or mirror rules.
------------------------------------------------------------------------
r647 | mgrooms | 2006-09-18 17:56:06 +0000 (Mon, 18 Sep 2006) | 1 line
Update the Site Configuration interface to disable WINS and DNS Suffix
support when direct interface mode is selected. These settings are
configured per adapter when it is first enabled and bound to TCP/IP.
There is no way to modify them dynamically. If a way is found to support
these options in the future, they will be re-enabled.
------------------------------------------------------------------------
r646 | mgrooms | 2006-09-18 16:24:47 +0000 (Mon, 18 Sep 2006) | 5 lines
Modify install scripts driver install order to make Win2K happy.
Modify our NDIS IM filter driver. Handle some previously unhandled PNP
events. Rework our device creation and deletion routines to not block
other adapter bind processes.
Modify a flag in our NDIS miniport driver inf that was incorrect.
------------------------------------------------------------------------
r645 | mgrooms | 2006-09-17 22:16:56 +0000 (Sun, 17 Sep 2006) | 3 lines
Add some missing changes related to the Site Manager configuration
updates in the last commit.
Rework finalization of a phase2 SA. Make sure the life time value is
stamped right and don't flag as mature until we have transmitted our
final packet.
------------------------------------------------------------------------
r643 | mgrooms | 2006-09-17 20:21:20 +0000 (Sun, 17 Sep 2006) | 10 lines
Rewrite the site configuration manager id handling functions. When the
user selects a new authentication or exchange type, only reset the ID
type and associated data if it is no longer valid.
Allow all id types for RSA authentication modes instead of only asn1dn.
While this offers more flexibility for configuration, it's not usually a
good idea.
Typically when a gateway has id checking enabled, it will reject any ID
except for a valid asn1dn because the value wont match the subject name
in the certificate payload later offered by the peer being identified.
Allow for asn1dn IDs to be manually entered in the Site Configuration.
The DN must be an exact match for peer authentication to complete
successfully. The delimiter used for the manually entered DNs may be
forward slashes or commas.
Continue to allow the asn1dn subject to be pulled from the local
certificate for use as the local ID when a mutual RSA mode is selected.
Remove the option for pulling the asn1dn subject from the remote
certificate as it could not be used for ID comparison. The peer would
offer its certificate subject ID and not the CA subject id which is what
we have a copy of. If a peer asn1dn value is not manually entered for a
site configuration, the remote id offered by the peer will not be
verified with a specific ID value but will be used to compare against
any future cert payload subjects that are offered in the future. This is
the same behavior as ipsec-tools.
Add two new functions to ipsecd to convert from text to asn1dn and back
to text. Add a new function for creating a peerid from the site
configuration parameters for either the initiator or the responder. Add
another function to compare two arbitrary id types. Use these functions
instead of in-lining the logic in other places where it does not belong.
------------------------------------------------------------------------
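The r667 and r643 entries above both deal with the text form of an ASN.1 DN: it may be entered with slash or comma delimiters, the parser must cope with whitespace and commas inside a key/value pair, and the manually entered DN must match the peer's ID exactly. The following is an added example written for this page, not code from this project or from mgrooms, showing one way to parse both delimiter styles into an ordered RDN list, round-trip them to text and compare them; backslash escaping of the delimiter and case-insensitive attribute names with case-sensitive values are the assumptions made here, and the conversion to and from the binary ASN.1 encoding that the real daemon performs is out of scope.

```python
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(text: str) -> List[RDN]:
    """Parse "C=US, O=Example Org, CN=gw" or "/C=US/O=Example Org/CN=gw" into an
    ordered list of (attribute, value). A backslash escapes the next character,
    so a value may itself contain the delimiter (r"O=Acme\, Inc.")."""
    text = text.strip()
    delim = "/" if text.startswith("/") else ","
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns: List[RDN] = []
    for part in parts:
        part = part.strip()
        if not part:
            continue                         # leading "/" or a trailing delimiter
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        key, value = part.split("=", 1)
        rdns.append((key.strip().upper(), value.strip()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def dn_to_text(rdns: List[RDN], slash: bool = False) -> str:
    """Render an RDN list back to text, escaping the chosen delimiter."""
    def esc(value: str, delim: str) -> str:
        return value.replace("\\", "\\\\").replace(delim, "\\" + delim)
    if slash:
        return "/" + "/".join("%s=%s" % (k, esc(v, "/")) for k, v in rdns)
    return ", ".join("%s=%s" % (k, esc(v, ",")) for k, v in rdns)


def dn_equal(a: str, b: str) -> bool:
    """Exact match: same RDNs, same values, same order. The remote ID must
    match this way for peer authentication to complete."""
    return parse_dn(a) == parse_dn(b)


if __name__ == "__main__":
    dn = parse_dn("/C=US/O=Example Org/CN=vpn-gw")
    print(dn)
    print(dn_to_text(dn), "|", dn_to_text(dn, slash=True))
    print(dn_equal("C=US, O=Example Org, CN=vpn-gw", "/C=US/O=Example Org/CN=vpn-gw"))
```

The comparison is over the parsed structure, not the raw string, so "C=US,O=Acme" and "/C=US/O=Acme" compare equal while a reordered or differently cased value does not.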
r642 | mgrooms | 2006-09-17 19:51:34 +0000 (Sun, 17 Sep 2006) | 1 line
Update the todo list and restore stuff that got lost.
------------------------------------------------------------------------
r641 | mgrooms | 2006-09-17 16:12:25 +0000 (Sun, 17 Sep 2006) | 1 line
Import a few definitions from cfg.h and cfgmgr.h to a private header
file so we don't have to include header files from the DDK. The required
function is exported from the setupapi.lib which is included in the SDK
but is defined.
------------------------------------------------------------------------
r638 | mgrooms | 2006-09-16 21:34:38 +0000 (Sat, 16 Sep 2006) | 3 lines
Split the SA state flags into life state and transmit state flags. We ran
out of bit flags.
Rework the peer identity check code. Match the ID values and optionally
send a notification when a failure occurs.
------------------------------------------------------------------------
r634 | mgrooms | 2006-09-15 00:16:44 +0000 (Fri, 15 Sep 2006) | 1 line
Complete transactional ipseci message changes.
------------------------------------------------------------------------
r633 | mgrooms | 2006-09-14 23:41:47 +0000 (Thu, 14 Sep 2006) | 5 lines
Fix version numbers in ipseca about dialog.
Report the correct id types allowed for main mode in the site config
interface.
Initial support for transactional messaging in ipseci.
------------------------------------------------------------------------
r627 | mgrooms | 2006-09-12 09:04:52 +0000 (Tue, 12 Sep 2006) | 9 lines
Add generic isakmp attribute payload read and write handlers. Right now
they are only used in the notify and modecfg handlers as the sa payload
handlers will be reworked in the near future.
Add support for processing RESPONDER-LIFETIME notifications. These are
sent by a responder that allows an SA to be negotiated but insists on
using a lifetime other than the proposal value. We simply adjust our
lifetime to match the responders to prevent communications issues.
Modify the ike cleanup code to only send phase2 delete notifications if
the sa has been deleted before its expire time.
Don't compare arp request addresses to our policy list if the tunnel is
in default route mode. Thanks again to Peter Eisch for the bug report.
Correct a potential packet descriptor leak in the vflt driver and
cleanup some code comments.
------------------------------------------------------------------------
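The generic attribute read and write handlers and the RESPONDER-LIFETIME handling in the r627 entry above rest on the ISAKMP data attribute format of RFC 2408 section 3.3: a 16-bit type whose top bit (AF) selects between a basic 16-bit value and a length-prefixed variable value. The following is an added example written for this page, not code from this project or from mgrooms; it encodes and decodes that format, then pulls a seconds lifetime out of notify data and adopts it in place of the proposed value, as the entry describes. It assumes the notify carries IPsec DOI phase 2 attributes (SA Life Type = 1, SA Life Duration = 2); the phase 1 equivalents are types 11 and 12.

```python
import struct
from typing import List, Optional, Tuple, Union

AF_BIT = 0x8000          # attribute format: 1 = basic (type, value), 0 = (type, length, value)

# IPsec DOI attribute types (RFC 2407 section 4.5); assumption: the notify
# carries phase 2 attributes. Phase 1 uses Life Type 11 / Life Duration 12.
SA_LIFE_TYPE = 1
SA_LIFE_DURATION = 2
LIFE_TYPE_SECONDS = 1
LIFE_TYPE_KILOBYTES = 2


def encode_attributes(attrs: List[Tuple[int, Union[int, bytes]]]) -> bytes:
    """Encode (type, value) pairs. Ints up to 0xFFFF use the basic form, larger
    ints are written as 4-byte variable values, bytes are written as given."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int) and 0 <= value <= 0xFFFF:
            out += struct.pack("!HH", AF_BIT | atype, value)
            continue
        if isinstance(value, int):
            value = struct.pack("!I", value)
        out += struct.pack("!HH", atype & 0x7FFF, len(value)) + value
    return out


def decode_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Decode a run of data attributes into (type, raw value) pairs. Every
    length is checked against the payload before it is used."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        atype = raw_type & 0x7FFF
        if raw_type & AF_BIT:
            attrs.append((atype, struct.pack("!H", second)))      # value is in-line
        else:
            if off + second > len(data):
                raise ValueError("attribute %d length %d runs past payload" % (atype, second))
            attrs.append((atype, data[off:off + second]))
            off += second
    return attrs


def responder_lifetime_seconds(notify_data: bytes) -> Optional[int]:
    """Seconds lifetime from RESPONDER-LIFETIME notify data, or None when the
    responder only stated a kilobyte lifetime. Life Type precedes Duration."""
    life_type = None
    for atype, raw in decode_attributes(notify_data):
        if atype == SA_LIFE_TYPE:
            life_type = int.from_bytes(raw, "big")
        elif atype == SA_LIFE_DURATION and life_type == LIFE_TYPE_SECONDS:
            return int.from_bytes(raw, "big")    # 2-byte basic or 4-byte variable
    return None


def reconcile_lifetime(proposed_seconds: int, notify_data: bytes) -> int:
    """Adopt the responder's seconds lifetime when it sent one."""
    responder = responder_lifetime_seconds(notify_data)
    return proposed_seconds if responder is None else responder


if __name__ == "__main__":
    # Constructed notify data: 86400 seconds does not fit in 16 bits, so the
    # duration goes out in variable-length form.
    data = encode_attributes([(SA_LIFE_TYPE, LIFE_TYPE_SECONDS), (SA_LIFE_DURATION, 86400)])
    print(data.hex())
    print(decode_attributes(data))
    print(reconcile_lifetime(28800, data))
```

The length check in `decode_attributes` is the part worth keeping: attribute payloads arrive from the peer before it has been authenticated in some exchanges, and an unchecked length field is the classic way to read past the buffer.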
r624 | mgrooms | 2006-09-11 15:15:47 +0000 (Mon, 11 Sep 2006) | 5 lines
Fix some debug output related to client interface type selection.
Modify dns proxy handlers to not reference the vnet mac address when
redirecting responses.
Basic support is now complete for direct adapter mode. Since there are
issues related to reconfiguring the DNS and WINS settings for an adapter
that is currently enabled, these options are ignored. Hopefully support
can be added in the future.
------------------------------------------------------------------------
r623 | mgrooms | 2006-09-11 13:27:54 +0000 (Mon, 11 Sep 2006) | 7 lines
Add support to libip to flush the arp table for a given interface. This
is necessary when direct interface mode is used to prevent traffic that
was previously routed across a tunnel from being spat out on the local
interface. This would only affect hosts that were accessed via the tunnel
and then accessed directly, which is an unlikely scenario to begin with.
Unfortunately, even after being flushed, it still takes a few seconds
for these arp entries to be reinstated. I can only guess that MS uses
two layers of arp cache with the lower layer not being affected by an
iphelper api request to flush all entries. What this means is that if a
host was accessed via the tunnel which is also reachable directly, it
may take a few seconds for the invisible arp entries to die.
Modify the arp spoofing code to not reference the vnet mac address. Use
the info in the ethernet header instead.
Tweak some timeout values to decrease latency with tunnel
communications.
------------------------------------------------------------------------
r622 | mgrooms | 2006-09-11 12:07:48 +0000 (Mon, 11 Sep 2006) | 5 lines
Correct an issue in ipsecc that was preventing the virtual adapter mode
from working properly. Begin to add support in ipsecd for direct adapter
mode. Most of this work relates to filter rule and route management.
Modify libip iproute class to hide the MS specific route index
information. The member functions now accept a local address instead of
the interface index to denote the route interface. Provide internal
functions to lookup an interface address by index or interface index by
address. This also simplifies route handling code in ipsecd.
Make the interface index lookup code for libvnet private now as it is no
longer used externally.
------------------------------------------------------------------------
r621 | mgrooms | 2006-09-11 09:29:50 +0000 (Mon, 11 Sep 2006) | 11 lines
Modify ipseca and ipsecc to handle configuring the interface type for
private communications. More work needs to be done in ipsecd to handle
the new "direct" interface type which was added to support
communications via a non VNET adapter.
Modify the vflt driver to handle address/subnet pairs in the filter rule
system correctly. This filtering system is now used extensively by
ipsecd to facilitate packet re-direction and inspection for IPSEC public
and private traffic.
Modify the ARP spoofing code so that we only respond to requests for
addresses that match an entry in our policy list.
Add some locking to the libvflt interface so it can be used more
effectively by multiple threads. While there, clean up the vflt rule
interface handlers to be more sane.
Remove the now unused portions of the VNET driver that deal with reading
and writing packets via libvnet. This was all replaced by functionality
provided by libvflt and the vflt driver.
Modify the vflt driver to be more intelligent when it comes to
inspecting packet headers for filtering. On the transmit path, NDIS
drivers tend to use a chain of buffers similar to the BSD mbuf system.
Only flatten as much data as we need if the first buffer chain does not
contain the estimated amount required. If more is required, never copy
the same data twice or more than once per packet.
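The incremental header flattening described for the vflt transmit path, as an added example that is not part of the project's code: a hypothetical buffer-chain model (not vflt's own types) with a gather routine that uses the first buffer in place when it already holds enough, and otherwise copies only the bytes not gathered by an earlier call, so a later, larger estimate never recopies what was already flattened.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of an NDIS-style buffer chain (not vflt's own types). */
struct netbuf { const uint8_t *data; size_t len; const struct netbuf *next; };

#define MAX_HDR 128  /* room for Ethernet + a maximal IPv4 header + TCP */

/* Gathering state: header bytes collected so far plus a cursor into the chain. */
struct flat {
    uint8_t hdr[MAX_HDR];
    size_t have;              /* bytes valid in hdr */
    const struct netbuf *cur; /* buffer the cursor points into */
    size_t off;               /* offset of the cursor inside cur */
    size_t copied;            /* total bytes memcpy'd, to show the no-recopy rule */
};

/* Return 'need' contiguous header bytes, or NULL if the packet is shorter.
 * The first buffer is used in place when it already holds enough; otherwise
 * only the bytes beyond those gathered by earlier calls are copied. */
const uint8_t *flat_get(struct flat *f, const struct netbuf *chain, size_t need) {
    if (need > MAX_HDR) return NULL;
    if (chain->len >= need) return chain->data;  /* no copy at all */
    while (f->have < need && f->cur != NULL) {
        size_t avail = f->cur->len - f->off;
        if (avail == 0) { f->cur = f->cur->next; f->off = 0; continue; }
        size_t n = need - f->have;
        if (n > avail) n = avail;
        memcpy(f->hdr + f->have, f->cur->data + f->off, n);
        f->have += n; f->off += n; f->copied += n;
    }
    return f->have >= need ? f->hdr : NULL;
}

/* Constructed sample: Ethernet header in buffer 0, IPv4 header split across
 * buffers 1 and 2, then 8 bytes of payload (42 bytes in total). */
static const uint8_t eth[14]  = {0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x08,0x00};
static const uint8_t ip_a[12] = {0x45,0,0,36, 0,0,0,0, 64,17,0,0};
static const uint8_t ip_b[16] = {10,0,0,1, 10,0,0,2, 0,0,0,0,0,0,0,0};
/* Gather 'first' header bytes, then grow to 'second' (as when the IHL field
 * exceeds the estimate); return total bytes copied, or -1 if the chain is short. */
long sample_copies(size_t first, size_t second) {
    const struct netbuf b2 = { ip_b, sizeof ip_b, NULL };
    const struct netbuf b1 = { ip_a, sizeof ip_a, &b2 };
    const struct netbuf b0 = { eth, sizeof eth, &b1 };
    struct flat f = { .cur = &b0 };  /* remaining members zero-initialised */
    if (!flat_get(&f, &b0, first) || !flat_get(&f, &b0, second)) return -1;
    return (long)f.copied;
}
```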
------------------------------------------------------------------------
r620 | mgrooms | 2006-09-09 01:05:24 +0000 (Sat, 09 Sep 2006) | 1 line
Modify libvflt to allow the caller to pass raw frames as well as ip
packet data. This allows it to easily replace libvnet packet handling in
the private transmit and receive path.
------------------------------------------------------------------------
r619 | mgrooms | 2006-09-08 22:33:57 +0000 (Fri, 08 Sep 2006) | 5 lines
Modify vflt and libvflt to allow dynamic rules to be created via our
private interface. Modify IPSECD to use this interface to dynamically
add and remove rules pertaining to IPSEC public traffic. Also allow for
rule grouping so that all rules pertaining to a particular tunnel can be
removed via a single interface call.
Modify vflt and libvflt to allow sending packets up the ndis chain to
the protocol layer via our private interface.
Modify vflt to use the correct buffer pools for private traffic
handling.
------------------------------------------------------------------------
r618 | mgrooms | 2006-09-08 13:10:17 +0000 (Fri, 08 Sep 2006) | 1 line
Flubbed a change that requires a commit.
------------------------------------------------------------------------
r617 | mgrooms | 2006-09-08 12:39:04 +0000 (Fri, 08 Sep 2006) | 7 lines
Correct issues associated with selecting the phase1 exchange type,
authentication type and identity types. Main can be used with PSK
authentication but only the Address identity type is valid. This is
outlined in the RFC.
Correct TAB order issues in IPSECC and print command line options when
none are specified.
Bump the internal version number to 2.0.0.
Move the vflt packet filter and rule processing code into a separate
file. Add support for filter processing of packets in the receive path.
------------------------------------------------------------------------
r615 | mgrooms | 2006-09-07 15:22:59 +0000 (Thu, 07 Sep 2006) | 3 lines
Overhaul portions of the new NDIS filter driver. Modify the legacy
Protocol Receive handler to assemble a complete packet before indicating
up to the upper layer protocols. Implement a rule based filtering system
with support for ACCEPT / REJECT and per userland io device DIVERT /
MIRROR rules. Apply the rule based filtering system to the receive path.
Application to the send path is forthcoming.
Modify the NSIS install build scripts to not cause the protocol portion
of the IM driver to be flagged for deletion after the driver is
unloaded. This is how the MS Passthru sample driver operates. This was
causing failed reinstalls during a single OS boot cycle.
------------------------------------------------------------------------
r614 | mgrooms | 2006-09-06 17:11:00 +0000 (Wed, 06 Sep 2006) | 1 line
Modify install scripts and filter driver to not hang during unload.
Also, clean up the service entry which does not seem to get handled by
Windows very well.
------------------------------------------------------------------------
r613 | mgrooms | 2006-09-05 16:10:03 +0000 (Tue, 05 Sep 2006) | 3 lines
Correct some issues with the installer scripts and project files.
Modify the method of creating our user land accessible device. The old
method was causing problems.
------------------------------------------------------------------------
r612 | mgrooms | 2006-09-05 13:31:42 +0000 (Tue, 05 Sep 2006) | 1 line
Modify installer to handle the new requirements. Update build
environment to copy files to the correct build directory.
------------------------------------------------------------------------
r611 | mgrooms | 2006-09-05 11:16:00 +0000 (Tue, 05 Sep 2006) | 1 line
Update all projects in the workspace to reference the new filter driver.
------------------------------------------------------------------------
r610 | mgrooms | 2006-09-05 10:47:02 +0000 (Tue, 05 Sep 2006) | 1 line
Remove protocol driver from the tree and rename the libvprot source
directory to libvflt. The project space and filenames still need to be
updated but this must happen in a separate step.
------------------------------------------------------------------------
r609 | mgrooms | 2006-09-05 10:41:01 +0000 (Tue, 05 Sep 2006) | 1 line
Bring the new kernel driver into the tree. Replace all ddk makefile
build projects with pseudo dll projects.
------------------------------------------------------------------------