------------------------------------------------------------------------
r557 | mgrooms | 2008-10-16 23:19:45 -0500 (Thu, 16 Oct 2008) | 1 line
Revert the change that re-transmits a configuration packet after the
configuration has become mature. This can cause problems when
communicating with a Cisco device if the virtual network adapter is
taking an unusually long time to initialize. A ping-pong packet war will
commence which quickly leads to premature tunnel termination. A more
appropriate long-term fix will be committed after prerequisite work is
completed.
------------------------------------------------------------------------
r556 | mgrooms | 2008-10-16 04:17:18 -0500 (Thu, 16 Oct 2008) | 3 lines
Add overloaded equality comparison operators for the basic data class.
Use the comparison operators where possible instead of calls to memcmp.
Modify iked to process multiple NAT discovery payloads in accordance
with RFC 3947. Previously we assumed a single remote address hash
payload would be received. We now accept multiple hash values and
compare them properly. While here, remove two NAT related bool values
from the phase1 handle which were no longer in use.
------------------------------------------------------------------------
r555 | mgrooms | 2008-10-15 19:19:03 -0500 (Wed, 15 Oct 2008) | 5 lines
Modify the idb policy class to use bitflags instead of the route and
nailed boolean values. Introduce a new flag that forces a single phase2
SA to be negotiated after a policy is created. Use this option to ensure
phase2 negotiation occurs immediately after a connection has been
established with a Cisco gateway. These devices will disconnect a client
shortly after initial contact if an IPsec SA is not established.
Modify iked to use an adaptive event timer for DHCP over IPsec. This
significantly reduces the tunnel setup time when communicating with
Fortinet gateways. While here, fix a bug that caused disconnects to be
erroneously identified as a DHCP over IPsec configuration problem.
Modify the public version.h file to reflect a new client configuration
version. Add a new definition that specifies if a build will be a stable
release.
------------------------------------------------------------------------
r553 | mgrooms | 2008-10-13 18:46:29 -0500 (Mon, 13 Oct 2008) | 1 line
Correct some minor issues in iked. Ensure the isakmp payload reserved
values are null during packet validation. Always note the reason we
refuse to process a packet due to a validation failure. Remove the
phase1 duplicate payload checks as they are no longer required. Make
sure we re-transmit the phase1 and phase2 packet queue when a decrypt
error is detected. Safeguard against a thread state issue that caused
an outbound phase2 packet to be processed simultaneously by the recv and
pfkey threads. This problem was reported by Mark Jenks as a phase2
negotiation failure.
------------------------------------------------------------------------
r552 | mgrooms | 2008-10-12 17:12:50 -0500 (Sun, 12 Oct 2008) | 4 lines
Modify the unix Access Manager and VPN Connect applications to allow the
automatic DNS suffix setting to be specified separately from the
DNS server options. Also verify address input values when the save
button is pressed.
Modify the iked unix resolv.conf writer to be more intelligent. When a
resolv.conf option does not exist, inherit the option from the current
system resolv.conf file.
------------------------------------------------------------------------
r551 | mgrooms | 2008-10-12 15:09:49 -0500 (Sun, 12 Oct 2008) | 6 lines
Add support for up to four DNS server and two WINS server addresses to
the unix Access Manager application. Support for multiple name server
addresses has existed in iked for quite some time so no changes are
required.
Add a new virtual adapter option to the unix Access Manager and VPN
Connect applications. This allows a randomized virtual address to be
selected from a specified subnet. Using this option has some serious
drawbacks. Without the ability to send ARP packets over an IPsec
connection, it is impossible to detect and resolve address selection
conflicts. However, when a large address pool is used, the odds of
multiple clients selecting an identical virtual adapter address are
considerably lower than the likelihood of multiple clients having
identical public addresses when behind a SOHO router performing NAT. Most
of these routers tend to use the same private network definitions by
default and are never changed.
Update the unix VPN Connect application to only set the xconf request
flag when an option is to be negotiated. Setting the option flag
directly denotes that an option is statically configured.
------------------------------------------------------------------------
r550 | mgrooms | 2008-10-12 12:24:27 -0500 (Sun, 12 Oct 2008) | 2 lines
Work around a regression in iked where we attempt to acquire the idb
lock mutex when it is already owned.
------------------------------------------------------------------------
r545 | mgrooms | 2008-10-11 11:36:05 -0500 (Sat, 11 Oct 2008) | 2 lines
Correct a bug in the VPN Connect application where a host name is
treated as an IP address if the leading character is a numeric digit.
Issue reported by Daniel P.
------------------------------------------------------------------------
r543 | mgrooms | 2008-10-10 02:28:27 -0500 (Fri, 10 Oct 2008) | 2 lines
Correct some issues with the unix build. These are related to the
keyfile changes which now use BDATA instead of an openssl EVP_PKEY
structure for storage of private and public key data.
------------------------------------------------------------------------
r542 | mgrooms | 2008-10-09 13:54:43 -0500 (Thu, 09 Oct 2008) | 5 lines
Rewrite portions of the IPC server code to address some security flaws.
Up until now, this code relied on a well behaved client to ensure that
certain operations worked correctly. These changes are intended to
prevent out of order operations or faulty configurations from triggering
invalid pointer references. While addressing the major concerns, more
work will be required to validate all configuration options to ensure
proper operation in all cases.
Modify iked objects and keyfile code to use BDATA for storage of public
and private key information. This removes the openssl key structure
pointer from the object and associated functions. Further testing of
this change is still required. Also remove the keyfile helper functions
from the global iked object. They are only used locally.
Modify the configuration exchange client push and pull functions to copy
negotiated option flags to the supported option flags. This allows iked
to more accurately track which options were negotiated and which options
were statically enabled. The client connect applications need to be
updated to reflect this change.
------------------------------------------------------------------------
r540 | mgrooms | 2008-10-06 23:45:02 -0500 (Mon, 06 Oct 2008) | 1 line
Update the todo list.
------------------------------------------------------------------------
r539 | mgrooms | 2008-10-06 22:01:04 -0500 (Mon, 06 Oct 2008) | 1 line
Comment out an assertion that was used while debugging the libith
generic IPC class.
------------------------------------------------------------------------
r537 | mgrooms | 2008-10-06 15:08:41 -0500 (Mon, 06 Oct 2008) | 1 line
Update todo list.
------------------------------------------------------------------------
r535 | mgrooms | 2008-10-06 14:37:41 -0500 (Mon, 06 Oct 2008) | 1 line
Cleanup some log output in iked. Instead of using the XX: sequence to
denote a warning, use ww: instead.
------------------------------------------------------------------------
r534 | mgrooms | 2008-10-06 13:57:44 -0500 (Mon, 06 Oct 2008) | 1 line
Initialize the iked generic exchange msgid data member in the class
constructor and not in the derived class constructors. Be sure to clear
the resend attempt counter when clearing the resend schedule. Compare
the resend attempt count properly.
------------------------------------------------------------------------
r533 | mgrooms | 2008-10-06 11:02:32 -0500 (Mon, 06 Oct 2008) | 1 line
Create a generic exchange message id and iv generation function. Retire
the phase2 specific iv generation function. Update all exchange classes
to use these functions.
------------------------------------------------------------------------
r532 | mgrooms | 2008-10-06 01:01:00 -0500 (Mon, 06 Oct 2008) | 1 line
Modify iked phase1 and phase2 exchanges to not schedule a resend for final
exchange messages only to clear the resend immediately afterward. Also
clean up and improve some log output.
------------------------------------------------------------------------
r531 | mgrooms | 2008-10-05 12:05:29 -0500 (Sun, 05 Oct 2008) | 1 line
Modify the exchange packet resend member functions to optionally purge
the packet queue when the schedule is cleared. The resend event has also
been modified to allow non-scheduled resends of a packet queue. Exchange
classes now retain the final packet queue contents after reaching
maturity. If an exchange packet is received afterwards, we assume a
message was lost in transit and resend the queue contents.
------------------------------------------------------------------------
r530 | mgrooms | 2008-10-04 15:31:02 -0500 (Sat, 04 Oct 2008) | 1 line
Introduce a new intermediate exchange class in iked. The Diffie Hellman
and proposal members have been moved from the generic exchange class
into the generic security association exchange subclass. The subclass is
used as a base class for phase1 and phase2 classes. As a result, the
informational and configuration classes are now considerably more
lightweight.
------------------------------------------------------------------------
r529 | mgrooms | 2008-10-04 14:58:27 -0500 (Sat, 04 Oct 2008) | 3 lines
Re-write portions of the configuration exchange code in iked. The
complex send and recv functions have been split into several smaller
functions. These are responsible for client and server operations for
xauth, modecfg push or modecfg pull. The client side functions have been
tested thoroughly but the server side functions need further review and
bug fixing. Additionally, the config state flags have been moved from
the tunnel handle to the config handle where they belong.
The major goal of this re-write was to prevent multiple config handles
from being used for xauth and modecfg negotiations. Previously, new
config handles were created for each unique packet message id.
Re-transmitting lost packets was impossible under certain circumstances
as the packet queue was destroyed along with the config handle. To avoid
this situation, a config handle is now associated with a phase1 handle.
The config handle is used to process all config packets for the given
phase1 ISAKMP cookie pair. This makes the packet re-transmit queue
persistent regardless of the message id. The config handle is destroyed
along with the phase1 handle.
------------------------------------------------------------------------
r527 | mgrooms | 2008-10-02 16:49:15 -0500 (Thu, 02 Oct 2008) | 1 line
Fix another DH exchange related bug in iked. The OpenSSL
DH_generate_key function can occasionally write a public value that is
shorter than the prime value length. When we convert this BIGNUM value
to a BDATA value, we need to ensure the value is written to the buffer
properly and insert null padding at the front of the buffer when
appropriate. This also corrects seemingly random failures during phase1
and phase2+PFS negotiations.
------------------------------------------------------------------------
r525 | mgrooms | 2008-10-01 04:54:51 -0500 (Wed, 01 Oct 2008) | 1 line
Fix a very elusive and long standing bug in iked. The OpenSSL
DH_compute_key function can occasionally write a shared secret that is
shorter than the DH public / private key lengths. When this happens, a
null character exists at the trailing end of the buffer that signifies
the least significant byte for the value. Fix this by trimming the
buffer to the length returned by DH_compute_key and inserting the
required null bytes at the front of the buffer where they belong. This
corrects seemingly random failures during phase1 and phase2+PFS
negotiations.
------------------------------------------------------------------------
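
The two DH fixes above (r527 and r525) come down to one pitfall: OpenSSL's BN_bn2bin() and DH_compute_key() write a minimal big-endian encoding, so a value whose most significant byte happens to be zero comes out shorter than the prime, while IKE keying material needs the full fixed-width form. The C below is an added example written for this page, not shrew soft's iked code. It uses a 64-bit integer as a stand-in for a BIGNUM and a constructed 61-bit toy group so it runs without OpenSSL; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for BN_bn2bin(): big-endian with no leading zero bytes; returns
 * the byte count (0 for zero). Because of this, about 1 in 256 DH values
 * has a zero top byte and comes out one byte shorter than the prime. */
size_t bn2bin_minimal(uint64_t v, uint8_t *out)
{
    uint8_t tmp[8];
    size_t n = 0;
    for (; v; v >>= 8)
        tmp[n++] = (uint8_t)(v & 0xff);
    for (size_t i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i];
    return n;
}

/* r527 case: encode into exactly prime_len bytes, zero padding at the front.
 * Returns 0 on success, -1 if the value does not fit. */
int bn2bin_fixed(uint64_t v, uint8_t *out, size_t prime_len)
{
    uint8_t min[8];
    size_t n = bn2bin_minimal(v, min);
    if (n > prime_len)
        return -1;
    memset(out, 0, prime_len - n);
    memcpy(out + (prime_len - n), min, n);
    return 0;
}

/* r525 case: DH_compute_key() wrote 'written' < buf_len bytes at the front
 * of a DH_size() buffer, so the tail byte is wrong. Shift the secret to the
 * end and zero-fill the front. */
int fix_short_secret(uint8_t *buf, size_t buf_len, size_t written)
{
    if (written > buf_len)
        return -1;
    size_t pad = buf_len - written;
    memmove(buf + pad, buf, written);
    memset(buf, 0, pad);
    return 0;
}

/* Check: does v encode to exactly the expected 'width' bytes? */
int encodes_to(uint64_t v, size_t width, const uint8_t *expect)
{
    uint8_t buf[8];
    if (width > sizeof buf || bn2bin_fixed(v, buf, width) != 0)
        return 0;
    return memcmp(buf, expect, width) == 0;
}

/* Check: simulate a short DH_compute_key() result ('written' bytes of
 * 'secret' at the front of a zeroed 'width' byte buffer), repair it and
 * compare with the fixed-width encoding of 'expected'. */
int repair_matches(const uint8_t *secret, size_t written, size_t width,
                   uint64_t expected)
{
    uint8_t buf[8] = {0}, want[8];
    if (width > sizeof buf || written > width)
        return 0;
    memcpy(buf, secret, written);
    if (fix_short_secret(buf, width, written) != 0 ||
        bn2bin_fixed(expected, want, width) != 0)
        return 0;
    return memcmp(buf, want, width) == 0;
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1;
    for (base %= m; exp; exp >>= 1) {
        if (exp & 1)
            r = (uint64_t)(((unsigned __int128)r * base) % m);
        base = (uint64_t)(((unsigned __int128)base * base) % m);
    }
    return r;
}

/* Toy DH over the 61-bit Mersenne prime (constructed, not an IKE group):
 * both peers derive the secret and encode it fixed-width; the two 8-byte
 * encodings must agree byte for byte. */
int dh_fixed_width_agree(uint64_t priv_a, uint64_t priv_b)
{
    const uint64_t p = (1ULL << 61) - 1, g = 3;
    uint64_t pub_a = powmod(g, priv_a, p), pub_b = powmod(g, priv_b, p);
    uint8_t ka[8], kb[8];
    if (bn2bin_fixed(powmod(pub_b, priv_a, p), ka, sizeof ka) != 0 ||
        bn2bin_fixed(powmod(pub_a, priv_b, p), kb, sizeof kb) != 0)
        return 0;
    return memcmp(ka, kb, sizeof ka) == 0;
}
```

With a real BIGNUM the same shape applies: allocate BN_num_bytes(p) for the output, call BN_bn2bin() into a scratch buffer, then place the result at the end and zero the front; for DH_compute_key() use its return value as 'written' rather than assuming DH_size() bytes were produced. Both sides of an IKE exchange must do this or their SKEYID values will differ on roughly one negotiation in 256, which is exactly the "seemingly random" failure the two commits describe.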
r523 | mgrooms | 2008-09-30 02:10:30 -0500 (Tue, 30 Sep 2008) | 2 lines
Correct a build breakage on platforms that use gcc.
------------------------------------------------------------------------
r521 | mgrooms | 2008-09-29 01:19:03 -0500 (Mon, 29 Sep 2008) | 5 lines
Cleanup our Diffie Hellman group setup functions in iked. Don't attempt
to generate a public key by hand. The OpenSSL DH_generate_key function
will handle this for us. While here, improve error handling for setup
failure.
Move the hash_size handler from the ike generic exchange class into the
phase1 subclass. It was not being used by any other exchange subclasses.
Modify the idb member function that sets a value for a range of bytes.
Specify the value parameter as an int and not a char.
------------------------------------------------------------------------
r519 | mgrooms | 2008-09-26 12:00:45 -0500 (Fri, 26 Sep 2008) | 1 line
Correct a few places where raw text ID values were not being null
terminated before evaluation. This was reported by Philipp Matthias via
the Debian bug ticketing system.
------------------------------------------------------------------------
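
The r519 fix above is a class of bug worth showing in full: an IKE identification payload carries its text (ID_FQDN, ID_USER_FQDN) with an explicit length and no terminator, so handing the raw bytes to strcmp() or a "%s" format reads past the payload. The C below is an added example written for this page, not the patch from the Debian ticket or shrew soft's code; the function names are hypothetical, and the rejection of embedded NUL bytes goes beyond what the commit describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Copy a textual ID payload into a fresh NUL-terminated string before any
 * C string routine sees it. Returns NULL on allocation failure or, going
 * beyond the commit, when the payload contains an embedded NUL: once handed
 * to strcmp(), "vpn.example.com\0.attacker" would otherwise compare equal to
 * "vpn.example.com". */
char *id_text_dup(const uint8_t *data, size_t len)
{
    if (data == NULL || memchr(data, '\0', len) != NULL)
        return NULL;
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, data, len);
    s[len] = '\0';
    return s;
}

/* Length-aware comparison of a received ID against the configured one. No
 * terminator is assumed on the payload side and a prefix match is not a
 * match. */
int id_text_equals(const uint8_t *data, size_t len, const char *configured)
{
    size_t clen = strlen(configured);
    return data != NULL && clen == len && memcmp(data, configured, len) == 0;
}

/* Worked check over a constructed payload: make a terminated copy, compare
 * with strcmp() on the copy only, and release it. A payload that cannot be
 * turned into a clean C string is refused rather than compared. */
int id_payload_matches(const uint8_t *data, size_t len, const char *configured)
{
    char *s = id_text_dup(data, len);
    if (s == NULL)
        return 0;
    int ok = strcmp(s, configured) == 0;
    free(s);
    return ok;
}
```

Either approach is safe; id_text_equals() avoids the allocation when only a comparison is needed, while id_text_dup() is the right tool when the ID must be logged or passed to code that expects a C string.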
r514 | mgrooms | 2008-09-09 04:49:40 -0500 (Tue, 09 Sep 2008) | 1 line
Add RFC 3526 to our public docs directory. It describes additional MODP
Diffie-Hellman groups for use with IKE.
------------------------------------------------------------------------
r512 | mgrooms | 2008-09-01 21:17:42 -0500 (Mon, 01 Sep 2008) | 2 lines
Perform some minor cleanup of the unix route code. Make the BSD and
Linux code more clean and consistent.
------------------------------------------------------------------------
r511 | mgrooms | 2008-09-01 20:18:21 -0500 (Mon, 01 Sep 2008) | 1 line
Modify the public libip header to support some new vista related windows
SDK functions. In particular, we need the definitions required for
GetIpInterfaceEntry which can be used to obtain interface route metrics.
------------------------------------------------------------------------
r510 | mgrooms | 2008-08-30 23:26:38 -0500 (Sat, 30 Aug 2008) | 2 lines
Attempt to improve the Linux iproute class. The netlink message parsing
code was barely working before. There may still be bugs lingering but
it's difficult to say with the documentation being so impressively vague.
------------------------------------------------------------------------
r509 | mgrooms | 2008-08-30 15:23:24 -0500 (Sat, 30 Aug 2008) | 2 lines
Modify the BSD IPROUTE class to use the IPROUTE_ENTRY struct as a
parameter instead of many individual parameters.
------------------------------------------------------------------------
r508 | mgrooms | 2008-08-30 14:52:28 -0500 (Sat, 30 Aug 2008) | 1 line
Modify all IPROUTE consumers to pass the IPROUTE_ENTRY structure as a
parameter instead of passing many individual parameters. This has been
changed in the windows IPROUTE class but unix variants still need to be
updated. This will happen in a follow up commit.
------------------------------------------------------------------------
r506 | mgrooms | 2008-08-30 13:49:55 -0500 (Sat, 30 Aug 2008) | 1 line
Modify libith to honor the const char changes on windows platforms.
------------------------------------------------------------------------
r504 | mgrooms | 2008-08-30 12:45:28 -0500 (Sat, 30 Aug 2008) | 1 line
Correct an issue in the unix vpn connect application. Check that a local
ID exists before blindly sending the value to iked. Without this patch,
the local ID would be transmitted as the remote ID if no remote ID
existed.
------------------------------------------------------------------------
r503 | mgrooms | 2008-08-28 23:52:07 -0500 (Thu, 28 Aug 2008) | 2 lines
Remove some debug printf statements from the unix libip route code.
------------------------------------------------------------------------
r502 | mgrooms | 2008-08-28 23:04:00 -0500 (Thu, 28 Aug 2008) | 2 lines
Make the route metric increment and decrement function a no-op on Linux.
It appears to be giving preference to newer routes which should be
sufficient for our purposes.
------------------------------------------------------------------------
r501 | mgrooms | 2008-08-28 16:10:36 -0500 (Thu, 28 Aug 2008) | 2 lines
Improve the libip route class for unix platforms. The route increment
and decrement functions were previously unimplemented. Since some unix
platforms don't support multiple concurrent routes to the same
destination network, we now replace and restore conflicting routes when
necessary using cached information. This has only been tested on
FreeBSD and may need to be tweaked for Linux.
------------------------------------------------------------------------
r499 | mgrooms | 2008-08-23 14:05:25 -0500 (Sat, 23 Aug 2008) | 1 line
Correct an issue in iked where NAT-T keep-alive packets were not being
identified correctly. Also correctly handle packets with malformed
ISAKMP headers.
------------------------------------------------------------------------
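
Two entries on this page, r553 (payload RESERVED bytes must be zero, and always record why a packet is refused) and r499 (identify NAT-T keep-alives and reject malformed ISAKMP headers), describe the receive-side checks an IKE daemon needs before it trusts anything in a datagram. The C below is an added example written for this page, not code from shrew soft's iked; it follows the header layouts in RFC 2408 and RFC 3948, all function names are hypothetical, and the sample datagrams are constructed rather than captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ISAKMP_HDR_LEN  28
#define ISAKMP_FLAGS_OK 0x07   /* E=0x01, C=0x02, A=0x04; other bits are reserved */

enum natt_kind { NATT_INVALID, NATT_KEEPALIVE, NATT_ESP, NATT_ISAKMP };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify a datagram received on the NAT-T port (UDP 4500, RFC 3948): one
 * 0xFF octet is a keep-alive, a four-zero-octet non-ESP marker introduces an
 * ISAKMP message at offset 4, and anything else with room for an ESP header
 * is ESP-in-UDP (a real SPI is never zero). */
enum natt_kind natt_classify(const uint8_t *buf, size_t len)
{
    if (len == 1 && buf[0] == 0xff)
        return NATT_KEEPALIVE;
    if (len >= 4 && be32(buf) == 0)
        return NATT_ISAKMP;
    return len >= 8 ? NATT_ESP : NATT_INVALID;
}

/* Validate an ISAKMP header (RFC 2408 section 3.1) and, for an unencrypted
 * message, walk the generic payload headers checking RESERVED bytes and
 * lengths. Returns NULL if well formed, otherwise the reason for refusal so
 * the caller can log it. */
const char *isakmp_validate(const uint8_t *pkt, size_t len)
{
    static const uint8_t zero_cookie[8] = {0};
    if (len < ISAKMP_HDR_LEN)
        return "datagram shorter than ISAKMP header";
    if (be32(pkt + 24) != len)
        return "header length field does not match datagram length";
    if (memcmp(pkt, zero_cookie, 8) == 0)
        return "initiator cookie is zero";
    if ((pkt[17] >> 4) != 1)
        return "unsupported ISAKMP major version";
    if ((pkt[19] & ~ISAKMP_FLAGS_OK) != 0)
        return "reserved flag bits set";
    if (pkt[19] & 0x01)
        return NULL;                /* encrypted: payloads are checked after decryption */

    uint8_t next = pkt[16];         /* first payload type; 0 (NONE) ends the chain */
    size_t off = ISAKMP_HDR_LEN;
    while (next != 0) {
        if (len - off < 4)
            return "truncated payload header";
        if (pkt[off + 1] != 0)
            return "payload RESERVED byte not zero";
        uint16_t plen = be16(pkt + off + 2);
        if (plen < 4 || plen > len - off)
            return "payload length out of range";
        next = pkt[off];
        off += plen;
    }
    return off == len ? NULL : "trailing bytes after last payload";
}

/* Constructed sample datagrams for the classifier (not captured traffic). */
const uint8_t SAMPLE_KEEPALIVE[1] = {0xff};
const uint8_t SAMPLE_MARKED[8]    = {0, 0, 0, 0, 0x8a, 0x1f, 0x33, 0xc0};
const uint8_t SAMPLE_ESP[8]       = {0x00, 0x00, 0x12, 0x34, 0, 0, 0, 1};

/* Build a constructed 36-byte main mode message: header plus one SA payload
 * with a 4-byte body. 'reserved' poisons the payload RESERVED byte and
 * 'flags' sets the header flags so the checks above can be exercised. */
size_t build_sample(uint8_t out[36], uint8_t reserved, uint8_t flags)
{
    static const uint8_t icky[8] = {0x8a, 0x1f, 0x33, 0xc0, 0x07, 0x5e, 0xd2, 0x41};
    memset(out, 0, 36);
    memcpy(out, icky, 8);           /* initiator cookie; responder cookie still zero */
    out[16] = 1;                    /* next payload: SA */
    out[17] = 0x10;                 /* version 1.0 */
    out[18] = 2;                    /* exchange: identity protection */
    out[19] = flags;                /* message id (20..23) stays zero in phase 1 */
    out[27] = 36;                   /* total length */
    out[28] = 0;                    /* SA payload: next payload NONE */
    out[29] = reserved;
    out[31] = 8;                    /* payload length: 4 header + 4 body */
    out[35] = 1;                    /* DOI: IPSEC */
    return 36;
}

/* Build, optionally drop 'cut' trailing bytes (a truncated datagram), validate. */
const char *validate_sample(uint8_t reserved, uint8_t flags, size_t cut)
{
    uint8_t pkt[36];
    size_t len = build_sample(pkt, reserved, flags);
    return isakmp_validate(pkt, cut < len ? len - cut : 0);
}
```

natt_classify() runs first on anything arriving on UDP 4500, and isakmp_validate() runs on the bytes following the marker (or on the whole datagram on UDP 500). Returning the reason string rather than a bare failure is what lets the caller log it, which is the logging point r553 makes. The walk stops at an encrypted message because payload headers are only meaningful after decryption; the same walk should then run on the plaintext before any payload is interpreted.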
r497 | mgrooms | 2008-08-23 11:07:23 -0500 (Sat, 23 Aug 2008) | 2 lines
Use const char declarations where appropriate to silence gcc 4.2 compile
time warnings.
------------------------------------------------------------------------
r495 | mgrooms | 2008-08-23 01:34:15 -0500 (Sat, 23 Aug 2008) | 2 lines
Make sure we set the version number for new site configurations in the
unix access manager.
------------------------------------------------------------------------
r493 | mgrooms | 2008-08-23 01:13:28 -0500 (Sat, 23 Aug 2008) | 2 lines
Correct a problem with tap address configuration on FreeBSD 7.x and
later. Use SIOCAIFADDR instead of SIOCSIFADDR on BSD platforms to avoid
an issue where the local link route is irreversibly set to an 8-bit
netmask.
------------------------------------------------------------------------
r490 | mgrooms | 2008-08-22 16:49:55 -0500 (Fri, 22 Aug 2008) | 1 line
Improve iked phase1 identifier matching log output.
------------------------------------------------------------------------
r488 | mgrooms | 2008-08-21 11:02:11 -0500 (Thu, 21 Aug 2008) | 4 lines
Correct some issues with the unix access manager application. A bug was
preventing the direct adapter mode from being selected. Thanks to
Prakash for reporting the problem and testing the patches.
Correct a buffer overflow issue with the unix connect application.
Submitted by Tai-hwa Liang.
------------------------------------------------------------------------
r487 | mgrooms | 2008-08-19 16:27:15 -0500 (Tue, 19 Aug 2008) | 1 line
Update the todo list.
------------------------------------------------------------------------
r486 | mgrooms | 2008-07-17 23:12:19 -0500 (Thu, 17 Jul 2008) | 2 lines
Correct an issue with iked where the unix NAT-T socket option was not
being set correctly for v00-01 protocol versions. Also set the broadcast
address on tap adapters for platforms that don't set this correctly when
the netmask is applied.
------------------------------------------------------------------------
r485 | mgrooms | 2008-07-01 09:50:22 -0500 (Tue, 01 Jul 2008) | 1 line
Restructure our todo list.
------------------------------------------------------------------------