r548 | mgrooms | 2008-10-11 16:43:41 -0500 (Sat, 11 Oct 2008) | 4 lines

Update the version number in CMakeLists and the version.h header.

Work around a regression in iked where we attempt to acquire the idb
lock mutex when it is already owned.

r547 | mgrooms | 2008-10-11 14:25:41 -0500 (Sat, 11 Oct 2008) | 1 line

Branch for 2.1.3 release.
r541 | mgrooms | 2008-10-06 23:45:13 -0500 (Mon, 06 Oct 2008) | 1 line

Update the todo list.
r538 | mgrooms | 2008-10-06 15:08:45 -0500 (Mon, 06 Oct 2008) | 1 line

Update todo list.
r536 | mgrooms | 2008-10-06 14:43:41 -0500 (Mon, 06 Oct 2008) | 15 lines

Re-write portions of the configuration exchange code in iked. The
complex send and recv functions have been spit into several smaller
functions. These are responsible for client and server operations for
xauth, modecfg push or modecfg pull. The client side functions have been
tested thoroughly but the server side functions need further review and
bug fixing. Additionally, the config state flags have been moved from
the tunnel handle to the config handle where they belong.

The major goal of this re-write was to prevent multiple config handles
from being used for xauth and modecfg negotiations. Previously, new
config handles were created for each unique packet message id.
Re-transmitting lost packets was impossible under certain circumstances
as the packet queue was destroyed along with the config handle. To avoid
this situation, a config handle is now associated with a phase1 handle.
The config handle is used to process all config packets for the given
phase1 ISAKMP cookie pair. This makes the packet re-transmit queue
persistent regardless of the message id. The config handle is destroyed
along with the phase1 handle.

Introduce a new intermediate exchange class in iked. The Diffie Hellman
and proposal members have been moved from the generic exchange class
into the generic security association exchange subclass. The subclass is
used as a base class for phase1 and phase2 classes. As a result, the
informational and configuration classes are now considerably more

Modify the exchange packet resend member functions to optionally purge
the packet queue when the schedule is cleared. The resend event has also
been modified to allow non-scheduled resends of a packet queue. Exchange
classes now retain the final packet queue contents after reaching
maturity. If an exchange packet is received afterwards, we assume a
message was lost in transit and resend the queue contents.

Modify iked phase1 and phase2 exchanges to not use the resend on final
exchange messages only to clear the resend immediately afterward. Also
cleanup and improve some log output.

Create a generic exchange message id and iv generation function. Retire
the phase2 specific iv generation function. Update all exchange classes
to use these functions.

Initialize the iked generic exchange msgid data member in the class
constructor and not in the derived class constructors. Be sure to clear
the resend attempt counter when clearing the resend schedule. Compare
the resend attempt count properly.

Cleanup some log output in iked. Instead of using the XX: sequence to
denote a warning, use ww: instead.
r528 | mgrooms | 2008-10-02 16:49:50 -0500 (Thu, 02 Oct 2008) | 1 line

Fix a another DH exchange related bug in iked. The OpenSSL
DH_generate_key function can occasionally write a public value that is
shorter than the prime value length. When we convert this BIGNUM value
to a BDATA value, we need to ensure the value is written to the buffer
properly and insert null padding at the front of the buffer when
appropriate. This also corrects seemingly random failures during phase1
and phase2+PFS negotiations.
r526 | mgrooms | 2008-10-01 04:55:12 -0500 (Wed, 01 Oct 2008) | 1 line

Fix a very elusive and long standing bug in iked. The OpenSSL
DH_compute_key function can occasionally write a shared secret that is
shorter than the DH public / private key lengths. When this happens, a
null character exist at the trailing end of the buffer that signifies
the least significant byte for the value. Fix this by trimming the
buffer to the length returned by DH_compute_key and inserting the
required null bytes at the front of the buffer where they belong. This
corrects seemingly random failures during phase1 and phase2+PFS
r524 | mgrooms | 2008-09-30 02:10:44 -0500 (Tue, 30 Sep 2008) | 2 lines

Correct a build breakage on platforms that use gcc.

r522 | mgrooms | 2008-09-29 01:19:17 -0500 (Mon, 29 Sep 2008) | 5 lines

Cleanup our Diffie Hellman group setup functions in iked. Don't attempt
to generate a public key by hand. The OpenSSL DH_generate_key function
will handle this for us. While here, improve error handling for setup

Move the hash_size handler from the ike generic exchange class into the
phase1 subclass. It was not being used by any other exchange subclasses.

Modify the idb member function that sets a value for a range of bytes.
Specify the value parameter as an int and not a char.
r520 | mgrooms | 2008-09-26 12:01:47 -0500 (Fri, 26 Sep 2008) | 1 line

Correct a few places where raw text ID values were not being null
terminated before evaluation. This was reported by Philipp Matthias via
the Debian bug ticketing system.