r879 | mgrooms | 2013-04-18 23:15:05 -0500 (Thu, 18 Apr 2013) | 2 lines

Correct a bug in iked that caused the parent pid, before the fork, to be
written to the pid file instead of the daemonized child pid. Patch
submitted by Philippe Vouters.
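
The ordering that r879 fixes, as an added C example that is not Shrew Soft's iked code: fork first, let the parent exit, and only then record getpid() from the child that keeps running. write_pidfile, read_pidfile, daemonize_and_record and the file name iked_example.pid are hypothetical names chosen for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Write one pid per line to the pid file. Returns 0 on success, -1 on error. */
int write_pidfile(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    if (fprintf(f, "%ld\n", (long)pid) < 0) {
        fclose(f);
        return -1;
    }
    return fclose(f) == 0 ? 0 : -1;
}

/* Read the pid back, as an init script or a second daemon instance would.
 * Returns -1 if the file is missing or does not hold a number. */
long read_pidfile(const char *path)
{
    FILE *f = fopen(path, "r");
    long pid = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &pid) != 1)
        pid = -1;
    fclose(f);
    return pid;
}

/* The ordering r879 fixes. The pid worth recording is only known after
 * fork(), in the child. Recording getpid() before fork() stores the parent,
 * which exits a moment later, so the pid file points at a dead process and
 * a second instance can start. Returns 0 in the daemonized child, -1 on
 * error; the parent never returns from this function. */
int daemonize_and_record(const char *pidfile)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid > 0)
        _exit(0);                       /* parent leaves; child carries on */
    if (setsid() < 0)
        return -1;
    return write_pidfile(pidfile, getpid());
}
```

The round trip of write_pidfile and read_pidfile is what a start script relies on; daemonize_and_record is shown for the ordering and is not exercised by the check below because it forks.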

r876 | mgrooms | 2013-04-16 18:57:34 -0500 (Tue, 16 Apr 2013) | 2 lines

Correct some whitespace and spelling errors.

r873 | mgrooms | 2013-04-16 01:04:25 -0500 (Tue, 16 Apr 2013) | 1 line

Update the global version.h file to bump the build version, copyright
year and build type.
r871 | mgrooms | 2013-04-11 02:00:09 -0500 (Thu, 11 Apr 2013) | 1 line

Branch for 2.2.0 release.
r870 | mgrooms | 2013-04-07 11:28:06 -0500 (Sun, 07 Apr 2013) | 2 lines

Correct two typos and add a gitignore file for those tracking
development through git-svn. Submitted by Alexis Lagoutte.

r868 | mgrooms | 2013-04-07 11:15:59 -0500 (Sun, 07 Apr 2013) | 2 lines

Correct the build for test_ith. Thanks to Philippe Vouters for pointing
this out.

r866 | mgrooms | 2013-04-06 23:23:05 -0500 (Sat, 06 Apr 2013) | 2 lines

Modify iked to exit with an error when an unknown command line option is

r864 | mgrooms | 2013-04-06 15:11:46 -0500 (Sat, 06 Apr 2013) | 1 line

Modify iked to use a windows form of a string copy function to silence
compiler warnings. The compatibility for this is handled on linux and
bsd by a macro.
r862 | mgrooms | 2013-04-06 14:57:27 -0500 (Sat, 06 Apr 2013) | 2 lines

Modify qikec to correct a file password null termination issue.

r861 | mgrooms | 2013-04-06 14:55:32 -0500 (Sat, 06 Apr 2013) | 2 lines

Modify the public config.h file to use the public license. This should
have been the case from the beginning.

r860 | mgrooms | 2013-04-03 02:10:43 -0500 (Wed, 03 Apr 2013) | 2 lines

Modify iked to handle all documented command line options. This is a
modified version of patch submitted by Philippe Vouters.

r857 | mgrooms | 2012-12-17 22:31:26 -0600 (Mon, 17 Dec 2012) | 2 lines

Modify two cases where a BDATA instance was being set to a new value
without being cleared first. Patch submitted by Philippe Vouters.

r854 | mgrooms | 2012-12-15 16:58:07 -0600 (Sat, 15 Dec 2012) | 2 lines

Modify ike clients to handle password protected file names correctly.
The base client class will pass a file name without null termination to
a client when a password is required. Make sure we null terminate the
file name before displaying it to the user.

r852 | mgrooms | 2012-12-15 16:14:32 -0600 (Sat, 15 Dec 2012) | 2 lines

Modify iked and libike to uniformly handle file password data. The
client now passes all user and keyfile passwords without null
termination. The iked daemon passes the raw password into pem related
functions and will pass a null terminated version of passwords to PKCS12
functions. This is required by openssl as pkcs12 functions do not accept
a password callback function as a parameter.

r850 | mgrooms | 2012-12-15 16:08:51 -0600 (Sat, 15 Dec 2012) | 2 lines

Modify qikea to correctly configure certificate and key data. This fixes
a regression where the cert/key path length was being verified to
determine if the required data was available in a site configuration.
However, the path was only set when new cert/key data was being
configured. This caused an error message to be displayed even though
site data had been previously configured.

r848 | mgrooms | 2012-12-14 18:37:52 -0600 (Fri, 14 Dec 2012) | 1 line

r846 | mgrooms | 2012-12-14 00:07:26 -0600 (Fri, 14 Dec 2012) | 2 lines

Split the unix specific adapter and dns configuration code into two
separate procedures.

r844 | mgrooms | 2012-12-13 20:13:20 -0600 (Thu, 13 Dec 2012) | 1 line

Modify iked to correct pkcs12 and pem password handling. Make sure we
skip the null terminating character when processing the password in the
pem_password_cb function. Also make sure we are passing a BDATA pointer
and not the raw string to the callback function. While here, log the
openssl error output when the level is set to loud or higher.
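
The split that r852 and r844 describe (raw, length-delimited passwords to the PEM callback; a NUL-terminated copy only for PKCS12_parse, which takes a C string and no callback), as an added C example that is not iked's or libike's code. pwd_buf is an assumed stand-in for libidb's BDATA; pem_pwd_cb has the shape of OpenSSL's pem_password_cb type but the example compiles without OpenSSL; copy_name_for_display shows the r832/r854 kind of fix for a file name handed over without a terminator. All three names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical length-delimited buffer standing in for libidb's BDATA.
 * Passwords arrive from the client without a NUL terminator, so nothing
 * below may call strlen() on them. */
typedef struct {
    const unsigned char *data;
    size_t size;
} pwd_buf;

/* Same shape as OpenSSL's pem_password_cb:
 *     int (*)(char *buf, int size, int rwflag, void *userdata)
 * OpenSSL expects the password bytes in buf (no terminator required) and
 * the byte count as the return value; -1 signals failure. */
int pem_pwd_cb(char *buf, int size, int rwflag, void *userdata)
{
    const pwd_buf *pw = (const pwd_buf *)userdata;
    (void)rwflag;
    if (pw == NULL || pw->data == NULL || size < 0)
        return -1;
    /* refuse rather than truncate: a shortened password would fail
     * decryption with a misleading "bad password" error */
    if (pw->size > (size_t)size)
        return -1;
    memcpy(buf, pw->data, pw->size);
    return (int)pw->size;
}

/* PKCS12_parse() takes a C string and offers no callback, so the only
 * option is a NUL-terminated copy made for that call. An embedded NUL
 * would silently shorten the password, so it is rejected. Caller frees. */
char *pwd_cstring(const pwd_buf *pw)
{
    char *out;
    if (pw == NULL || pw->data == NULL)
        return NULL;
    if (memchr(pw->data, '\0', pw->size) != NULL)
        return NULL;
    out = malloc(pw->size + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, pw->data, pw->size);
    out[pw->size] = '\0';
    return out;
}

/* The r832/r854 class of bug: a file name handed over without a
 * terminator must be terminated before any printf-style display.
 * Copies at most dstsize-1 bytes, always terminates, returns 1 if the
 * whole name fit and 0 if it was truncated. */
int copy_name_for_display(char *dst, size_t dstsize,
                          const unsigned char *src, size_t srclen)
{
    size_t n;
    if (dst == NULL || dstsize == 0)
        return 0;
    n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n == srclen;
}
```

The callback refuses a password longer than the buffer OpenSSL offers instead of truncating it, because a truncated password produces a decryption failure that looks like a wrong password rather than a too-long one.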
r842 | mgrooms | 2012-12-11 01:12:15 -0600 (Tue, 11 Dec 2012) | 1 line

Modify iked to load password protected p12 files correctly. Make sure we
always pass an EVP_PKEY pointer to PKCS12_parse when an X509 Stack
pointer is not provided. Without it, newer versions of openssl will fail
to extract the x509 client certificate.
r840 | mgrooms | 2012-12-11 01:07:57 -0600 (Tue, 11 Dec 2012) | 1 line

Correct a build error with gcc/llvm.
r838 | mgrooms | 2012-12-11 00:56:33 -0600 (Tue, 11 Dec 2012) | 1 line

Modify iked to load the ssl error strings on startup. These are useful
for printing libeay error messages.
r836 | mgrooms | 2012-12-11 00:55:23 -0600 (Tue, 11 Dec 2012) | 1 line

Modify the iked dhcp packet creation code. Make sure we append a
DHCP_OPT_END to denote the end of a list of options for each packet we
send to the DHCP server.
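
The option-list framing that r836 adds, as an added C example that is not iked's DHCP code: an encoder that closes the list with DHCP_OPT_END and a walker that reports a list with no END as malformed. The dhcp_opts type and function names are hypothetical; option codes 53 (message type), 55 (parameter request list), 0 (pad) and 255 (end) are the RFC 2132 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DHCP_OPT_PAD 0     /* RFC 2132: single-byte padding, no length */
#define DHCP_OPT_END 255   /* RFC 2132: single-byte end of option list */

/* Hypothetical encoder state for the options field of an outgoing packet. */
typedef struct {
    uint8_t *buf;
    size_t cap;
    size_t len;
    int error;
} dhcp_opts;

void dhcp_opts_init(dhcp_opts *o, uint8_t *buf, size_t cap)
{
    o->buf = buf;
    o->cap = cap;
    o->len = 0;
    o->error = 0;
}

/* Append one code/length/value option. The length is one byte, so n <= 255. */
int dhcp_opts_add(dhcp_opts *o, uint8_t code, const void *data, size_t n)
{
    if (o->error || n > 255 || o->len + 2 + n > o->cap) {
        o->error = 1;
        return 0;
    }
    o->buf[o->len++] = code;
    o->buf[o->len++] = (uint8_t)n;
    memcpy(o->buf + o->len, data, n);
    o->len += n;
    return 1;
}

/* Terminate the list. Without this byte the server parses whatever
 * follows in the packet buffer as further options. */
int dhcp_opts_end(dhcp_opts *o)
{
    if (o->error || o->len + 1 > o->cap) {
        o->error = 1;
        return 0;
    }
    o->buf[o->len++] = DHCP_OPT_END;
    return 1;
}

/* Walk a received option list the way a careful receiver does: PAD has
 * no length byte, END stops the walk, every other option carries a
 * length that must fit inside the buffer. Returns the option count, or
 * -1 when the buffer ends before DHCP_OPT_END or an option overruns it. */
int dhcp_opts_count(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    int count = 0;

    while (i < len) {
        uint8_t code = buf[i++];
        if (code == DHCP_OPT_END)
            return count;
        if (code == DHCP_OPT_PAD)
            continue;
        if (i >= len)
            return -1;              /* code with no length byte */
        size_t n = buf[i++];
        if (n > len - i)
            return -1;              /* length runs past the buffer */
        i += n;
        count++;
    }
    return -1;                      /* ran off the end without END */
}
```

The walker's `n > len - i` form avoids the `i + n > len` overflow on a hostile length byte, the same check the r824 route message reader needed for reading past a buffer.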
r834 | mgrooms | 2012-12-10 23:26:01 -0600 (Mon, 10 Dec 2012) | 1 line

Correct a windows specific bug in the libidb file functions. Make sure
we specify the binary flag in fopen calls so that non-ascii file data
can be read or written.
r832 | mgrooms | 2012-12-10 23:22:14 -0600 (Mon, 10 Dec 2012) | 1 line

Correct a problem with the shared client class. Make sure we null
terminate the file name buffer before passing it to the client front
r830 | mgrooms | 2012-12-09 21:04:20 -0600 (Sun, 09 Dec 2012) | 1 line

Modify the iked name server structure to hold a maximum of 8 DNS server
addresses and 4 NetBIOS name server addresses. This should alleviate the
issue where an unusually large number of name server addresses were
statically configured on a host and were not restored correctly after a
tunnel was torn down.
r828 | mgrooms | 2012-12-05 23:08:31 -0600 (Wed, 05 Dec 2012) | 1 line

Modify iked to split the network adapter configuration procedure from
the DNS configuration procedure. This change allows the virtual adapter
configuration and policy routes manipulation to occur before configuring
DNS settings. Some platforms such as OSX may require this as it stores
the adapter index of the interface used to perform domain name
r826 | mgrooms | 2012-12-05 22:03:26 -0600 (Wed, 05 Dec 2012) | 2 lines

Correct a bug in the libip route_entry assignment operator. This was
causing route delete issues during tunnel tear-down.

r824 | mgrooms | 2012-12-04 13:58:16 -0600 (Tue, 04 Dec 2012) | 2 lines

Modify the libip route class. Force message alignment to 32bit on Apple
OSX platforms. Make sure we only read address types returned in the
route message and that we don't read past the message buffer contents.

r822 | mgrooms | 2012-11-28 00:22:00 -0600 (Wed, 28 Nov 2012) | 2 lines

Add some Apple OSX specific notes to the README.TXT file.

r820 | mgrooms | 2012-11-27 23:53:09 -0600 (Tue, 27 Nov 2012) | 2 lines

Modify CMakeLists.txt files to allow for installation to specifically
defined bin and sbin directories. Introduce a new libqt directory that
allows for a private Qt installation on OSX platforms.

r818 | mgrooms | 2012-11-19 17:28:52 -0600 (Mon, 19 Nov 2012) | 2 lines

Correct some minor issues which were discovered using the llvm/clang
compiler toolset on OSX. Treat IPROUTE_ENTRY as a class instead of a
struct. Fix a 1 byte buffer overflow in the DHCP code.

r815 | mgrooms | 2012-11-18 16:52:36 -0600 (Sun, 18 Nov 2012) | 2 lines

Correct a few typos in the Qt Gui and update some copyright information.

r813 | mgrooms | 2012-11-18 16:25:23 -0600 (Sun, 18 Nov 2012) | 2 lines

Update the CMakeLists.txt file to work on newer OSX builds. We also
silence some warnings due to deprecated call usage on this platform.

r811 | mgrooms | 2012-11-05 01:50:56 -0600 (Mon, 05 Nov 2012) | 1 line

Create 2.2 maintenance branch.
r810 | mgrooms | 2012-05-18 01:25:41 -0500 (Fri, 18 May 2012) | 1 line

Update the copyright year to 2012.
r809 | mgrooms | 2012-02-10 01:34:50 -0600 (Fri, 10 Feb 2012) | 2 lines

Correct a spelling mistake in the iked log output and comments.

r808 | mgrooms | 2012-02-10 01:05:36 -0600 (Fri, 10 Feb 2012) | 2 lines

Modify iked and libith to silence a few harmless warnings when running
iked under valgrind.

r807 | mgrooms | 2012-02-07 23:09:35 -0600 (Tue, 07 Feb 2012) | 3 lines

When generating a phase1 keys, make sure we process the return code
correctly. Otherwise the client can attempt to encrypt a packet even
though it has not setup the key material properly.

Add a few more memory allocation sanity checks to the BDATA and IPC
message handling system.
r806 | mgrooms | 2011-08-06 13:38:14 -0500 (Sat, 06 Aug 2011) | 1 line

Modify iked to handle policy management correctly. When removing
policies, ensure that we process them in the exact order we created
them. Otherwise the removal process can fail.
r805 | mgrooms | 2011-06-30 17:50:09 -0500 (Thu, 30 Jun 2011) | 1 line

Modify iked to avoid problems associated with suspend/resume operations.
We now use the Ex version of the service handler and request to be
notified of power state change events. When the system is transitioning
to a low power state, we gracefully shut down all active tunnels.
r803 | mgrooms | 2011-02-06 17:45:12 -0600 (Sun, 06 Feb 2011) | 2 lines

Add a note to the README.TXT file Linux section that mentions the
-LIBDIR option. This is useful for 64bit builds that install libraries
to the /usr/lib64 path.

r802 | mgrooms | 2011-02-06 10:40:00 -0600 (Sun, 06 Feb 2011) | 2 lines

Modify the libike config file save function to use a long format
modifier when writing numeric values. This corrects build issues with
newer versions of gcc.

r801 | mgrooms | 2011-02-06 10:26:31 -0600 (Sun, 06 Feb 2011) | 2 lines

Fix the build on Linux platforms. I failed to convert one block of
adapter configuration code that was Linux conditional in a previous

r800 | mgrooms | 2011-02-01 02:51:04 -0600 (Tue, 01 Feb 2011) | 1 line

Synchronize the todo list with the public website version.
r799 | mgrooms | 2011-02-01 02:21:25 -0600 (Tue, 01 Feb 2011) | 2 lines

Modify the iked and libike source for Linux/BSD/OSX systems to catch
up with recent changes made to support Secure Domain Login on Windows
platforms. There should be no functional difference.

r798 | mgrooms | 2011-02-01 02:13:05 -0600 (Tue, 01 Feb 2011) | 1 line

Correct a regression in iked where the client cleanup function was not
being called correctly.
r797 | mgrooms | 2011-02-01 01:21:32 -0600 (Tue, 01 Feb 2011) | 1 line

Correct a few regressions in iked related to the suspend resume changes.
Make sure we release our tunnel reference when suspending the tunnel so
it can be destroyed properly after resuming control. Also correct a
problem with phase1 negotiation errors not properly waking the client
thread so the issue can be reported to the user.
r796 | mgrooms | 2011-01-29 13:13:20 -0600 (Sat, 29 Jan 2011) | 3 lines

Modify iked to allow client to suspend and resume tunnel control. This
is necessary for Secure Domain Login support. The virtual adapter and
DNS proxy client interface instance pointers are now stored in the
tunnel class instance. This allows the client control interface to be
fully suspended and resumed without losing the ability to manage these
subordinate interfaces. Other code paths were modified to prevent access
to the client control interface pointer after a tunnel has been
established. The interface pointer will be set to NULL when a client
suspends tunnel control. The code that manages adapter and DNS proxy
settings has been pushed into the platform specific client setup and
cleanup functions. The Linux/BSD/OSX platform code will need to be
updated to reflect these changes.

Modify the generic client interface to support tunnel control suspend
and resume operations. These are Windows specific. The command line
options parser code path was modified to not display the usage help.
This was moved into its own function and should be called by clients
when the option parser returns a syntax error value. The site name read
by the parser is now stored internally and the load and save functions
now use this instead of accepting a name value as a parameter. The
Linux/BSD/OSX platform code will need to be updated to reflect these
r795 | mgrooms | 2011-01-17 15:20:02 -0600 (Mon, 17 Jan 2011) | 1 line

Modify the libike generic CLIENT class to more easily support non
threaded clients. This involved splitting the thread handler into
separate functions named run_init() and run_loop() that can be called
directly by a subclass. A few code paths were also made optional for
lightweight clients.
r794 | mgrooms | 2011-01-15 17:40:55 -0600 (Sat, 15 Jan 2011) | 2 lines

Modify the libike CMakeLists.txt file to include openssl libcrypto. This
is required for OSX platforms.

r793 | mgrooms | 2011-01-15 17:33:25 -0600 (Sat, 15 Jan 2011) | 2 lines

Modify some Linux/BSD include directives now that liblog and libith have
been untangled from libidb.

r792 | mgrooms | 2011-01-15 17:04:12 -0600 (Sat, 15 Jan 2011) | 1 line

Remove our copy of pfkeyv2.h file. It now lives with the private Windows
project source.
r791 | mgrooms | 2011-01-15 16:09:32 -0600 (Sat, 15 Jan 2011) | 1 line

Move the reference counted list class from libidb to iked. This is the
only place the class was being used. Doing so removes several
undesirable dependencies from the other utility libraries.
r790 | mgrooms | 2011-01-12 00:16:29 -0600 (Wed, 12 Jan 2011) | 1 line

Modify libike to correct a problem with static address settings on
virtual adapters. This issue was reported by Kevin on the vpn-help
mailing list.
r789 | mgrooms | 2011-01-11 19:12:55 -0600 (Tue, 11 Jan 2011) | 2 lines

Correct a build problem on Linux platforms. Apparently BSD/OSX and Linux
disagree on the sadb spelling of the SHA2 authentication algorithms.
BSD/OSX uses SADB_X_AALG_SHA2_xxx and Linux uses
SADB_X_AALG_SHA2_xxxHMAC. Since the Linux versions are more consistent
with the rest of the algorithm spellings, we use the HMAC suffixed versions
and provide ifdef's for compatibility with BSD/OSX.

r788 | mgrooms | 2011-01-10 00:06:37 -0600 (Mon, 10 Jan 2011) | 2 lines

Modify the Linux/BSD/OSX VPN Access manager to correctly mangle
duplicate site names. This was broken in a previous commit.

r787 | mgrooms | 2011-01-09 23:53:46 -0600 (Sun, 09 Jan 2011) | 1 line

Add support for public site configurations on Windows platforms. This
allows sites to be designated as public which are accessible by all
users on the system. Only a user with administrative access can create
or remove a public profile.
r786 | mgrooms | 2011-01-05 22:51:46 -0600 (Wed, 05 Jan 2011) | 2 lines

Modify the Linux/BSD/OSX VPN Access manager to not request updated site
configurations to be saved to the original file during import

r785 | mgrooms | 2011-01-05 22:47:44 -0600 (Wed, 05 Jan 2011) | 1 line

Modify libike to correct a few issues. Include the site configuration
manager in the CLIENT class so it is initialized when the client starts.
Add an option to the file based site configuration load function to
avoid writing version update configuration changes to a file when
loaded. Lastly, modify the latest configuration version update to not
clobber certificate information when reading a previously exported file
with an older configuration version.
r784 | mgrooms | 2011-01-05 02:45:09 -0600 (Wed, 05 Jan 2011) | 2 lines

Modify the Linux/BSD/OSX VPN Access Manager to store certificate and key
data directly in the site configuration. A user selects the file
location for the contents to be embedded instead of using a reference to
the file location.

r783 | mgrooms | 2011-01-05 00:28:30 -0600 (Wed, 05 Jan 2011) | 1 line

Modify libike to support migration of sites from the registry to files.
This only occurs once when the user's 'AppData\Shrew Soft VPN' folder is
created. Site configurations are not currently deleted from the registry
for backward compatibility. The final 2.2.0 release version will remove
registry data.
r782 | mgrooms | 2011-01-04 01:59:54 -0600 (Tue, 04 Jan 2011) | 5 lines

Modify libike to allow a client to send the actual certificate and key
data instead of a path to a file containing the data when passing a site
configuration to the ike daemon. The site configuration manager now
imports all certificate files into the related configuration files
during startup for legacy configs. This means all certificate data for a
given configuration will always be embedded in the site configuration

Modify iked to support reading password protected pem and pkcs12 from
OpenSSL BIO memory buffers. While here, correct a few problems with
certificate password handling. More testing is needed. The list of DH
groups and message auth algorithms used for automatic proposal
negotiation were also trimmed to avoid very large packet fragments.
These will need to be selected manually.

Modify the libidb BDATA class to support loading and saving data
directly from a file or an open file handle.
r781 | mgrooms | 2010-12-31 00:56:31 -0600 (Fri, 31 Dec 2010) | 2 lines

Modify the Linux/BSD/OSX UI components to support dh groups 16, 17 and

r780 | mgrooms | 2010-12-31 00:47:19 -0600 (Fri, 31 Dec 2010) | 1 line

Modify iked to support dh groups 16, 17 and 18. These primes are also
known as modp-4096, modp-6144 and modp-8192. Requested by Serge on the
vpn-devel mailing list.
r779 | mgrooms | 2010-12-30 21:34:09 -0600 (Thu, 30 Dec 2010) | 2 lines

Remove the site configuration upgrade functionality from the Windows VPN
Access Manager application. This is now handled by the cross platform
configuration manager class. Make sure the configuration manager uses a
null terminated value when storing path information on Linux/BSD/OSX

r778 | mgrooms | 2010-12-30 21:17:33 -0600 (Thu, 30 Dec 2010) | 1 line

Make sure the configuration manager uses a null terminated value when
storing path information on windows platforms.
r777 | mgrooms | 2010-12-30 20:40:29 -0600 (Thu, 30 Dec 2010) | 1 line

Modify the cross platform configuration manager class to handle site
configuration upgrades automatically at load time. This allows us to
remove the upgrade functions from the platform specific VPN Access
manager applications.
r776 | mgrooms | 2010-12-30 17:51:13 -0600 (Thu, 30 Dec 2010) | 2 lines

Modify the Linux/BSD libike and user interface components to track
recent modification to the client interface.

r775 | mgrooms | 2010-12-30 15:44:42 -0600 (Thu, 30 Dec 2010) | 1 line

Modify the site configuration and manager classes to push file path
handling into the manager class for normal load and save operations. The
generic client class has also been updated to follow suit.
r774 | mgrooms | 2010-12-25 00:12:29 -0600 (Sat, 25 Dec 2010) | 1 line

Modify libike to cast a value used in an OpenSSL function to avoid a
compiler warning on x64 Windows builds.
r773 | mgrooms | 2010-12-24 23:27:31 -0600 (Fri, 24 Dec 2010) | 2 lines

Correct the build on Linux/BSD systems. Correct reading vpn files that
contain the Windows CR/LF end of line markers.

r772 | mgrooms | 2010-12-24 22:40:57 -0600 (Fri, 24 Dec 2010) | 1 line

Modify the generic libike CLIENT class to be compatible with windows.
With any luck, we will convert the Windows VPN Connect application to
use this so that Linux/BSD, OSX and Windows all use the same code path.
r771 | mgrooms | 2010-12-24 22:20:32 -0600 (Fri, 24 Dec 2010) | 2 lines

Add the two new files that contain the generic CLIENT class
functionality. They were missed in a previous commit.

r770 | mgrooms | 2010-12-24 22:06:54 -0600 (Fri, 24 Dec 2010) | 2 lines

Now that the generic client class is named CLIENT and not IKEC,
rename the command line version files to ikec.cpp and ikec.h and rename
the command line class to IKEC.

r769 | mgrooms | 2010-12-24 22:00:48 -0600 (Fri, 24 Dec 2010) | 2 lines

Really remove the files that contain the generic IKEC class. This has
been moved to libike.

r768 | mgrooms | 2010-12-24 21:58:10 -0600 (Fri, 24 Dec 2010) | 2 lines

Move the generic IKEC class into libike and rename it to the CLIENT
class. Modify the ikec and qikec projects to use the generic CLIENT
class that now lives in libike.

r767 | mgrooms | 2010-12-24 21:29:25 -0600 (Fri, 24 Dec 2010) | 1 line

Modify the site configuration class functions to fix a few more const
char issues.
r766 | mgrooms | 2010-12-24 21:18:16 -0600 (Fri, 24 Dec 2010) | 2 lines

Update the unified site configuration handler classes recently added to
libike to work on Linux/BSD. Update ikec, qikec and qikea programs to
use these classes and remove the Linux/BSD specific version from the
ikec folder.

r765 | mgrooms | 2010-12-24 21:15:17 -0600 (Fri, 24 Dec 2010) | 2 lines

Update the Linux/BSD iked file configuration parser to support the new
SHA2 options.

r764 | mgrooms | 2010-12-24 19:56:16 -0600 (Fri, 24 Dec 2010) | 1 line

Merge the site configuration management functions into libike. This is
the first step in merging the Linux/BSD configuration functions with the
Windows versions.
r763 | mgrooms | 2010-12-22 15:35:36 -0600 (Wed, 22 Dec 2010) | 1 line

Modify iked and libpfk to ensure key buffer lengths are long enough to
support the new sha2 512 bit option. This was causing a buffer overflow
when 384 or 512 bit sha2 was selected.
r762 | mgrooms | 2010-12-22 13:55:16 -0600 (Wed, 22 Dec 2010) | 1 line

Modify libpfk and the IKE daemon to support SHA2 algorithms. We now
include hash and hmac options for the 256, 384 and 512 bit variants.
r761 | mgrooms | 2010-12-22 12:47:52 -0600 (Wed, 22 Dec 2010) | 2 lines

Correct a regression in the Linux/BSD VPN Access manager. The phase2
transforms were missing the 'esp-' prefixes which made importing from a
windows vpn file problematic.

r760 | mgrooms | 2010-12-19 22:38:20 -0600 (Sun, 19 Dec 2010) | 1 line

Correct a problem with DHCP over IPsec. Some time ago we changed the way
the xconf flags were used so that rqst values only specified the options
to be requested and opts values specified the options actually
negotiated. The DHCP code was never updated to reflect this. This
problem was reported by Noach Summer. Also, change some parameter names
in the modecfg get and set functions to more accurately reflect what
they are used for.
r759 | mgrooms | 2010-12-17 02:22:55 -0600 (Fri, 17 Dec 2010) | 1 line

Refine the libith generic overlapped send and receive operations a bit.
When an overlapped operation is aborted, we react as if the file
descriptor is no longer usable. This should not have any adverse effect
on callers. It does solve an issue with the libvflt and libvnet
interfaces where the descriptor should be closed if the kernel aborts an
operation. This allows both drivers to shutdown properly while services
are still running.
r758 | mgrooms | 2010-12-13 01:32:04 -0600 (Mon, 13 Dec 2010) | 1 line

Modify liblog to not pass the raw log input as the formatted string.
This can cause a crash when the log level is turned up to debug and the
input contains chars that would be incorrectly interpreted as expansion
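
The format string mistake that r758 removes, as an added C example that is not liblog's code: untrusted text must be an argument to a literal format, never the format itself. log_text and log_fmt are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical log sink. liblog's bug was the equivalent of
 *     snprintf(out, outsize, input);
 * with input taken from the peer or the user: every '%' in it becomes a
 * conversion that reads stack slots, and "%n" writes memory. The fix is
 * a literal format with the untrusted text as an argument. Returns the
 * snprintf result. */
int log_text(char *out, size_t outsize, const char *level, const char *input)
{
    return snprintf(out, outsize, "[%s] %s", level, input);
}

/* Formatted logging for callers that own the format: fmt must be a
 * literal in the calling code, never data. Returns the length that would
 * have been written, or a negative value on error. */
int log_fmt(char *out, size_t outsize, const char *level, const char *fmt, ...)
{
    va_list ap;
    int n, m;

    n = snprintf(out, outsize, "[%s] ", level);
    if (n < 0 || (size_t)n >= outsize)
        return n;
    va_start(ap, fmt);
    m = vsnprintf(out + n, outsize - (size_t)n, fmt, ap);
    va_end(ap);
    return m < 0 ? m : n + m;
}
```

Compiling with -Wformat-security (or -Wformat-nonliteral) flags the original pattern, since the format argument is not a literal.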
r757 | mgrooms | 2010-12-10 02:09:19 -0600 (Fri, 10 Dec 2010) | 1 line

Make sure we test for the IPC_WAKEUP value when evaluating libith io
read results. Otherwise we could loop endlessly trying to re-open the
file handles during shutdown.
r756 | mgrooms | 2010-12-09 23:11:16 -0600 (Thu, 09 Dec 2010) | 1 line

Fix some indentation that was performed using spaces instead of tab
r755 | mgrooms | 2010-12-04 01:39:43 -0600 (Sat, 04 Dec 2010) | 1 line

Modify iked to fix an instance where we force a long to a bool value for
no reason.
r754 | mgrooms | 2010-12-03 23:58:16 -0600 (Fri, 03 Dec 2010) | 2 lines

Modify two instances in the libidb list class where memmove should have
been called instead of memcpy.

r753 | mgrooms | 2010-12-03 23:49:51 -0600 (Fri, 03 Dec 2010) | 2 lines

Modify iked sources to fix a few memory leaks. Call the appropriate
openssl cleanup routines when a thread exits. Add two functions that
wrap openssl initialization and cleanup and make sure they are called at
daemon startup and shutdown.

r752 | mgrooms | 2010-12-02 13:10:04 -0600 (Thu, 02 Dec 2010) | 2 lines

Modify the libith event processing class to not leak memory when
scheduling recurring events.

r751 | mgrooms | 2010-12-02 13:08:28 -0600 (Thu, 02 Dec 2010) | 2 lines

Modify the iked certificate handling functions to avoid a few memory
leaks when using certificate stacks.

r750 | mgrooms | 2010-12-02 10:07:52 -0600 (Thu, 02 Dec 2010) | 2 lines

Modify the libith Linux/BSD thread create function to call
pthread_detach. Otherwise, we leaked a small amount of memory each
time a thread was created and destroyed.

r749 | mgrooms | 2010-12-02 10:06:10 -0600 (Thu, 02 Dec 2010) | 2 lines

Modify iked to use non-deprecated versions of the openssl HMAC
functions. In particular, the HMAC_Init function caused a memory leak when
used to re-initialize an HMAC context.

r748 | mgrooms | 2010-12-01 19:34:50 -0600 (Wed, 01 Dec 2010) | 1 line

Modify the Windows version of the libith IPC done function to guard
against double free calls when cleaning up resources.
r747 | mgrooms | 2010-11-30 23:10:29 -0600 (Tue, 30 Nov 2010) | 2 lines

Fix a few memory leaks in iked. This is mostly due to missing class

r746 | mgrooms | 2010-11-30 21:54:37 -0600 (Tue, 30 Nov 2010) | 2 lines

Modify the iked socket wrapper functions on Linux/BSD platforms to avoid
returning from select during read unless the daemon is shutting down.

r745 | mgrooms | 2010-11-30 19:45:41 -0600 (Tue, 30 Nov 2010) | 1 line

Modify the ike, ipsec and dtp daemons to use asynchronous vflt read
operations. This avoids calls to select which woke up every 500ms to
check for an exit status. As a result, all daemons remain in an
efficient wait state at all times until an action needs to be performed.
The vflt interface library was modified to use asynchronous versions of
the ReadFileEx and WriteFileEx windows methods and daemon specific io
loops were modified to take advantage of this. Modifications to the
Linux/BSD versions of the iked socket wrapper functions will be included
in a follow up commit.
r744 | mgrooms | 2010-11-29 01:53:14 -0600 (Mon, 29 Nov 2010) | 1 line

Work around an issue on Windows platforms that causes daemons to crash
at shutdown due to a close call on pcap file handles. I'm not sure why
this happens ( CRT error ), but there should be no ill effect from this
change due to handles being flushed and closed automatically when the
process is terminates. I'm worried that this may be a symptom of a
larger problem, but the root cause can be identified and resolved in the
r743 | mgrooms | 2010-11-21 14:13:52 -0600 (Sun, 21 Nov 2010) | 2 lines

Correct some issues with the OSX DMG package build script.

r739 | mgrooms | 2010-10-01 12:04:24 -0500 (Fri, 01 Oct 2010) | 2 lines

Correct an issue with the VPN Access Manager related to pcf import. When
a non encrypted password is present, don't try to hex-decode it. Just
import it as plain text.

r736 | mgrooms | 2010-09-26 17:23:01 -0500 (Sun, 26 Sep 2010) | 2 lines

Make sure we don't try to set the initial flag to true on a non-ipsec
policy. Wait for the first ipsec policy instead. Thanks to Michael Kenny
for diagnosing this issue and submitting the patch.

r735 | mgrooms | 2010-09-26 16:52:27 -0500 (Sun, 26 Sep 2010) | 2 lines

Modify the location of dialog update helper routine calls in the site
configuration load member function. They must be called in the correct
order or problems will occur. Thanks to Michael Kenney for reporting
this issue.

r725 | mgrooms | 2010-09-01 00:46:53 -0500 (Wed, 01 Sep 2010) | 1 line

Modify iked to only create a NONE policy for the next-hop address when
the vpn gateway is not on a network locally attached to the client. This
caused communication failures as the route was being installed as -> next-hop which is obviously incorrect.
r723 | mgrooms | 2010-08-21 13:46:58 -0500 (Sat, 21 Aug 2010) | 2 lines

Fix a bug with the shared policy level support. When an IPsec SA expires,
the peer may attempt to initiate a new phase2 negotiation as a
replacement. This will cause negotiation to fail as the source ID will
always be which won't match a policy. Correct this by only
matching policies on the destination ID since the source ID will always be

r720 | mgrooms | 2010-08-11 01:03:19 -0500 (Wed, 11 Aug 2010) | 2 lines

Modify the BSD libip route management class to be smarter about
replacing routes. On Windows and linux, we utilize route metrics. On
BSD, we replace routes to duplicate networks and later restore them.
Don't replace routes if they are locally reachable.

r717 | mgrooms | 2010-08-11 00:27:29 -0500 (Wed, 11 Aug 2010) | 1 line

Correct a bug in iked policy generation. Only set the ipsec policy
request id value when the UNIQUE level is specified. Other levels don't
require this value since it is only used to pair outbound SAs to unique
policies. Setting this value at require level breaks SA negotiation on
Linux systems.
r714 | mgrooms | 2010-08-10 13:55:28 -0500 (Tue, 10 Aug 2010) | 2 lines

Modify iked to create a DHCP seed value in a file. A new configuration
file parameter allows the path of this file to be specified. If the file
doesn't exist, a new file is created and a new seed value is written

r711 | mgrooms | 2010-08-10 00:22:07 -0500 (Tue, 10 Aug 2010) | 1 line

Modify iked to use the DHCP MAC address seed value. This is mutated using
the peer IP address value to create the value sent to the peer during
DHCP over IPsec negotiation. This value is consistent across connections
so that a new IP address won't be assigned by the DHCP server. This
helps avoid DHCP address pool exhaustion. Thanks to Uwe Weber for
reporting this issue.
r708 | mgrooms | 2010-08-05 01:43:49 -0500 (Thu, 05 Aug 2010) | 1 line

Modify iked to detect when a next-hop is used to reach the VPN gateway.
If so, install a NONE policy to ensure that packets destined to the
next-hop won't match an IPsec policy. This is used by the IPsec daemon
on Windows to avoid responding to ARP requests for the next-hop on the
virtual adapter when the local network overlaps with a tunneled network.
r705 | mgrooms | 2010-08-05 01:25:04 -0500 (Thu, 05 Aug 2010) | 2 lines

Modify the Fortigate DHCP over IPsec support to act like a BOOTP relay
agent. This allows us to use the feature when the VPN client host has a
public interface that is also DHCP configured by avoiding the bind
conflict with system DHCP.

r696 | mgrooms | 2010-07-17 11:45:32 -0500 (Sat, 17 Jul 2010) | 1 line

Modify iked to be smarter about selecting the generated policy level
when set to auto. Previously, we always selected shared when the client
received a CISCO-UNITY ID. Now we select shared when the client receives
a CISCO-UNITY ID but not a KAME / ipsec-tools vendor ID.
r692 | mgrooms | 2010-07-05 16:23:57 -0500 (Mon, 05 Jul 2010) | 2 lines

Add the ability to utilize a pid file on Linux/BSD/OSX platforms.
Another mechanism is used on Windows platforms to ensure only one iked
process is running.

r690 | mgrooms | 2010-07-02 13:44:34 -0500 (Fri, 02 Jul 2010) | 1 line

Correct a bug in iked that caused an infinite loop when walking the IKE
fragment cache. Also log more debug level detail when parsing IKE
fragment payloads.
r688 | mgrooms | 2010-06-30 21:26:43 -0500 (Wed, 30 Jun 2010) | 1 line

Correct a bug in iked related to the IKE fragmentation extension. When
IKE fragments were being evaluated, the list index was not being reset
when a fragment ID match was found. This caused the next match to fail
if the fragments were received out of order.
r686 | mgrooms | 2010-06-29 00:05:35 -0500 (Tue, 29 Jun 2010) | 1 line

Cosmetic change in iked. Use a more descriptive member variable name in
the name service information structure.
r684 | mgrooms | 2010-06-28 22:47:14 -0500 (Mon, 28 Jun 2010) | 2 lines

Modify the cmake configure scripts to allow a library install directory
to be specified. This is useful for platforms that use /usr/lib64
instead of /usr/lib on 64bit platforms. While here, fix some typos and
make some minor updates to the README.TXT file.

r683 | mgrooms | 2010-06-27 23:17:03 -0500 (Sun, 27 Jun 2010) | 2 lines

Modify the Qt VPN Connect application to hide the user credential input
dialog items when xauth is not required.

r682 | mgrooms | 2010-06-27 22:57:24 -0500 (Sun, 27 Jun 2010) | 2 lines

Add several modifications that were missed in the last commit.

r681 | mgrooms | 2010-06-27 22:56:28 -0500 (Sun, 27 Jun 2010) | 8 lines

Modify iked, libike and Linux/BSD client front end applications to
simplify the client message interaction. Enable messages are now only
sent from the client to iked. Status messages now uniformly indicate
disconnected, connecting, connected and disconnected tunnel status. The
set_state virtual member is now obsolete and has been removed.

Modify the base ikec class and front end applications to support auto
connect correctly. Also report a site configuration load failure
correctly in the command line front end.

Modify the Qt VPN Connect application to use the ikec base class. This
removes a good deal of code and leaves a single code path for connection
management. While here, correct an issue that occurred when the
dns-suffix attribute was absent.

Correct a typo that prevented the server identity type from being set
correctly when the 'any' option was selected.

r680 | mgrooms | 2010-06-27 16:02:52 -0500 (Sun, 27 Jun 2010) | 2 lines

Complete rename of ikea-qt to qikea. This includes renaming classes and
files within the project.

r679 | mgrooms | 2010-06-27 12:36:25 -0500 (Sun, 27 Jun 2010) | 4 lines

Modify the Qt UI components to support the new IPSEC policy level
option. Correct an issue reported by Peter Schauer that caused the local
identity properties to be clobbered by the UI when a site configuration
using RSA authentication was loaded.

Update the CMakeLists release version to match the version.h value.

r677 | mgrooms | 2010-06-27 11:46:25 -0500 (Sun, 27 Jun 2010) | 3 lines

Correct an issue that caused SA acquire to not work correctly when the
NAILED policy flag was set. Thanks to Zephaniah E. Loss-Cutler-Hull from
Jetpay for the problem report and bug diagnosis.

r675 | mgrooms | 2010-06-26 15:19:12 -0500 (Sat, 26 Jun 2010) | 3 lines

Add a new option that allows a user to specify the IPsec policy level
for generated policies. These map to the REQUIRE and UNIQUE security
policy levels as implemented via PF_KEY on Linux/BSD systems. We do not
implement the USE level as it has little utility for a VPN client. The
exposed configuration options are 'auto', 'require', 'unique' and
'shared'. The 'unique' option is the exact behavior the Shrew Soft VPN
client has always used. It will negotiate unique SAs as needed for each
policy generated. The 'require' option negotiates SAs as needed using
the policy source and destination network IDs. However, instead of
negotiating unique SAs for each policy, it uses any SA already
established with the peer to protect traffic that matches any generated
policy for that peer. The 'shared' option is a non-standard mode of
operation designed to mimic the way Cisco VPN clients manage security
associations. Policies are generated using the 'require' level. However,
when negotiating SAs with the remote peer, a remote network ID of is
used instead of the policy defined value. This allows a single SA to be
shared amongst multiple policies using unique source/destination network
IDs while maintaining compatibility with the standard Linux/BSD
conventions. The 'auto' option defaults to 'shared' level when a Cisco
compatible vendor ID is received during phase1 negotiation. Otherwise,
the 'unique' level is used.

Correct a bug in iked that caused a memory allocation to be freed twice
under some circumstances.
r673 | mgrooms | 2010-05-11 19:20:16 -0500 (Tue, 11 May 2010) | 1 line

Modify the libup IPROUTE iface_2_addr member function to pass a gateway
address value. This allows us to use fuzzy matching to select the correct
address when multiple addresses exist for a single interface.
r672 | mgrooms | 2010-05-11 19:16:51 -0500 (Tue, 11 May 2010) | 1 line

Make sure the admin thread always sets the tunnel contact type as
IPSEC_CONTACT_CLIENT. Otherwise the wrong code paths may be executed
during tunnel cleanup.
r671 | mgrooms | 2010-04-27 19:13:33 -0500 (Tue, 27 Apr 2010) | 2 lines

Unbreak the build on platforms that are not Apple OSX or that do not
support NAT-T.

r670 | mgrooms | 2010-04-18 16:02:44 -0500 (Sun, 18 Apr 2010) | 2 lines

Ditch the PackageMaker based install. I found it to be totally
worthless. Instead, use the excellent freeware tool named Iceberg to
package our install.

r669 | mgrooms | 2010-04-13 06:26:49 -0500 (Tue, 13 Apr 2010) | 2 lines

Fix some problems with the package definitions on OSX.

r668 | mgrooms | 2010-04-13 06:15:33 -0500 (Tue, 13 Apr 2010) | 2 lines

Update the package definition to correct an issue during install. The
ike daemon wasn't being started correctly.

r667 | mgrooms | 2010-04-13 05:12:52 -0500 (Tue, 13 Apr 2010) | 2 lines

Add a script for building the package on the command line and an OSX
disk image file for software distribution.

r666 | mgrooms | 2010-04-13 00:44:41 -0500 (Tue, 13 Apr 2010) | 2 lines

Add a macosx package definition.

r665 | mgrooms | 2010-04-12 21:42:46 -0500 (Mon, 12 Apr 2010) | 2 lines

Use descriptive names for the framework bundles on OSX. This looks more

r664 | mgrooms | 2010-04-12 21:10:01 -0500 (Mon, 12 Apr 2010) | 2 lines

Correct some build issues on OSX and some qt resource issues. Modify the
launchd script to start iked with the system.

r663 | mgrooms | 2010-04-12 19:08:28 -0500 (Mon, 12 Apr 2010) | 2 lines

Modify the cmake build process to use descriptive application names on
OSX. Add Apple icns files and associate them with the applications.

r662 | mgrooms | 2010-04-12 17:32:05 -0500 (Mon, 12 Apr 2010) | 2 lines

Add the BSD licensed header file from Mattias Nissler's OSX TUN/TAP

r661 | mgrooms | 2010-04-12 17:28:43 -0500 (Mon, 12 Apr 2010) | 2 lines

Rename the qikec resource file to match the qikea convention.

r660 | mgrooms | 2010-04-12 17:20:50 -0500 (Mon, 12 Apr 2010) | 2 lines

Rename the qt based ikea and ikec application to qikea and qikec.

r659 | mgrooms | 2010-04-12 16:45:04 -0500 (Mon, 12 Apr 2010) | 2 lines

Package the ikea-qt and ikec-qt programs as application bundles on OSX.
Package all libraries as framework bundles on OSX. Re-organize the
scripts directory to contain platform sub-directories that hold script
files. Add an OSX Launchd script to control iked.

r658 | mgrooms | 2010-04-12 02:57:16 -0500 (Mon, 12 Apr 2010) | 2 lines

Add initial support for Apple OSX. This was tested with OS version
10.6.3 and still requires some testing and re-organization before it can
be packaged and distributed.

r656 | mgrooms | 2010-03-05 00:08:11 -0600 (Fri, 05 Mar 2010) | 3 lines

Correct a bug in the ith ipc interface library that did not classify an
error return code properly.

Push down the select ioctl error handling into the select function call
on windows.
r654 | mgrooms | 2010-02-01 22:06:03 -0600 (Mon, 01 Feb 2010) | 1 line

Fix a bug in the config exchange that caused the pull mode receive
handler to be called when it should call the push handler. This has been
reported to fix interoperability with strongswan and probably fixes
issues when communicating with other push based implementations. Also
fix a bug that caused RSA negotiations using self signed certificates to
fail. This bug was introduced when support for verifying a certificate
stack received "out of order".
r652 | mgrooms | 2010-02-01 21:46:01 -0600 (Mon, 01 Feb 2010) | 2 lines

Modify the unix access manager application to allow for routes
to be added as an include network. This will allow clients to force all
traffic across the tunnel even if a split network list is received by
the gateway. Fix a bug that caused pcf imports to be incomplete when a
group name was not specified. We now set a default local identity type
value of address for PSK authentication modes and asn1dn for RSA modes.
Fix a bug that caused pcf imports to fail when a key name was specified
with no value.

r650 | mgrooms | 2009-12-20 00:52:42 -0600 (Sun, 20 Dec 2009) | 2 lines

Correct a bug in the iked *nix build related to stricter const void type
checking in newer versions of gcc. Also correct an application crash
related to the BDATA class not properly handling assignment when being
instantiated. For now, just instantiate the object and then assign.

r648 | mgrooms | 2009-12-17 00:54:16 -0600 (Thu, 17 Dec 2009) | 2 lines

Modify iked to output the received Cisco Unity application string when
debug level output is enabled. This should allow users to identify the
remote Cisco device more easily. Change the application string that we
report on *nix platforms to match the Cisco format. Re-order some
attribute handling code to match the definition order. This last change
is purely cosmetic.

r646 | mgrooms | 2009-12-15 02:11:14 -0600 (Tue, 15 Dec 2009) | 4 lines

Modify iked to send an application version string and firewall type when
communicating with Cisco gateways. This should offer improved
compatibility in some cases. Thanks to Nick Maio who provided the bug
report and testing.

Modify iked to always create NONE policies to ensure we will still
communicate with our peer for the case where IPSEC policies exist that
encrypt traffic between client and gateway endpoint addresses. Thanks to
Evan Kinney who provided the bug report and testing.
r642 | mgrooms | 2009-11-15 12:13:41 -0600 (Sun, 15 Nov 2009) | 2 lines

Update the version year to 2009.

r640 | mgrooms | 2009-11-15 12:11:04 -0600 (Sun, 15 Nov 2009) | 2 lines

Modify some iked state flag definitions. Some 32bit values were being
defined using 9 hex digits instead of 8.

r638 | mgrooms | 2009-10-01 00:26:07 -0500 (Thu, 01 Oct 2009) | 1 line

Add support to iked for the XAuth Passcode attribute. This change has
been reported to fix external user authentication with Juniper gateways.
r636 | mgrooms | 2009-09-03 00:05:20 -0500 (Thu, 03 Sep 2009) | 1 line

Modify iked to only send the Xauth status attribute in the result
response when our gateway identifies itself as checkpoint compatible.
This corrects a regression that prevented negotiations from succeeding
with Adtran devices.
r634 | mgrooms | 2009-08-19 01:14:34 -0500 (Wed, 19 Aug 2009) | 1 line

Correct an issue in iked that caused the remote identity value to be
compared to nothing when it should have been ignored. This was causing
many imported PCF site configurations to fail negotiations.
r632 | mgrooms | 2009-08-19 01:08:16 -0500 (Wed, 19 Aug 2009) | 2 lines

Fix a few bugs related to pcf import on unix platforms. Ignore any
leading exclamation marks for pcf file lines. This is intended to denote
the data should be read-only after import but we currently have no way
to enforce this. Use a default value of auto for phase2 PFS.

r630 | mgrooms | 2009-07-12 23:24:12 -0500 (Sun, 12 Jul 2009) | 9 lines

Correct a regression in iked that caused negotiations with Checkpoint
VPN-1 gateways to fail. While here, clean up a bit of checkpoint xauth
handling related to CHAP based authentication.

Rework a few functions that are used to support RSA based certificate
authentication. When a gateway sends more than one certificate during
phase1, we need to determine which certificate is the leaf certificate
being used to generate the signature for authentication. It would be
good if we could just match the remote ID to the subject name in the
certificate, but many gateways support non ASN1 DN based identities with
certificate authentication. Instead, we attempt to build a certificate
chain by examining the certificate list sent. We search for a
certificate that was not used to sign any other received certificate and
use its public key to perform authentication. This method was tested
with several Cisco, Checkpoint and ipsec-tools gateways. Many thanks to
Daniel Sabanes Bove who identified and reported this and other issues.

Correct a potential buffer overflow issue related to extracting a human
readable RSA key subject used in debug level output.

Increase the maximum packet length from 4k to 8k. This is necessary to
support large certificate chains.

Perform some cleanup related to libip fragment handling and re-assembly.
This should cause no change in functionality.
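The leaf selection rule described in the r630 entry above, written out as an added illustration (this is not Shrew Soft code and does not mirror the iked implementation). The example assumes a minimal Cert record and, so that it runs offline, stands in issuer/subject name matching for the signature verification a real implementation must perform; the sample chain, names and key labels are constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a received X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    public_key: str  # hypothetical key label, in place of a real public key


def signed_by(cert: Cert, candidate: Cert) -> bool:
    """Stand-in for a signature check against candidate's public key.

    Issuer/subject name matching is used here only so the example runs offline.
    A real implementation must verify the signature (X509_verify or equivalent),
    because names alone can be forged or can collide.
    """
    return cert.issuer == candidate.subject


def select_leaf(certs: List[Cert]) -> Cert:
    """Return the certificate that signed no *other* certificate in the list.

    This is the rule from the commit: rather than matching the remote ID to a
    subject name (which fails for non ASN.1 DN identities), find the end of the
    chain. Self-signatures are ignored, so a lone self-signed certificate is its
    own leaf. The received order does not matter.
    """
    if not certs:
        raise ValueError("no certificates received")
    leaves = [
        c for c in certs
        if not any(signed_by(other, c) for other in certs if other is not c)
    ]
    if len(leaves) != 1:
        # Two unrelated leaves (or disjoint chains) give no single answer;
        # refuse rather than guess which key to authenticate the peer with.
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    return leaves[0]


def leaf_key_for_auth(certs: List[Cert]) -> str:
    """Public key label the phase1 signature should be verified with."""
    return select_leaf(certs).public_key


# Constructed sample chain, deliberately out of order (root first, leaf in the middle).
ROOT = Cert(subject="CN=Example Root CA", issuer="CN=Example Root CA", public_key="root-key")
INTER = Cert(subject="CN=Example Issuing CA", issuer="CN=Example Root CA", public_key="inter-key")
LEAF = Cert(subject="CN=vpn-gw.example.net", issuer="CN=Example Issuing CA", public_key="gw-key")
SAMPLE_CHAIN = [ROOT, LEAF, INTER]
```

The ambiguity check matters in practice: a gateway that sends two unrelated end-entity certificates would otherwise let the client pick an arbitrary key to verify the peer's signature with.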
r625 | mgrooms | 2009-06-28 20:12:12 -0500 (Sun, 28 Jun 2009) | 6 lines

Add support to unix gui components for importing cisco PCF files. For
PSK based modes, this is a one step process. For RSA based modes, the
certificate info must be assigned manually in a second step. Cisco PCF
files don't contain certificate data so this cannot be automated.

Modify unix gui to support a new option that allows any remote id and
value to be accepted. Although this option should generally be avoided,
it was added to help the Cisco PCF import process as they rarely contain
remote ID information.

Modify unix gui to support non-address identity types in main mode.
Although this option has been requested several times, it technically
violates RFCs so I have been reluctant to add it. Now that it is an
option, we warn the user when appropriate.

r624 | mgrooms | 2009-06-28 18:07:19 -0500 (Sun, 28 Jun 2009) | 4 lines

Add support for encoding and decoding hex values to the libidb BDATA
class. This was required to support cisco PCF import.

Modify iked to optionally bypass remote id checking. This was added to
support the 'Any' remote ID site configuration option.

r621 | mgrooms | 2009-05-02 03:16:10 -0500 (Sat, 02 May 2009) | 2 lines

Cleanup the include statements and forward definitions for files related
to bison generated configuration parser. We now compile cleanly using
bison version 2.4.x.

r619 | mgrooms | 2009-04-29 00:42:47 -0500 (Wed, 29 Apr 2009) | 2 lines

Add the Unix UI support for Cisco Hybrid Authentication.

r617 | mgrooms | 2009-04-29 00:18:03 -0500 (Wed, 29 Apr 2009) | 1 line

Add support for the Cisco Hybrid authentication mode. This is a variant
of the draft standard Hybrid authentication mode but augments it by
sending the group name as a key identifier identity and an additional
password hash notification payload. Support for this would have taken
much longer if this had not already been worked out by the good folks
over at the vpnc project.
r616 | mgrooms | 2009-04-28 23:14:12 -0500 (Tue, 28 Apr 2009) | 1 line

Work around an issue with Adtran gateways. They request RADIUS-CHAP
during Xauth when they want generic credentials. To denote this, they do
not send a challenge attribute. We work around this by treating the
RADIUS-CHAP more or less like a generic request when the challenge
attribute is absent.
r614 | mgrooms | 2009-04-26 14:54:05 -0500 (Sun, 26 Apr 2009) | 2 lines

Fix a build issue that caused some RSA conversion function to fail due
to const issues. We fix this by checking the openssl version and
defining our variable with the correct const type.

r612 | mgrooms | 2009-04-11 14:02:07 -0500 (Sat, 11 Apr 2009) | 1 line

Revert the Cisco unity version number sent in our vendor ID. The
ipsec-tools racoon daemon only understands a single version so using
another version breaks compatibility. This problem was reported by
Tai-hwa Liang.
r611 | mgrooms | 2009-02-11 20:35:43 -0600 (Wed, 11 Feb 2009) | 1 line

Modify iked to detect packet send errors earlier. This could be improved
more but would require intrusive changes.
r609 | mgrooms | 2009-02-11 19:59:05 -0600 (Wed, 11 Feb 2009) | 1 line

Correct a bug in iked where the generic exchange handle resend event was
not being initialized properly. This caused the tunnel to hang under a
failure condition under some rare circumstances.
r608 | mgrooms | 2009-02-05 23:45:49 -0600 (Thu, 05 Feb 2009) | 1 line

Modify the iked NAT-T keep alive packet code to also work with Cisco UDP
encapsulation of ESP packets.
r607 | mgrooms | 2009-02-04 21:13:13 -0600 (Wed, 04 Feb 2009) | 2 lines

Add support to iked for negotiating Cisco UDP encapsulation of ESP
packets. The current modifications have been tested on unix builds but
more work is required to enable support on Windows platforms. Submitted
by Robert Nelson.

r605 | mgrooms | 2009-02-03 23:10:00 -0600 (Tue, 03 Feb 2009) | 2 lines

Cleanup some faulty NAT-T port value handling in iked. Instead of
blindly assigning the remote NAT-T port value to the local socket
address, lookup the value instead. This should avoid issues when the
remote NAT-T port does not match the local NAT-T port.

r603 | mgrooms | 2009-01-28 22:18:58 -0600 (Wed, 28 Jan 2009) | 2 lines

Update the libip route code for Linux to not include the RTM_TABLE
definition. This was only for debugging purposes and it appears to not
be defined in newer versions of the Linux netlink headers.

r602 | mgrooms | 2009-01-27 19:55:24 -0600 (Tue, 27 Jan 2009) | 2 lines

Update some outdated information contained in the unix README.TXT file.

r601 | mgrooms | 2009-01-27 19:21:30 -0600 (Tue, 27 Jan 2009) | 3 lines

Modify the main CMakeLists file to include a check for libedit. This is
now a requirement for building the command line VPN Connect application.

r600 | mgrooms | 2009-01-17 16:16:46 -0600 (Sat, 17 Jan 2009) | 2 lines

Correct a build issue on Linux systems. Don't include the compat path
when building the command line ikec program.

r599 | mgrooms | 2009-01-13 23:07:55 -0600 (Tue, 13 Jan 2009) | 2 lines

Fix some build issues on unix and add the command line VPN Connect
application to the build.

r598 | mgrooms | 2009-01-13 22:25:51 -0600 (Tue, 13 Jan 2009) | 2 lines

Commit initial version of the command line ikec application for unix.

r596 | mgrooms | 2008-11-27 23:17:47 -0600 (Thu, 27 Nov 2008) | 1 line

Use the localtime_s instead of the localtime function in liblog on
windows platforms. This is mostly just to silence the compiler warning.
r594 | mgrooms | 2008-11-27 22:42:49 -0600 (Thu, 27 Nov 2008) | 6 lines

Silence some build warnings that occur with newer versions of gcc. These
changes are mostly related to formatted print functions that specified an
input buffer that contained no formatting sequences.

Add some statements to the main CMakeLists file. These are required by
newer versions of cmake or build warnings are displayed.

Fix a minor problem with the Qt4 topology user interface definition
file. The dialog icon was invalid.

r592 | mgrooms | 2008-11-27 22:18:36 -0600 (Thu, 27 Nov 2008) | 1 line

Add support to iked for multiple certificate request payloads. Right now
we can only deal with X.509 certificate types but a peer may send
multiple certificate requests that specify unique certificate types. We
now store these requests in a list for inspection. Thanks to Mark
Seamans and Jay Pfeifer for identifying the problem and testing these
changes with StrongSWAN.
r591 | mgrooms | 2008-11-24 10:02:04 -0600 (Mon, 24 Nov 2008) | 2 lines

Modify the unix shared object library naming to use an underscore
instead of a period as a separator. Suggested by David Santinoli.

r590 | mgrooms | 2008-11-23 16:15:34 -0600 (Sun, 23 Nov 2008) | 2 lines

Rename the unix GUI applications from ikea and ikec to ikea-qt and
ikec-qt respectively. A command line version of VPN Connect application
named ikec will be added in the future.

r589 | mgrooms | 2008-11-23 15:01:15 -0600 (Sun, 23 Nov 2008) | 4 lines

Modify all Shrew Soft libraries to build as shared objects on unix
platforms. To avoid name space conflicts, we now use a prefix for each
library target. For example, the idb library is now named libss.idb.so
and is dynamically loaded by all applications at run time.

Rename the ikea and ikec source directory paths to qikea and qikec. This
is in preparation of renaming the applications to qikea and qikec but
must be handled as a separate commit.

r588 | mgrooms | 2008-11-22 17:33:43 -0600 (Sat, 22 Nov 2008) | 2 lines

Various minor cleanups for the Qt4 VPN Access Manager and VPN Connect

r587 | mgrooms | 2008-11-22 13:56:52 -0600 (Sat, 22 Nov 2008) | 2 lines

Remove some now unused files for the old Qt3 *unix VPN Access and VPN
Connect directories. Add two missing files for the new Qt4 VPN Connect

r586 | mgrooms | 2008-11-21 00:48:18 -0600 (Fri, 21 Nov 2008) | 2 lines

Finish initial port of unix GUI components to Qt4. The VPN Access
Manager and VPN Connection applications are now complete but require
more testing.

r585 | mgrooms | 2008-11-20 21:21:50 -0600 (Thu, 20 Nov 2008) | 2 lines

Initial port of the unix VPN Access Manager to Qt4. The VPN Connect
application still needs to be ported.

r582 | mgrooms | 2008-11-11 01:00:37 -0600 (Tue, 11 Nov 2008) | 1 line

Correct an issue with IPsec over DHCP communications. Ensure that
responses are read when the event wakeup timer expires but requests are
only sent once per second. Also increase the DHCP retry count to 8.
r580 | mgrooms | 2008-11-10 14:55:31 -0600 (Mon, 10 Nov 2008) | 2 lines

Modify the unix VPN connect application to report which peer iked has
established a tunnel with. This is useful when communicating with Cisco
gateways that perform load balancing.

r578 | mgrooms | 2008-11-10 13:13:45 -0600 (Mon, 10 Nov 2008) | 1 line

Correct handling of Cisco Unity LOAD-BALANCE notifications in iked.
Reset some tunnel statistics before we attempt to re-negotiate with the
specified peer. Pass the peer address along with the statistics so we
can report which gateway address the user is connected to.
r576 | mgrooms | 2008-11-09 12:57:14 -0600 (Sun, 09 Nov 2008) | 1 line

Correct handling of Cisco Unity LOAD-BALANCE notifications in iked.
Increment and decrement the phase1 handle when flagging it for deletion
to ensure the delete notification is sent before we modify the peer
endpoint addresses. Also remove any event timer entries so duplicates
are not queued by the timer class when the tunnel re-initializes.
r574 | mgrooms | 2008-11-06 12:58:02 -0600 (Thu, 06 Nov 2008) | 1 line

Correct a bug in the iked pfkey io thread that could lead to a hang when
the service control manager attempts to stop the process. This could
lead to issues especially during uninstall.
r572 | mgrooms | 2008-11-05 13:56:00 -0600 (Wed, 05 Nov 2008) | 1 line

Add a safeguard to prevent iked from migrating in response to a Cisco
Unity LOAD-BALANCE notification if the tunnel is already mature.
r571 | mgrooms | 2008-11-05 13:42:56 -0600 (Wed, 05 Nov 2008) | 1 line

Add support for Cisco Unity LOAD-BALANCE notifications. A device working
in a high availability group can send this notification message which
contains the IP address of a new gateway. The client migrates to the new
gateway immediately on receipt of this request.
r569 | mgrooms | 2008-11-05 11:25:21 -0600 (Wed, 05 Nov 2008) | 2 lines

Add a new option to the unix Access Manager and VPN Connect applications
that allows the Checkpoint vendor ID option to be enabled during phase1

r567 | mgrooms | 2008-11-05 10:37:41 -0600 (Wed, 05 Nov 2008) | 1 line

Modify iked to be more selective when handling vendor IDs during phase1
negotiations. Both Checkpoint and Cisco PIX routers require that the
last vendor ID in a packet be the vendor specific ID. By default, iked
now sends the Cisco Unity ID as the last ID in the packet. If requested
by the client, the Checkpoint ID is sent as the last vendor ID in the
r566 | mgrooms | 2008-11-03 15:32:48 -0600 (Mon, 03 Nov 2008) | 3 lines

I omitted the message in the last commit log so I am adding it here. Add
support to iked for the XAuth Radius CHAP authentication method. The use
of CHAP vs generic authentication is determined automatically by
examining the XAuth authentication type.

Update todo list.
r565 | mgrooms | 2008-11-03 15:19:14 -0600 (Mon, 03 Nov 2008) | 1 line

r561 | mgrooms | 2008-11-02 12:46:24 -0600 (Sun, 02 Nov 2008) | 1 line

Modify iked to ignore any split network definitions that use a null
address or subnet value. The client will generate a single
include policy if no specific remote network definitions are received.
This avoids any problems that may occur when the gateway sends
configuration data that would prevent the client from operating
r560 | mgrooms | 2008-10-28 23:23:01 -0500 (Tue, 28 Oct 2008) | 3 lines

Add initial support for Netgear routers to iked. These routers use an md5
hash of "DPD" instead of the RFC specified vendor ID to negotiate
support of this feature. Additionally, when sending a DPD notification
message, they specify the ISAKMP protocol with a zero length protocol
SPI, add a 16 byte null ISAKMP cookie pair followed by a DPD sequence
number. This is interpreted by compliant implementations as 20 bytes of
notification data. We work around this by skipping any leading bytes in
the notification data before reading the DPD sequence number.

Modify our vendor ID handling to send an updated version of the Cisco
Unity vendor ID. When reading a Unity vendor ID, only interpret the
constant value bytes and ignore the version. This should make our
implementation more versatile when attempting to detect Cisco compatible
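The two DPD quirks in the r560 entry above, shown as an added example rather than the project's own parser. It assumes the ISAKMP Notification payload layout from RFC 2408 (next payload, reserved, length, DOI, protocol ID, SPI size, notify type, SPI, data), the R-U-THERE/R-U-THERE-ACK notify types and vendor ID bytes from RFC 3706, and the Netgear form exactly as the commit describes it; the cookie values and sequence number are constructed.

```python
import hashlib
import struct
from typing import Optional, Tuple

# RFC 3706 notify types and DPD vendor ID (major/minor version 1.0 in the last two bytes).
R_U_THERE = 36136
R_U_THERE_ACK = 36137
PROTO_ISAKMP = 1
DPD_VID_RFC3706 = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")
# Netgear announces DPD with MD5("DPD") instead, per the commit above.
DPD_VID_NETGEAR = hashlib.md5(b"DPD").digest()


def dpd_vendor_id_kind(vid: bytes) -> Optional[str]:
    """Classify a received vendor ID; None means it does not announce DPD."""
    if vid == DPD_VID_RFC3706:
        return "rfc3706"
    if vid == DPD_VID_NETGEAR:
        return "netgear"
    return None


def build_notify(proto: int, spi: bytes, ntype: int, data: bytes, doi: int = 1) -> bytes:
    """Encode an ISAKMP Notification payload (RFC 2408 section 3.14), next payload 0."""
    body = struct.pack("!IBBH", doi, proto, len(spi), ntype) + spi + data
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_dpd_notify(payload: bytes) -> Tuple[int, bytes, int, int]:
    """Return (notify_type, spi, sequence_number, leading_bytes_skipped).

    A compliant sender puts the 16-byte cookie pair in the SPI field and exactly
    four bytes of sequence number in the notification data. Netgear sends SPI
    size 0 and 16 null bytes followed by the sequence number, i.e. 20 bytes of
    data. Reading the sequence number from the last four data bytes, as the
    commit describes, handles both without a per-vendor code path.
    """
    if len(payload) < 12:
        raise ValueError("short notification payload")
    _next, _reserved, length = struct.unpack_from("!BBH", payload, 0)
    if length != len(payload):
        raise ValueError("payload length mismatch")
    _doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", payload, 4)
    if ntype not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError(f"not a DPD notification: {ntype}")
    if proto != PROTO_ISAKMP:
        raise ValueError(f"unexpected protocol ID {proto}")
    if 12 + spi_size > len(payload):
        raise ValueError("SPI runs past end of payload")
    spi = payload[12:12 + spi_size]
    data = payload[12 + spi_size:]
    if len(data) < 4:
        raise ValueError("missing DPD sequence number")
    seq = struct.unpack("!I", data[-4:])[0]
    return ntype, spi, seq, len(data) - 4


# Constructed sample payloads, both carrying sequence number 7.
COOKIES = bytes.fromhex("0011223344556677" "8899aabbccddeeff")
RFC_STYLE = build_notify(PROTO_ISAKMP, COOKIES, R_U_THERE, struct.pack("!I", 7))
NETGEAR_STYLE = build_notify(PROTO_ISAKMP, b"", R_U_THERE, bytes(16) + struct.pack("!I", 7))
```

Because the sequence number is taken from the tail of the data, a payload that is shorter than four bytes is rejected outright instead of being read past its end, which is the check a parser fed by an untrusted peer needs regardless of vendor.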
r559 | mgrooms | 2008-10-28 13:18:54 -0500 (Tue, 28 Oct 2008) | 3 lines

Correct a few bugs in iked that were preventing the RSA authentication
methods from working. While here, free the temporary configuration data
cached in the admin thread loop at connect time instead of allowing to
persist until the connection is closed. The RSA authentication problems
were reported by Tai-hwa Liang.

Update the todo list.
r557 | mgrooms | 2008-10-16 23:19:45 -0500 (Thu, 16 Oct 2008) | 1 line

Revert the change that re-transmits a configuration packet after the
configuration has become mature. This can cause problems when
communicating with a Cisco device if the virtual network adapter is
taking an unusually long time to initialize. A ping-pong packet war will
commence which quickly leads to premature tunnel termination. A more
appropriate long term fix will be committed after pre-requisite work is
r556 | mgrooms | 2008-10-16 04:17:18 -0500 (Thu, 16 Oct 2008) | 3 lines

Add overloaded equality comparison operators for the basic data class.
Use the comparison operators where possible instead of calls to memcmp.

Modify iked to process multiple NAT discovery payloads in accordance
with RFC 3947. Previously we assumed a single remote address hash
payload would be received. We now accept multiple hash values and
compare them properly. While here, remove two NAT related bool values
from the phase1 handle which were no longer in use.
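The NAT discovery comparison from the r556 entry above, as an added example (not the iked code). It assumes the RFC 3947 NAT-D construction HASH(CKY-I | CKY-R | IP | Port) with the first payload describing the receiver's address and the remaining payloads the sender's local addresses, uses SHA-1 as the stand-in for the phase1 negotiated hash, and constructs all cookies and addresses; the naive single-payload comparison is included only to show the failure the commit fixes.

```python
import hashlib
import ipaddress
import struct
from typing import List, Tuple

Endpoint = Tuple[str, int]  # (IP address, UDP port)


def nat_d_hash(hash_name: str, cky_i: bytes, cky_r: bytes, ep: Endpoint) -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.

    hash_name is the phase1 negotiated hash; this example assumes "sha1".
    """
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ep[0]).packed)
    h.update(struct.pack("!H", ep[1]))
    return h.digest()


def build_nat_d_payloads(hash_name: str, cky_i: bytes, cky_r: bytes,
                         peer: Endpoint, local_eps: List[Endpoint]) -> List[bytes]:
    """Sender side: the peer's address as we see it, then one hash per local address.

    A multi-homed sender emits several local hashes, which is why a receiver
    must not assume a single remote address hash will arrive.
    """
    return [nat_d_hash(hash_name, cky_i, cky_r, peer)] + \
           [nat_d_hash(hash_name, cky_i, cky_r, ep) for ep in local_eps]


def detect_nat(hash_name: str, cky_i: bytes, cky_r: bytes, received: List[bytes],
               my_ep: Endpoint, peer_ep_seen: Endpoint) -> Tuple[bool, bool]:
    """Receiver side. Returns (we_are_behind_nat, peer_is_behind_nat)."""
    if len(received) < 2:
        raise ValueError("RFC 3947 requires at least two NAT-D payloads")
    # Payload 0 is our own address as the peer saw it.
    we_behind_nat = received[0] != nat_d_hash(hash_name, cky_i, cky_r, my_ep)
    # Payloads 1..n are the peer's local addresses; the peer is behind NAT only
    # if none of them matches the source we actually received the packet from.
    expected_peer = nat_d_hash(hash_name, cky_i, cky_r, peer_ep_seen)
    peer_behind_nat = all(h != expected_peer for h in received[1:])
    return we_behind_nat, peer_behind_nat


def naive_peer_behind_nat(hash_name: str, cky_i: bytes, cky_r: bytes,
                          received: List[bytes], peer_ep_seen: Endpoint) -> bool:
    """The pre-fix assumption: compare only the first remote hash."""
    return received[1] != nat_d_hash(hash_name, cky_i, cky_r, peer_ep_seen)


# Constructed scenario: the gateway is multi-homed and lists its private
# interface first, so a single-payload comparison reports NAT that is not there.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
CLIENT = ("203.0.113.7", 500)
GATEWAY_PUBLIC = ("192.0.2.10", 500)
GATEWAY_PRIVATE = ("10.0.0.5", 500)


def scenario_multihomed_no_nat() -> Tuple[bool, bool, bool]:
    payloads = build_nat_d_payloads("sha1", CKY_I, CKY_R, CLIENT, [GATEWAY_PRIVATE, GATEWAY_PUBLIC])
    we, peer = detect_nat("sha1", CKY_I, CKY_R, payloads, CLIENT, GATEWAY_PUBLIC)
    return we, peer, naive_peer_behind_nat("sha1", CKY_I, CKY_R, payloads, GATEWAY_PUBLIC)


def scenario_client_behind_nat() -> Tuple[bool, bool]:
    # The gateway saw the NAT device's address and port, not the client's own.
    payloads = build_nat_d_payloads("sha1", CKY_I, CKY_R, ("198.51.100.1", 4500), [GATEWAY_PUBLIC])
    return detect_nat("sha1", CKY_I, CKY_R, payloads, CLIENT, GATEWAY_PUBLIC)
```

The digests are compared whole; the commit's switch from memcmp to equality operators on the data class serves the same purpose, since a length-prefixed comparison also rejects a truncated hash payload.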
r555 | mgrooms | 2008-10-15 19:19:03 -0500 (Wed, 15 Oct 2008) | 5 lines

Modify the idb policy class to use bitflags instead of the route and
nailed boolean values. Introduce a new flag that forces a single phase2
SA to be negotiated after a policy is created. Use this option to ensure
phase2 negotiation occurs immediately after a connection has been
established with a Cisco gateway. These devices will disconnect a client
shortly after initial contact if an IPsec SA is not established.

Modify iked to use an adaptive event timer for DHCP over IPsec. This
significantly reduces the tunnel setup time when communicating with
Fortinet gateways. While here, fix a bug that caused disconnects to be
erroneously identified as a DHCP over IPsec configuration problem.

Modify the public version.h file to reflect a new client configuration
version. Add a new definition that specifies if a build will be a stable
r553 | mgrooms | 2008-10-13 18:46:29 -0500 (Mon, 13 Oct 2008) | 1 line

Correct some minor issues in iked. Ensure the isakmp payload reserved
values are null during packet validation. Always note the reason we
refuse to process a packet due to a validation failure. Remove the
phase1 duplicate payload checks as they are no longer required. Make
sure we re-transmit the phase1 and phase2 packet queue when a decrypt
error is detected. Safe guard against a thread state issue that caused
an outbound phase2 packet to be processed simultaneously by the recv and
pfkey threads. This problem was reported by Mark Jenks as a phase2
negotiation failure.
r552 | mgrooms | 2008-10-12 17:12:50 -0500 (Sun, 12 Oct 2008) | 4 lines

Modify the unix Access Manager and VPN Connect applications to allow the
DNS suffix automatic setting to be specified separately from the
DNS server options. Also verify address input values when the save
button is pressed.

Modify the iked unix resolv.conf writer to be more intelligent. When a
resolv.conf option does not exist, inherit the option from the current
system resolv.conf file.

r551 | mgrooms | 2008-10-12 15:09:49 -0500 (Sun, 12 Oct 2008) | 6 lines

Add support for up to four DNS server and two WINS server addresses to
the unix Access Manager application. Support for multiple name server
addresses has existed in iked for quite some time so no changes are

Add a new virtual adapter option to the unix Access Manager and VPN
Connect applications. This allows a randomized virtual address to be
selected from a specified subnet. Using this option has some serious
drawbacks. Without the ability to send ARP packets over an IPsec
connection, it is impossible to detect and resolve address selection
conflicts. However, when a large address pool is used, the odds of
multiple clients selecting an identical virtual adapter address is
considerably lower than the possibility of multiple clients having
identical public address when behind a SOHO router performing NAT. Most
of these routers tend to use the same private network definitions by
default and are never changed.

Update the unix VPN Connect application to only set the xconf request
flag when an option is to be negotiated. Setting the option flag
directly denotes that an option is statically configured.

r550 | mgrooms | 2008-10-12 12:24:27 -0500 (Sun, 12 Oct 2008) | 2 lines

Work around a regression in iked where we attempt to acquire the idb
lock mutex when it is already owned.

r545 | mgrooms | 2008-10-11 11:36:05 -0500 (Sat, 11 Oct 2008) | 2 lines

Correct a bug in the VPN Connect application where a host name is
treated as an IP address if the leading character is a numeric digit.
Issue reported by Daniel P.

r543 | mgrooms | 2008-10-10 02:28:27 -0500 (Fri, 10 Oct 2008) | 2 lines

Correct some issues with the unix build. This is related to the
keyfile changes which now use BDATA instead of an openssl EVP_PKEY
structure for storage of private and public key data.

r542 | mgrooms | 2008-10-09 13:54:43 -0500 (Thu, 09 Oct 2008) | 5 lines

Rewrite portions of the IPC server code to address some security flaws.
Up until now, this code relied on a well behaved client to ensure that
certain operations worked correctly. These changes are intended to
prevent out of order operations or faulty configurations from triggering
invalid pointer references. While addressing the major concerns, more
work will be required to validate all configuration options to ensure
proper operation in all cases.

Modify iked objects and keyfile code to use BDATA for storage of public
and private key information. This removes the openssl key structure
pointer from the object and associated functions. Further testing of
this change is still required. Also remove the keyfile helper functions
from the global iked object. They are only used locally.

Modify the configuration exchange client push and pull functions to copy
negotiated option flags to the supported option flags. This allows iked
to more accurately track which options were negotiated and which options
were statically enabled. The client connect applications need to be
updated to reflect this change.
r540 | mgrooms | 2008-10-06 23:45:02 -0500 (Mon, 06 Oct 2008) | 1 line

Update the todo list.
r539 | mgrooms | 2008-10-06 22:01:04 -0500 (Mon, 06 Oct 2008) | 1 line

Comment out an assertion that was used while debugging the libith
generic IPC class.
r537 | mgrooms | 2008-10-06 15:08:41 -0500 (Mon, 06 Oct 2008) | 1 line

Update todo list.
r535 | mgrooms | 2008-10-06 14:37:41 -0500 (Mon, 06 Oct 2008) | 1 line

Cleanup some log output in iked. Instead of using the XX: sequence to
denote a warning, use ww: instead.
r534 | mgrooms | 2008-10-06 13:57:44 -0500 (Mon, 06 Oct 2008) | 1 line

Initialize the iked generic exchange msgid data member in the class
constructor and not in the derived class constructors. Be sure to clear
the resend attempt counter when clearing the resend schedule. Compare
the resend attempt count properly.
r533 | mgrooms | 2008-10-06 11:02:32 -0500 (Mon, 06 Oct 2008) | 1 line

Create a generic exchange message id and iv generation function. Retire
the phase2 specific iv generation function. Update all exchange classes
to use these functions.
r532 | mgrooms | 2008-10-06 01:01:00 -0500 (Mon, 06 Oct 2008) | 1 line

Modify iked phase1 and phase2 exchanges to not use the resend on final
exchange messages only to clear the resend immediately afterward. Also
cleanup and improve some log output.
r531 | mgrooms | 2008-10-05 12:05:29 -0500 (Sun, 05 Oct 2008) | 1 line

Modify the exchange packet resend member functions to optionally purge
the packet queue when the schedule is cleared. The resend event has also
been modified to allow non-scheduled resends of a packet queue. Exchange
classes now retain the final packet queue contents after reaching
maturity. If an exchange packet is received afterwards, we assume a
message was lost in transit and resend the queue contents.
r530 | mgrooms | 2008-10-04 15:31:02 -0500 (Sat, 04 Oct 2008) | 1 line

Introduce a new intermediate exchange class in iked. The Diffie Hellman
and proposal members have been moved from the generic exchange class
into the generic security association exchange subclass. The subclass is
used as a base class for phase1 and phase2 classes. As a result, the
informational and configuration classes are now considerably more
r529 | mgrooms | 2008-10-04 14:58:27 -0500 (Sat, 04 Oct 2008) | 3 lines

Re-write portions of the configuration exchange code in iked. The
complex send and recv functions have been split into several smaller
functions. These are responsible for client and server operations for
xauth, modecfg push or modecfg pull. The client side functions have been
tested thoroughly but the server side functions need further review and
bug fixing. Additionally, the config state flags have been moved from
the tunnel handle to the config handle where they belong.

The major goal of this re-write was to prevent multiple config handles
from being used for xauth and modecfg negotiations. Previously, new
config handles were created for each unique packet message id.
Re-transmitting lost packets was impossible under certain circumstances
as the packet queue was destroyed along with the config handle. To avoid
this situation, a config handle is now associated with a phase1 handle.
The config handle is used to process all config packets for the given
phase1 ISAKMP cookie pair. This makes the packet re-transmit queue
persistent regardless of the message id. The config handle is destroyed
along with the phase1 handle.
r527 | mgrooms | 2008-10-02 16:49:15 -0500 (Thu, 02 Oct 2008) | 1 line

Fix another DH exchange related bug in iked. The OpenSSL
DH_generate_key function can occasionally write a public value that is
shorter than the prime value length. When we convert this BIGNUM value
to a BDATA value, we need to ensure the value is written to the buffer
properly and insert null padding at the front of the buffer when
appropriate. This also corrects seemingly random failures during phase1
and phase2+PFS negotiations.
r525 | mgrooms | 2008-10-01 04:54:51 -0500 (Wed, 01 Oct 2008) | 1 line

Fix a very elusive and long standing bug in iked. The OpenSSL
DH_compute_key function can occasionally write a shared secret that is
shorter than the DH public / private key lengths. When this happens, a
null character exists at the trailing end of the buffer that signifies
the least significant byte for the value. Fix this by trimming the
buffer to the length returned by DH_compute_key and inserting the
required null bytes at the front of the buffer where they belong. This
corrects seemingly random failures during phase1 and phase2+PFS
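The two fixes above, r527 for the DH_generate_key output and r525 for the DH_compute_key output, share one root cause: OpenSSL's BN_bn2bin() writes the minimal big-endian encoding of a BIGNUM, so a value whose top byte happens to be zero comes out shorter than the group prime (roughly one uniformly random value in 256), and copying it front-aligned into a prime-length buffer silently shifts it. The block below is an added illustration and not code from the iked tree: it stands in for BN_bn2bin() with a small helper, and assumes an 8-byte group so the effect can be inspected as an integer. Real MODP groups are far longer, but the conversion logic is the same.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

/* Assumed 8-byte group so values fit a uint64_t for inspection. */
#define GROUP_LEN 8

/* Stand-in for BN_bn2bin(): minimal big-endian encoding, leading zero
 * bytes dropped. Returns the number of bytes written, which is less than
 * GROUP_LEN whenever the value's top byte is zero. */
size_t bn2bin_minimal(const uint8_t *val, size_t val_len, uint8_t *out)
{
    size_t skip = 0;
    while (skip < val_len && val[skip] == 0)
        skip++;
    memcpy(out, val + skip, val_len - skip);
    return val_len - skip;
}

/* The pre-fix pattern: minimal encoding copied to the front of a
 * prime-length buffer. The unwritten tail stays zero, so the value is
 * shifted left by one byte per dropped leading zero. */
void bn2bin_front(const uint8_t *min, size_t min_len, uint8_t *out, size_t out_len)
{
    memset(out, 0, out_len);
    memcpy(out, min, min_len);
}

/* The fix described in r525/r527: zero the buffer, then write the value
 * right-aligned so the dropped bytes reappear as leading zero padding. */
int bn2bin_padded(const uint8_t *min, size_t min_len, uint8_t *out, size_t out_len)
{
    if (min_len > out_len)
        return -1;                       /* value cannot belong to this group */
    memset(out, 0, out_len);
    memcpy(out + (out_len - min_len), min, min_len);
    return 0;
}

/* Interpret a big-endian buffer as an integer, to make the shift visible. */
uint64_t be_to_u64(const uint8_t *buf, size_t len)
{
    uint64_t v = 0;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | buf[i];
    return v;
}

/* Constructed sample: a DH value whose most significant byte is zero. */
static const uint8_t sample_value[GROUP_LEN] =
    { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };

/* Convert the sample front-aligned (padded == 0) or right-aligned
 * (padded != 0) and return the integer the receiving side would see. */
uint64_t convert_sample(int padded)
{
    uint8_t minimal[GROUP_LEN], out[GROUP_LEN];
    size_t min_len = bn2bin_minimal(sample_value, GROUP_LEN, minimal);
    if (padded)
        bn2bin_padded(minimal, min_len, out, GROUP_LEN);
    else
        bn2bin_front(minimal, min_len, out, GROUP_LEN);
    return be_to_u64(out, GROUP_LEN);
}

int main(void)
{
    uint8_t minimal[GROUP_LEN];
    size_t min_len = bn2bin_minimal(sample_value, GROUP_LEN, minimal);

    printf("original   : 0x%016" PRIx64 "\n", be_to_u64(sample_value, GROUP_LEN));
    printf("bn2bin len : %zu of %d bytes\n", min_len, GROUP_LEN);
    printf("front-copy : 0x%016" PRIx64 "  (wrong: shifted up one byte)\n", convert_sample(0));
    printf("padded     : 0x%016" PRIx64 "  (correct)\n", convert_sample(1));
    return 0;
}
```

Both peers must end up with identical fixed-width octet strings, both for the public value carried in the KE payload and for the shared secret fed into the key derivation, which is why a dropped leading zero surfaces as an authentication failure on a seemingly random fraction of negotiations rather than as a crash. OpenSSL 1.1.0 and later ship BN_bn2binpad(), which performs exactly this right-aligned, zero-padded write; on older releases the memset-then-offset-copy above is the portable equivalent.
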
r523 | mgrooms | 2008-09-30 02:10:30 -0500 (Tue, 30 Sep 2008) | 2 lines

Correct a build breakage on platforms that use gcc.

r521 | mgrooms | 2008-09-29 01:19:03 -0500 (Mon, 29 Sep 2008) | 5 lines

Cleanup our Diffie Hellman group setup functions in iked. Don't attempt
to generate a public key by hand. The OpenSSL DH_generate_key function
will handle this for us. While here, improve error handling for setup

Move the hash_size handler from the ike generic exchange class into the
phase1 subclass. It was not being used by any other exchange subclasses.

Modify the idb member function that sets a value for a range of bytes.
Specify the value parameter as an int and not a char.
r519 | mgrooms | 2008-09-26 12:00:45 -0500 (Fri, 26 Sep 2008) | 1 line

Correct a few places where raw text ID values were not being null
terminated before evaluation. This was reported by Philipp Matthias via
the Debian bug ticketing system.
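The r519 fix above concerns a recurring class of bug in packet parsers: an ID value is a length-delimited byte range cut out of the payload, and handing it to a C string function without terminating it first compares (or logs) whatever bytes follow it in the receive buffer. The block below is an added example, not code from the iked tree; it shows the unsafe comparison beside two safe variants over a constructed payload, with a NUL deliberately placed after the trailing garbage so the unsafe call stays memory-safe while still returning the wrong answer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* The hazard: treating the raw ID range as a C string. strcmp() reads
 * until it finds a NUL somewhere beyond the ID bytes, so the comparison
 * is wrong at best and reads past the packet buffer at worst. */
int id_match_unsafe(const uint8_t *raw, const char *expected)
{
    return strcmp((const char *)raw, expected) == 0;
}

/* Fix, variant 1: compare using the length taken from the payload header
 * and require the expected value to have exactly that length, so neither
 * a prefix ("vpn.example.or") nor an extension ("vpn.example.org.evil")
 * can match. */
int id_match_len(const uint8_t *raw, size_t raw_len, const char *expected)
{
    size_t exp_len = strlen(expected);
    return raw_len == exp_len && memcmp(raw, expected, raw_len) == 0;
}

/* Fix, variant 2: make a NUL-terminated copy before the value reaches any
 * string API (logging, config lookup). Embedded NULs are rejected because
 * they would truncate the string silently. Caller frees the result. */
char *id_dup_cstr(const uint8_t *raw, size_t raw_len)
{
    if (memchr(raw, '\0', raw_len) != NULL)
        return NULL;
    char *s = malloc(raw_len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, raw, raw_len);
    s[raw_len] = '\0';
    return s;
}

/* Constructed sample: a 15-byte FQDN ID followed by three unrelated bytes
 * that happen to sit after it in the receive buffer, then a NUL. */
static const uint8_t sample_payload[] = "vpn.example.org" "\x05\x06\x07";
#define SAMPLE_ID_LEN 15

int main(void)
{
    const char *expected = "vpn.example.org";
    char *copy = id_dup_cstr(sample_payload, SAMPLE_ID_LEN);

    printf("strcmp on raw bytes : %s\n",
           id_match_unsafe(sample_payload, expected) ? "match" : "no match");
    printf("length-aware compare: %s\n",
           id_match_len(sample_payload, SAMPLE_ID_LEN, expected) ? "match" : "no match");
    printf("terminated copy     : \"%s\"\n", copy ? copy : "(null)");
    free(copy);
    return 0;
}
```

The length-aware compare is the one to use on the authentication path, since it never allocates and cannot be influenced by bytes outside the declared range; the terminated copy is for the places where the value has to be printed or used as a lookup key.
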
r514 | mgrooms | 2008-09-09 04:49:40 -0500 (Tue, 09 Sep 2008) | 1 line

Add RFC 3526 to our public docs directory. It describes additional MODP
Diffie-Hellman groups for use with IKE.
r512 | mgrooms | 2008-09-01 21:17:42 -0500 (Mon, 01 Sep 2008) | 2 lines

Perform some minor cleanup of the unix route code. Make the BSD and
Linux code more clean and consistent.

r511 | mgrooms | 2008-09-01 20:18:21 -0500 (Mon, 01 Sep 2008) | 1 line

Modify the public libip header to support some new vista related windows
SDK functions. In particular, we need the definitions required for
GetIpInterfaceEntry which can be used to obtain interface route metrics.
r510 | mgrooms | 2008-08-30 23:26:38 -0500 (Sat, 30 Aug 2008) | 2 lines

Attempt to improve the Linux iproute class. The netlink message parsing
code was barely working before. There may still be bugs lingering but
it's difficult to say with the documentation being so impressively vague.

r509 | mgrooms | 2008-08-30 15:23:24 -0500 (Sat, 30 Aug 2008) | 2 lines

Modify the BSD IPROUTE class to use the IPROUTE_ENTRY struct as a
parameter instead of many individual parameters.

r508 | mgrooms | 2008-08-30 14:52:28 -0500 (Sat, 30 Aug 2008) | 1 line

Modify all IPROUTE consumers to pass the IPROUTE_ENTRY structure as a
parameter instead of passing many individual parameters. This has been
changed in the windows IPROUTE class but unix variants still need to be
updated. This will happen in a follow up commit.
r506 | mgrooms | 2008-08-30 13:49:55 -0500 (Sat, 30 Aug 2008) | 1 line

Modify libith to honor the const char changes on windows platforms.
r504 | mgrooms | 2008-08-30 12:45:28 -0500 (Sat, 30 Aug 2008) | 1 line

Correct an issue in the unix vpn connect application. Check that a local
ID exists before blindly sending the value to iked. Without this patch,
the local ID would be transmitted as the remote ID if no remote ID
r503 | mgrooms | 2008-08-28 23:52:07 -0500 (Thu, 28 Aug 2008) | 2 lines

Remove some debug printf statements from the unix libip route code.

r502 | mgrooms | 2008-08-28 23:04:00 -0500 (Thu, 28 Aug 2008) | 2 lines

Make the route metric increment and decrement function a no-op on Linux.
It appears to be giving preference to newer routes which should be
sufficient for our purposes.

r501 | mgrooms | 2008-08-28 16:10:36 -0500 (Thu, 28 Aug 2008) | 2 lines

Improve the libip route class for unix platforms. The route increment
and decrement functions were previously unimplemented. Since some unix
platforms don't support multiple concurrent routes to the same
destination network, we now replace and restore conflicting routes when
necessary using cached information. This has only been tested on
FreeBSD and may need to be tweaked for Linux.

r499 | mgrooms | 2008-08-23 14:05:25 -0500 (Sat, 23 Aug 2008) | 1 line

Correct an issue in iked where NAT-T keep-alive packets were not being
identified correctly. Also correctly handle packets with malformed
ISAKMP headers.
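The r499 fix above touches the receive path for the NAT-T port, where a single socket carries three kinds of datagram and the first bytes decide which. The block below is an added example, not the iked implementation: it classifies a datagram using the RFC 3948 framing (a single 0xFF octet is a keep-alive, four zero octets are the Non-ESP Marker in front of an ISAKMP message, any other leading 32-bit value is an ESP SPI) and validates the fixed 28-byte ISAKMP header against the datagram length before anything parses it. The sample datagrams are constructed, not captured, and the draft-00/01 NAT-T framing mentioned elsewhere in this log is not covered.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum natt_kind { NATT_KEEPALIVE, NATT_IKE, NATT_ESP, NATT_MALFORMED };

#define NON_ESP_MARKER_LEN 4
#define ISAKMP_HDR_LEN     28   /* fixed ISAKMP header size */

/* Read a big-endian 32-bit value. */
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Classify a datagram from the NAT-T socket. On NATT_IKE, *ike_off and
 * *ike_len (if non-NULL) receive the offset and length of the ISAKMP
 * message, already checked against the header's Length field so payload
 * parsing cannot run off the end of the buffer. */
enum natt_kind natt_classify(const uint8_t *pkt, size_t len,
                             size_t *ike_off, size_t *ike_len)
{
    if (len == 1 && pkt[0] == 0xFF)
        return NATT_KEEPALIVE;
    if (len < NON_ESP_MARKER_LEN)
        return NATT_MALFORMED;          /* too short for a marker or SPI */
    if (rd32(pkt) != 0)
        return NATT_ESP;                /* leading 32 bits are an ESP SPI */

    const uint8_t *hdr = pkt + NON_ESP_MARKER_LEN;
    size_t avail = len - NON_ESP_MARKER_LEN;
    if (avail < ISAKMP_HDR_LEN)
        return NATT_MALFORMED;          /* truncated ISAKMP header */

    uint32_t declared = rd32(hdr + 24); /* Length field, header octets 24..27 */
    if (declared < ISAKMP_HDR_LEN || declared > avail)
        return NATT_MALFORMED;          /* Length disagrees with the datagram */

    if (ike_off) *ike_off = NON_ESP_MARKER_LEN;
    if (ike_len) *ike_len = declared;
    return NATT_IKE;
}

/* Constructed samples. */
static const uint8_t keepalive[] = { 0xFF };
static const uint8_t esp_pkt[]   = { 0x00, 0x00, 0x12, 0x34, 0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t ike_ok[NON_ESP_MARKER_LEN + ISAKMP_HDR_LEN] = {
    0x00, 0x00, 0x00, 0x00,                          /* Non-ESP Marker   */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,  /* initiator cookie */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* responder cookie */
    0x01,                                            /* next payload: SA */
    0x10,                                            /* version 1.0      */
    0x02,                                            /* identity protection */
    0x00,                                            /* flags            */
    0x00, 0x00, 0x00, 0x00,                          /* message id       */
    0x00, 0x00, 0x00, 0x1C                           /* length = 28      */
};

/* Classify a copy of ike_ok whose Length field is replaced by `length`. */
enum natt_kind classify_with_length(uint32_t length)
{
    uint8_t buf[sizeof ike_ok];
    memcpy(buf, ike_ok, sizeof buf);
    buf[28] = length >> 24; buf[29] = length >> 16;
    buf[30] = length >> 8;  buf[31] = length;
    return natt_classify(buf, sizeof buf, NULL, NULL);
}

int main(void)
{
    static const char *names[] = { "keepalive", "ike", "esp", "malformed" };
    printf("1 byte 0xFF         : %s\n", names[natt_classify(keepalive, sizeof keepalive, NULL, NULL)]);
    printf("non-zero SPI        : %s\n", names[natt_classify(esp_pkt, sizeof esp_pkt, NULL, NULL)]);
    printf("marker + header     : %s\n", names[natt_classify(ike_ok, sizeof ike_ok, NULL, NULL)]);
    printf("marker + 16 bytes   : %s\n", names[natt_classify(ike_ok, 20, NULL, NULL)]);
    printf("length field = 1000 : %s\n", names[classify_with_length(1000)]);
    return 0;
}
```

The two checks after the marker are the ones that matter for robustness: an attacker on the path can send a four-zero-byte datagram with fewer than 28 octets behind it, or a header whose Length field exceeds the datagram, and a parser that trusts either will read beyond the receive buffer.
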
r497 | mgrooms | 2008-08-23 11:07:23 -0500 (Sat, 23 Aug 2008) | 2 lines

Use const char declarations where appropriate to silence gcc 4.2 compile
time warnings.

r495 | mgrooms | 2008-08-23 01:34:15 -0500 (Sat, 23 Aug 2008) | 2 lines

Make sure we set the version number for new site configurations in the
unix access manager.

r493 | mgrooms | 2008-08-23 01:13:28 -0500 (Sat, 23 Aug 2008) | 2 lines

Correct a problem with tap address configuration on FreeBSD 7.x and
later. Use SIOCAIFADDR instead of SIOCSIFADDR on BSD platforms to avoid
an issue where the local link route is irreversibly set to an 8 bit

r490 | mgrooms | 2008-08-22 16:49:55 -0500 (Fri, 22 Aug 2008) | 1 line

Improve iked phase1 identifier matching log output.
r488 | mgrooms | 2008-08-21 11:02:11 -0500 (Thu, 21 Aug 2008) | 4 lines

Correct some issues with the unix access manager application. A bug was
preventing the direct adapter mode from being selected. Thanks to
Prakash for reporting the problem and testing the patches.

Correct a buffer overflow issue with the unix connect application.
Submitted by Tai-hwa Liang.

r487 | mgrooms | 2008-08-19 16:27:15 -0500 (Tue, 19 Aug 2008) | 1 line

Update the todo list.
r486 | mgrooms | 2008-07-17 23:12:19 -0500 (Thu, 17 Jul 2008) | 2 lines

Correct an issue with iked where the unix NAT-T socket option was not
being set correctly for v00-01 protocol versions. Also set the broadcast
address on tap adapters for platforms that don't set this correctly when
the netmask is applied.

r485 | mgrooms | 2008-07-01 09:50:22 -0500 (Tue, 01 Jul 2008) | 1 line

Restructure our todo list.