------------------------------------------------------------------------
r580 | mgrooms | 2006-08-23 12:01:29 +0000 (Wed, 23 Aug 2006) | 1 line
Don't reassemble or pre-fragment packets that specify the DF bit in the
IP header.
------------------------------------------------------------------------
r578 | mgrooms | 2006-08-20 11:05:49 +0000 (Sun, 20 Aug 2006) | 1 line
Merge libvprot from head. This is required for dialup adapter support.
------------------------------------------------------------------------
r575 | mgrooms | 2006-08-20 09:20:05 +0000 (Sun, 20 Aug 2006) | 2 lines
Modify VNet read timeout parameter in client receive loop.
------------------------------------------------------------------------
r573 | mgrooms | 2006-08-20 09:16:20 +0000 (Sun, 20 Aug 2006) | 4 lines
Merge head version of the virtual network driver. Changes include misc
cleanup and addition of CheckForHang handler.
Merge head version of the virtual protocol driver. Changes include misc
cleanup and support for DialUp adapters.
------------------------------------------------------------------------
r570 | mgrooms | 2006-08-19 16:10:15 +0000 (Sat, 19 Aug 2006) | 1 line
Modify vnet and vprot kernel drivers to only queue packets on device io
objects that require read access. Modify libvnet and libvprot to only
specify the required access when opening the device. This prevents
kernel resources from being allocated when they are not required.
------------------------------------------------------------------------
r567 | mgrooms | 2006-08-19 10:37:56 +0000 (Sat, 19 Aug 2006) | 3 lines
Add support for private dump to record packets after they have been
fragmented in the outbound path. This gives a more accurate
representation of what should show up on the remote end of the tunnel.
Add a workaround for interoperability. For some reason, Cisco appears to
drop esp packets when the encrypted payload is less than 32 bytes. I
tested the same traffic patterns over FreeBSD and NetBSD without
encountering this issue so I don't think its a detail in the standards
track I overlooked.
------------------------------------------------------------------------
r566 | mgrooms | 2006-08-18 23:41:14 +0000 (Fri, 18 Aug 2006) | 1 line
Correct a send order issue with a queued packet waiting on an IPSEC SA.
This was causing the packet to be dropped by the peer as it had not yet
received the third packet in the quick mode exchange. As a result, the
first traffic that triggered a new quick mode exchange would appear to
stall for a short time.
------------------------------------------------------------------------
r562 | mgrooms | 2006-08-18 12:14:30 +0000 (Fri, 18 Aug 2006) | 3 lines
Modify the IPFRAG API so the caller is not required to have IP header
information to optimize the case where fragment re-assembly is required.
This was a layering violation.
Modify the VProt driver to return fragmented UDP packets for
re-assembly. This was causing fragmented NATT UDP packets to be
discarded as the following fragments were not being seen by IPSECD.
------------------------------------------------------------------------
r560 | mgrooms | 2006-08-17 22:36:04 +0000 (Thu, 17 Aug 2006) | 3 lines
Prevent the Virtual network drivers Maximum Packet size from being
overwritten when the Look Ahead buffer is adjusted by a bound protocol
driver. This was causing the OS to use a bogus MTU for the adapter and
my head to ache.
Simplify the fragmentation code and remove an unused option that I
believe may have been causing problems.
------------------------------------------------------------------------
r558 | mgrooms | 2006-08-16 22:23:14 +0000 (Wed, 16 Aug 2006) | 1 line
Fix for NATT negotiations in main mode.
------------------------------------------------------------------------
r554 | mgrooms | 2006-08-14 22:18:08 +0000 (Mon, 14 Aug 2006) | 1 line
Fix for RFC NATT. When NATT V02 support was added for compatibility, a
bug was introduced that was preventing the NATT RFC version from being
selected properly.
------------------------------------------------------------------------
r545 | mgrooms | 2006-08-12 01:15:07 +0000 (Sat, 12 Aug 2006) | 1 line
Throw an error if we don't have a valid address and netmask for our
virtual adapter.
------------------------------------------------------------------------
r543 | mgrooms | 2006-08-12 00:56:26 +0000 (Sat, 12 Aug 2006) | 1 line
Merge in rewritten route management code from head. Thanks to testing
performed by Peter Eisch and Brian Jones.
------------------------------------------------------------------------
r537 | mgrooms | 2006-08-09 21:26:29 +0000 (Wed, 09 Aug 2006) | 3 lines
Clear the resend queue when the modecfg configuration is complete. This
was causing multiple configuration exchanges to occur after we already
received a response from the server.
This error was noticed while reviewing a log submitted by Peter Eisch.
------------------------------------------------------------------------
r533 | mgrooms | 2006-08-07 20:59:14 +0000 (Mon, 07 Aug 2006) | 1 line
Force a DHCP release before closing the VNET adapter. This dramatically
increases the speed of tunnel shutdown as windows appears to hang with
open adapter network descriptors until this step completes.
------------------------------------------------------------------------
r531 | mgrooms | 2006-08-07 02:25:52 +0000 (Mon, 07 Aug 2006) | 1 line
Branch for 1.0 release.
------------------------------------------------------------------------
r530 | mgrooms | 2006-08-07 02:24:52 +0000 (Mon, 07 Aug 2006) | 1 line
Update NSIS scrips to reflect new directory structure.
------------------------------------------------------------------------
r529 | mgrooms | 2006-08-07 02:06:03 +0000 (Mon, 07 Aug 2006) | 1 line
Add stray file to project.
------------------------------------------------------------------------
r528 | mgrooms | 2006-08-07 02:01:33 +0000 (Mon, 07 Aug 2006) | 1 line
Prepare for a 1.0 branch. Move all files out of the project root into a
head folder.
------------------------------------------------------------------------
r527 | mgrooms | 2006-08-07 01:48:47 +0000 (Mon, 07 Aug 2006) | 1 line
Created folder remotely
------------------------------------------------------------------------
r526 | mgrooms | 2006-08-07 01:40:44 +0000 (Mon, 07 Aug 2006) | 1 line
Minor documentation updates.
------------------------------------------------------------------------
r525 | mgrooms | 2006-08-06 22:12:35 +0000 (Sun, 06 Aug 2006) | 5 lines
When split net configuration is requested from the server but none is
offered, default to splitnet exclude with no exclusions. This enforces a
default behavior of passing all traffic across the tunnel. Log a status
message to the client feedback window.
Don't add and remove the default route my manipulating the global route
table. Simply pass this setting to windows via a DHCP option. When
working with this code, I believe another issue with accidentally
removing the real system default route was corrected permanently.
These two changes were inspired by comments submitted by Peter Eisch who
lingers on the ipsec-tools list.
------------------------------------------------------------------------
r524 | mgrooms | 2006-08-03 22:22:39 +0000 (Thu, 03 Aug 2006) | 1 line
Update help documentation to note that the client only works with
Ethernet adapters at the moment.
------------------------------------------------------------------------
r523 | mgrooms | 2006-08-03 22:17:02 +0000 (Thu, 03 Aug 2006) | 1 line
Modify the installer to make the program group and icons available to
all users after install. Use a security descriptor when creating our
named pipes to allow unprivileged users to communicate with the daemon.
------------------------------------------------------------------------
r522 | mgrooms | 2006-08-02 23:10:18 +0000 (Wed, 02 Aug 2006) | 1 line
Update the documentation and our todo list.
------------------------------------------------------------------------
r521 | mgrooms | 2006-08-02 23:08:04 +0000 (Wed, 02 Aug 2006) | 1 line
Work around for using the enter key to activate the default button (
connect in this case ) for IPSECC. That darn button just wont stay the
default for some reason.
------------------------------------------------------------------------
r520 | mgrooms | 2006-08-02 21:34:41 +0000 (Wed, 02 Aug 2006) | 1 line
Add missing VC project file for IPSECT.
------------------------------------------------------------------------
r519 | mgrooms | 2006-08-02 21:32:33 +0000 (Wed, 02 Aug 2006) | 3 lines
Add a missing file to the repository.
Minor cleanup for IPSECD and IPSECC source code. No user visible
changes.
------------------------------------------------------------------------
r518 | mgrooms | 2006-07-27 23:11:29 +0000 (Thu, 27 Jul 2006) | 1 line
Increase the maximum certificate size allowed in the phase1 exchange.
The previous value was too constrictive and was causing negotiation
failures in some cases. Correct some debug output associated with
certificate payload handling.
------------------------------------------------------------------------
r517 | mgrooms | 2006-07-19 23:28:48 +0000 (Wed, 19 Jul 2006) | 5 lines
Simplify ISAKMP modecfg attribute handling and fix a bug where attribute
evaluation could cause a busy loop.
When DNS settings are obtained from the gateway, request split DNS
configuration info even though we do nothing with it at this point.
Correct a serious bug where IPSECD would delete the host operating
systems default route. This was caused by testing an uninitialized class
member variable.
------------------------------------------------------------------------
r516 | mgrooms | 2006-07-15 16:43:33 +0000 (Sat, 15 Jul 2006) | 1 line
------------------------------------------------------------------------
r515 | mgrooms | 2006-07-15 05:53:11 +0000 (Sat, 15 Jul 2006) | 5 lines
orrect a bug that was effecting communications when both fragmentation
and NAT-T options were enabled. Processing certain fragmented packets
would yield malformed esp transport data. These packets would be dropped
by the remote peer which caused communication failures.
Respect the configuration settings for IKE fragmentation usage during
peer negotitation. Tweak the minimum value for the fragmentation
setting.
------------------------------------------------------------------------
r514 | mgrooms | 2006-07-15 05:50:52 +0000 (Sat, 15 Jul 2006) | 2 lines
Uodate todo ...
------------------------------------------------------------------------
r513 | mgrooms | 2006-07-13 03:57:28 +0000 (Thu, 13 Jul 2006) | 1 line
Use reference counts to determine when it is safe to delete the tunnel
config. This replaces our older behavior of performing a sweep for any
living sa's that may be referencing the tunnel by id. As a side benefit,
sa's now contain a pointer to the tunnel configuration which may prove
useful when refining the internal API.
------------------------------------------------------------------------
r512 | mgrooms | 2006-07-13 01:44:01 +0000 (Thu, 13 Jul 2006) | 1 line
Correct a bug that was preventing the NATT force option from working
correctly. Also, use the NATT port defined in the site configuration
instead of always using the default 4500.
------------------------------------------------------------------------
r511 | mgrooms | 2006-07-13 00:18:11 +0000 (Thu, 13 Jul 2006) | 3 lines
Correct a bug that was causing a tunnel object to be referenced after it
had been deleted. This was only visible in very rare circumstances when
a tunnel was being shut down.
Clean up some reference counting debug output.
------------------------------------------------------------------------
r510 | mgrooms | 2006-07-09 06:29:53 +0000 (Sun, 09 Jul 2006) | 1 line
When adding policies to our security database, ensure that a duplicate
does not already exist. This caused problems when identical networks
were supplied during mode config.
------------------------------------------------------------------------
r509 | mgrooms | 2006-07-08 19:43:59 +0000 (Sat, 08 Jul 2006) | 1 line
Simplify some unnecessarily verbose debug output.
------------------------------------------------------------------------
r508 | mgrooms | 2006-07-08 19:39:04 +0000 (Sat, 08 Jul 2006) | 5 lines
Add support for NAT-T draft version 02. This increases our compatibility
with 3rd party VPN Gateways that do not support the RFC version of
NAT-T.
Fix a bug where the client was using configuration information obtained
via mode config that was not requested. This was causing problems when
certain parameters of a site config were set manually.
Correct problems with mode config message ids and make sure we send an
acknowledgment message after receiving the XAUTH set message.
------------------------------------------------------------------------
r506 | mgrooms | 2006-06-30 00:48:44 +0000 (Fri, 30 Jun 2006) | 1 line
Minor site config limit fixes and a slight change to hash debug output.
------------------------------------------------------------------------
r505 | mgrooms | 2006-03-31 22:31:21 +0000 (Fri, 31 Mar 2006) | 3 lines
Stop calling the 'Topology Entry Dialog' the 'Policy Entry Dialog'. This
was confusing. Update the documentation to reflect this.
Add a documentation image file that was previously omitted.
------------------------------------------------------------------------
r504 | mgrooms | 2006-03-31 21:51:14 +0000 (Fri, 31 Mar 2006) | 1 line
Update for project file changes. These were missed in the last commit.
------------------------------------------------------------------------
r503 | mgrooms | 2006-03-30 00:00:02 +0000 (Thu, 30 Mar 2006) | 3 lines
Update the installer scripts to include the new online help system.
Modify the applications to launch the help system when the 'F1' key is
pressed.
------------------------------------------------------------------------
r502 | mgrooms | 2006-03-28 20:34:29 +0000 (Tue, 28 Mar 2006) | 2 lines
Complete first draft of the help documentation.
------------------------------------------------------------------------
r501 | mgrooms | 2006-03-28 01:41:02 +0000 (Tue, 28 Mar 2006) | 2 lines
Continue work on the help documentation.
------------------------------------------------------------------------
r500 | mgrooms | 2006-03-27 09:30:13 +0000 (Mon, 27 Mar 2006) | 2 lines
Continue work on the help documentation and add a directory that
contains all images used.
------------------------------------------------------------------------
r499 | mgrooms | 2006-03-27 04:48:09 +0000 (Mon, 27 Mar 2006) | 2 lines
Continue work on the help documentation and update the todo list.
------------------------------------------------------------------------
r498 | mgrooms | 2006-03-26 07:39:25 +0000 (Sun, 26 Mar 2006) | 1 line
Continue work on the help documentation and add the AH RFC to our
internal documentation directory.
------------------------------------------------------------------------
r497 | mgrooms | 2006-03-24 22:14:11 +0000 (Fri, 24 Mar 2006) | 1 line
Add a new help project file created using 'Help Maker'. It will output a
MS help file, MS html help file or plain html all from the same document
source.
------------------------------------------------------------------------
r496 | mgrooms | 2006-03-24 03:43:49 +0000 (Fri, 24 Mar 2006) | 3 lines
A very minor bug was discovered in the virtual network kernel driver.
Unique adapter id's were not being generated correctly which was
preventing multiple simultaneous instances from being created. This was
actually the bug that was preventing multiple simultaneous tunnels from
being created.
Prevent multiple tunnels from being created that force all traffic
across their connection. Log an error message in the client window and
disconnect.
------------------------------------------------------------------------
r494 | mgrooms | 2006-03-24 03:02:48 +0000 (Fri, 24 Mar 2006) | 1 line
Update the installer script for the debug install. This has no impact on
the release install package.
------------------------------------------------------------------------
r491 | mgrooms | 2006-03-23 04:54:15 +0000 (Thu, 23 Mar 2006) | 1 line
Update the installer scripts to import site configuration and
certificates that have been bundled with the executable. Document this
behavior in the readme.txt file. This allows an administrator to create
a pre-configured VPN Client package for distribution.
------------------------------------------------------------------------
r490 | mgrooms | 2006-03-23 03:57:43 +0000 (Thu, 23 Mar 2006) | 1 line
Add support for site configuration file import and export via the ipseca
application. These new options can be selected from the main file menu.
The application also accepts a command line switch <-import dir
path> which will attempt to import all files which have a ".vpn"
extension.
------------------------------------------------------------------------
r489 | mgrooms | 2006-03-22 20:33:09 +0000 (Wed, 22 Mar 2006) | 3 lines
Rename the howto.txt to readme.txt as it contains more general
information now.
Correct an issue where a peer message structure was not being
initialized properly. This was causing problems on WinXP boxes when
users were attempting to disconnect and then reconnect.
------------------------------------------------------------------------
r488 | mgrooms | 2006-03-22 03:46:24 +0000 (Wed, 22 Mar 2006) | 1 line
Correct the default route metric issue with the split net exclude
option. When an existing default route is detected on tunnel startup,
demote the route by increasing the metric by one. When the tunnel is
shut down, re-promote the route by increasing the metric by one. This
allows us to temporarily insert our default route with higher precedence
and then revert the route table to its former state.
------------------------------------------------------------------------
r487 | mgrooms | 2006-03-21 00:46:29 +0000 (Tue, 21 Mar 2006) | 11 lines
Update the NSIS installer build scripts to include the ipsect program
and start menu shortcut. Also configure the default file compression
scheme.
Update the howto document to reflect the current state of things.
Add support for a split network exclude option. This option passes all
traffic across the tunnel by default and uses an exclusion list for
local LAN traffic. To accomplish this, a single SA is negotiated with
the remote peer that uses the client IP address as the local id and a
0.0.0.0/0 subnet as the remote id. Since the exclusion list is managed
in the route table, any route already installed that is more specific
than the default ( like the interface local network ) is still routed
localy. The complementary option in racoon is the split_network
local_lan option.
I should note there is still a bug in this implementation. The default
route added does not take precedence over a system added default route.
We either need to re-cost the default route when detected, or play with
the different route protocol types to see if it will offer the
precedence we need.
Move the route management functions from libvnet into libip as they are
not specific to the virtual adapter.
------------------------------------------------------------------------
r486 | mgrooms | 2006-03-19 20:57:20 +0000 (Sun, 19 Mar 2006) | 3 lines
Prevent multiple simultaneous tunnels from being negotiated that
communicate with the same peer gateway. This is mostly just
anti-foot-shooting.
Add support for the PFS modecfg attribute. To use this feature, select
Auto for the PFS group value in the site configuration. In the event
that the server does not respond with the group description value,
assume PFS is disabled.
------------------------------------------------------------------------
r485 | mgrooms | 2006-03-19 19:20:50 +0000 (Sun, 19 Mar 2006) | 9 lines
Take another pass at the SA expire and delete functionality and attempt
to mimic our reference server platform ( ipsec-tools CVS running on
FreeBSD 6.x ) where possible.
When an SA is established, we use an expire time which is one fifth of
the negotiated lifetime. If a packet matches an SA in an expired state,
re-negotiate a replacement SA to avoid packet loss when the mature SA is
deleted.
FreeBSD apparently prefers older SAs by default which can cause problems
for packets that have been processed using an SA that expires while the
packet is still in flight or there is time drift between the peers. To
work around this, we hold SAs up to thirty seconds after the scheduled
delete time and honor them for inbound packet processing. We also use a
doomed time which is one tenth of the negotiated lifetime. If a packet
matches an SAs in a doomed state, we prefer using a newer mature SA for
outbound packet processing.
Don't use code internal to SDB to determine if a delete message is
required. This muddied up the locking code as it violated layering
logic. Review all the daemon locking and correct any issues that were
identified.
Extend ipsecd and libvnet to cleanup the route table before the virtual
adapter is deleted. There is really not much difference here except that
packet processing is halted earlier to prevent unnecessary side work.
------------------------------------------------------------------------
r484 | mgrooms | 2006-03-17 08:47:48 +0000 (Fri, 17 Mar 2006) | 1 line
Correct a critical bug where reference counts were not being handled
properly in the security db. This was causing tunnel and sa objects to
linger which led to communication failures. This was particularly
noticeable after a login failure.
------------------------------------------------------------------------
r483 | mgrooms | 2006-03-17 07:05:01 +0000 (Fri, 17 Mar 2006) | 1 line
Enhance the VPN Trace program. It is now able to start, stop and restart
the ipsecd service as well and configure all debug parameters via an
option dialog.
------------------------------------------------------------------------
r482 | mgrooms | 2006-03-17 01:34:17 +0000 (Fri, 17 Mar 2006) | 1 line
Add a new application named VPN Trace. This application will offer a
better user interface to the VPN Client debug functionality. At the
moment, it only allows you to tail the ipsec daemon log file.
------------------------------------------------------------------------
r481 | mgrooms | 2006-03-16 21:30:09 +0000 (Thu, 16 Mar 2006) | 1 line
Update the howto document.
------------------------------------------------------------------------
r480 | mgrooms | 2006-03-16 18:46:09 +0000 (Thu, 16 Mar 2006) | 1 line
Update the sa timeout and renegotiation to mimic the racoon behavior.
Also fix a few bugs in the new on-demand sa negotiation code.
Apparently, newer immature sas were being favored in some instances and
packets could be queued on a replacement sa even when there was a mature
sa available.
------------------------------------------------------------------------
r479 | mgrooms | 2006-03-16 03:06:40 +0000 (Thu, 16 Mar 2006) | 7 lines
Add support for on demand sa negotiation. This does not change the
behavior for phase1 sas in client mode as they are required for tunnel
setup. Phase two sa behavior is noticeably different as they are only
negotiated when a packet matches a policy for which no sa exists.
An sa is now considered doomed a short time before it expires and is
held for a short time before deletion. If a packet matches an sa when it
is in a doomed state, another sa is immediatly negotiated to take its
place. This is intended to prevent delays in communications for a
security policy that is actively being used. The short hold time is to
compensate for any drift in time keeping or for any packets that get
processed by a peer using an sa that expires while packets are still in
flight.
A single packet per-sa queuing mechanism has also been added so that the
packet that triggered the sa negotiation has a chance to be transmitted
once the sa reaches a mature state. Unfortunately, the packet often
reaches the remote host before the the remote peer has installed the sa
in its sdb. If this happens, the user may encounter a very short delay
in communication.
The user feedback mechanism has been extended to notify the user when a
phase1 sa has been deleted as opposed to only when it expires. This
works nicely with peers like racoon that send delete notifications in
the event that they delete an sa before its expire time. If this
happens, a warning message is logged in the client output window and
then the client disconnects.
------------------------------------------------------------------------
r478 | mgrooms | 2006-03-15 19:30:20 +0000 (Wed, 15 Mar 2006) | 1 line
Correct a copy-n-paste-o that broke ARP spoofing.
------------------------------------------------------------------------
r477 | mgrooms | 2006-03-15 19:21:55 +0000 (Wed, 15 Mar 2006) | 5 lines
Minor fixes for the ip and udp packet handler classes.
Overhaul the DHCP spoofing code to not violate network layering. Since
DHCP is based on UDP, the spoof member function should accept PACKET_UDP
as input and provide PACKET_UDP as well as a broadcast value as output.
Also, provide full text decode when the decode log level is specified.
Rework some of the ike/ipsec matching code in preparation of the
on-demand sa negotiation modificaions which will be landing shortly.
------------------------------------------------------------------------
r476 | mgrooms | 2006-03-14 21:18:28 +0000 (Tue, 14 Mar 2006) | 1 line
The user login session expire time, which is determined by the phase1
sa, is now tracked in the client loop. When it expires, the connection
will now terminate automatically and log a warning message in the client
screen.
------------------------------------------------------------------------
r475 | mgrooms | 2006-03-14 20:36:45 +0000 (Tue, 14 Mar 2006) | 1 line
Update the generic IPFRAG class to be more sensible. It now has a
maximum fragment limit and purges any fragments that are not
re-assembled within a given time frame.
------------------------------------------------------------------------
r474 | mgrooms | 2006-03-14 20:00:02 +0000 (Tue, 14 Mar 2006) | 1 line
Add support for the modecfg banner attribute. A new dialog has been
added to ipcecc to support this. If the banner-used registry value is
set to > 0 in the site config key, the banner will be displayed. I'm not
sure how I will handle this in the config dialog so I'm leaving this to
deal with later.
------------------------------------------------------------------------
r473 | mgrooms | 2006-03-14 10:01:04 +0000 (Tue, 14 Mar 2006) | 1 line
Send all informational notifications suggested in RFC 2408. Handle all
notifications outlined in 2408 that are protected by isakmp phase1. In
other words, we only honor encrypted notifications from a peer we have
already established phase1 with.
------------------------------------------------------------------------
r472 | mgrooms | 2006-03-13 21:16:20 +0000 (Mon, 13 Mar 2006) | 1 line
Correct a few regressions. Some manual client configuration options not
being honored.
------------------------------------------------------------------------
r471 | mgrooms | 2006-03-12 20:00:10 +0000 (Sun, 12 Mar 2006) | 3 lines
Rewrite portions of the notify and delete payload handling routines.
Delete messages and now interpreted when received and sent when an sa
has been deleted before expiring. Very soon, I will be making a sweep to
properly interpret and generate the common notification messages as
well. Right not we only understand NO-PROPOSAL-CHOSEN and send
INITIAL-CONTACT.
Fix a major flaw in the IP packet re-assembly code that was masked by a
misconfigured test gateway. This probably inhibited most tunnel
configurations ( gateways and clients with transport pre-fragmentation
disabled ) from working properly. This may also have been causing the
odd case where windows was unexpectedly dropping the MTU size for
virtual adapters. Anyway, sorry for any head scratching caused by this
bug.
------------------------------------------------------------------------
r470 | mgrooms | 2006-03-12 08:31:51 +0000 (Sun, 12 Mar 2006) | 1 line
Correct a few nasty bugs related to the ike fragment code that only
appear when fragmentation is disabled.
------------------------------------------------------------------------
r469 | mgrooms | 2006-03-12 07:29:06 +0000 (Sun, 12 Mar 2006) | 1 line
Update howto with a new "known issues" section.
------------------------------------------------------------------------
r468 | mgrooms | 2006-03-12 06:42:48 +0000 (Sun, 12 Mar 2006) | 3 lines
Teach the information exchange handlers how to deal with delete
messages. This works well inside the ike deamon, but there is no
feedback for the client application when the phase1 sa gets deleted out
from under it. Not sure how to handle this yet.
Consolidate all phase1 and phase2 lookup functions into one for each.
Use pointers instead of references for the parameter list. This way a
caller can choose which criteria they would like to match against by
specifying the interesting parameters and passing NULL for the
non-interesting ones.
------------------------------------------------------------------------
r467 | mgrooms | 2006-03-12 04:36:37 +0000 (Sun, 12 Mar 2006) | 1 line
Update todo list.
------------------------------------------------------------------------
r466 | mgrooms | 2006-03-12 04:33:27 +0000 (Sun, 12 Mar 2006) | 1 line
Provide support for resending multiple packets. Normally this would not
be necessary but is required for fragmented ike packets that will end up
being multiple ip packets.
------------------------------------------------------------------------
r465 | mgrooms | 2006-03-12 04:20:26 +0000 (Sun, 12 Mar 2006) | 1 line
Fix a bug where packets were being resent even after the associated sdb
db object had been deleted.
------------------------------------------------------------------------
r464 | mgrooms | 2006-03-10 23:45:04 +0000 (Fri, 10 Mar 2006) | 1 line
Implement IKE fragmentation.
------------------------------------------------------------------------
r463 | mgrooms | 2006-03-07 09:54:19 +0000 (Tue, 07 Mar 2006) | 1 line
Correct a bug that was hiding the username/password entry boxes even
when an XAuth mode was being used.
------------------------------------------------------------------------
r462 | mgrooms | 2006-03-07 09:47:58 +0000 (Tue, 07 Mar 2006) | 1 line
Allow for the client wins and dns settings to be disabled.
------------------------------------------------------------------------
r461 | mgrooms | 2006-03-07 07:38:55 +0000 (Tue, 07 Mar 2006) | 15 lines
Fix some compatibility issues with SPIs in the phase1 proposal.
Provide more detail in the debug output for unhandled payload types.
Re-organize the way notification and delete payloads are handled for
both send and receive. Notifications are now handled correctly when
included in either phase1 or phase2 packets.
Rework phase2 and notification message parsing to always parse the hash
payloads before reading all other payloads. This increases our ability
to detect malformed packets.
Rework phase2 payload processing with respect to building the hash
verification blob. We now omit notificaiton payloads from the blob. I am
hoping this will prevent a compatablility issue reported by a user.
Work around a problem where we were not fully reading a certificate
request payload. Now we read the entire payload but ignore the
certificate authority portion. This should be corrected in the future.
Add support for loading certificates and private keys from pkcs12 files.
The ipsec daemon will first try the pem handler and then the pkcs12
handler. If both fail then it reports an error case.
------------------------------------------------------------------------
r459 | mgrooms | 2006-02-26 22:58:19 +0000 (Sun, 26 Feb 2006) | 3 lines
Attempt to correct some dialog layout issues with ipsecc and ipseca.
Disable the use of inf file when creating vnet devices as it was causing
post install issues with ipsecd.
------------------------------------------------------------------------
r458 | mgrooms | 2006-02-25 23:15:19 +0000 (Sat, 25 Feb 2006) | 3 lines
Revamp ipsecc application to use a centralized class. Update the
interface to hide the user name and password interface when traditional
road-warrior methods are used.
Correct a bug in the ipseca load and save code for identity values.
------------------------------------------------------------------------
r457 | mgrooms | 2006-02-25 18:10:01 +0000 (Sat, 25 Feb 2006) | 1 line
More updates to the howto doc.
------------------------------------------------------------------------
r456 | mgrooms | 2006-02-25 18:01:35 +0000 (Sat, 25 Feb 2006) | 1 line
Update the howto document.
------------------------------------------------------------------------
r455 | mgrooms | 2006-02-25 07:19:00 +0000 (Sat, 25 Feb 2006) | 1 line
Update the howto.
------------------------------------------------------------------------
r454 | mgrooms | 2006-02-25 05:54:59 +0000 (Sat, 25 Feb 2006) | 1 line
Support NAT-T keep-alive packets.
------------------------------------------------------------------------
r453 | mgrooms | 2006-02-25 04:26:21 +0000 (Sat, 25 Feb 2006) | 1 line
Implement IPSEC packet retries.
------------------------------------------------------------------------
r452 | mgrooms | 2006-02-25 02:20:52 +0000 (Sat, 25 Feb 2006) | 1 line
Introduce a new class named IPSEC_DB which all db objects are derived
from. This will mostly help us with packet re-transmission but may be
useful in other areas as well.
------------------------------------------------------------------------
r451 | mgrooms | 2006-02-25 01:48:32 +0000 (Sat, 25 Feb 2006) | 3 lines
Fix phase2 negotiation breakage.
Delete sa's when they expire. We don't send delete notifications yet.
------------------------------------------------------------------------
r450 | mgrooms | 2006-02-25 00:44:16 +0000 (Sat, 25 Feb 2006) | 1 line
Allow all sdb member functions to operate in a lock or lockless mode.
This allows us to grab the lock and perform mass operations without
worrying about recursion or incurring lock overhead.
------------------------------------------------------------------------
r449 | mgrooms | 2006-02-24 23:22:54 +0000 (Fri, 24 Feb 2006) | 5 lines
Quite a bit of churn due to my OCD. Changed the IKE_CONFIG class to
IKE_CFG which makes it use a three letter designator just like the other
exchange storage classes.
Relocate to setup routines to be part of the exchange storage classes as
opposed to being part of the IPSECD class. This makes sense as there are
no external dependencies.
Create clean routines as part of the exchange storage classes. They are
used to clean used resources after an SA has matured or has been
declared dead. In the mature case, this allows us to free quite a bit of
lingering resources that would otherwise of stuck around until the
storage class was deleted.
------------------------------------------------------------------------
r448 | mgrooms | 2006-02-24 21:29:40 +0000 (Fri, 24 Feb 2006) | 1 line
Change around some dialog config options to make it easier to disable
keyid type which is not implemented. Remove this as an option for now.
------------------------------------------------------------------------
r447 | mgrooms | 2006-02-24 18:32:29 +0000 (Fri, 24 Feb 2006) | 5 lines
Update ipsecd to include support for dns suffix and dynamic policy lists
in mode cfg.
Update ipseca user interface to reflect current feature set.
Update howto.txt and todo.txt to reflect current feature set.
------------------------------------------------------------------------
r446 | mgrooms | 2006-02-24 03:55:26 +0000 (Fri, 24 Feb 2006) | 1 line
Get all the mutual authentication modes working with the exception of
PSK w/ digital signatures. I will complete this next.
------------------------------------------------------------------------
r445 | mgrooms | 2006-02-24 00:39:07 +0000 (Fri, 24 Feb 2006) | 1 line
Modify ipsecc and ipseci to honor all new configuration parameters. Next
is ipsecd.
------------------------------------------------------------------------
r444 | mgrooms | 2006-02-23 21:39:18 +0000 (Thu, 23 Feb 2006) | 1 line
Modify the ipseca site configuration dialog to support all IPSEC
authentication methods, id types and credentials supported by ipsecd.
The configuration has been extended to handle the modified to handle the
extended attribute set, but the ipsecc program has not. I will be fixing
this in the next commit.
------------------------------------------------------------------------
r443 | mgrooms | 2006-02-21 20:55:24 +0000 (Tue, 21 Feb 2006) | 1 line
Re-organize the install directory to be a bit more sane.
------------------------------------------------------------------------
r442 | mgrooms | 2006-02-21 20:47:06 +0000 (Tue, 21 Feb 2006) | 1 line
Update the release installer build script and add a debug version.
------------------------------------------------------------------------
r441 | mgrooms | 2006-02-21 20:43:15 +0000 (Tue, 21 Feb 2006) | 1 line
Update the ipseca program to display the distributed license text.
------------------------------------------------------------------------
r440 | mgrooms | 2006-02-21 20:15:10 +0000 (Tue, 21 Feb 2006) | 10 lines
Remove the separate process_
generating responses in the exchange processes recv path. Three new
member functions have been created to perform initial contact for their
respective exchange types.
This allows us to accomplish three things ..
1) Packet resend scheduling.
2) Lowered overhead as there is much reduced locking and sadb churn in
the send path.
3) Simplified concurrency as a single thread pool can be used to handle
incoming message processing and resend scheduling. Before this commit,
separate thread pools would have been neccessary for both send and recv.
------------------------------------------------------------------------
r439 | mgrooms | 2006-02-21 07:08:06 +0000 (Tue, 21 Feb 2006) | 12 lines
Add stats interface to ipseci and issue stat messages from ipsecd to
ipsecc once a second. This provides statistics for the tunnel.
Add spiffy looking real-time network tunnel statistics and connection
info to the ipsecc network tab.
Add a workaround in vprot to compensate for the windows ip helper api
returning null addresses for the ethernet adapter we are communicating
through.
Add some error checking and feedback in ipsecd for the vnet create
failure case.
Make sure ipsecd doesn't busy loop when no packets are available to read
or vprot returns RAWNET_NO_SOCK.
------------------------------------------------------------------------
r427 | mgrooms | 2006-02-17 20:06:42 +0000 (Fri, 17 Feb 2006) | 7 lines
Update ipsecc to print out orange warning text when STATUS_WARN messages
are received from IPSECD.
Send a warning message to IPSECC when an sa cannot be established.
There is a nasty nasty bug in the VNET driver code that rears its ugly
head when one IPSECD process deletes a VNET node out from under another
IPSECD process. I don't have the patience to track this down at the
moment so prevent more than one IPSECD process from running at a time.
This is really the way it should be anyhow ( not the kernel bug but
preventing multiple instances ).
Move the IPSECI service handler into a new class named IPSECS. This
hides most of the pipe handling from the daemon.
------------------------------------------------------------------------
r426 | mgrooms | 2006-02-17 17:56:24 +0000 (Fri, 17 Feb 2006) | 5 lines
Add the necessary code to support PFS. This is now enabled in the config
interface as well as the daemon.
Begin to move the notification handling code out of the payload read
handler. It does not belong there.
Update some other misc docs and such.
------------------------------------------------------------------------
r425 | mgrooms | 2006-02-17 04:49:26 +0000 (Fri, 17 Feb 2006) | 1 line
Correct broken NAT discovery for NATT_ENABLE mode and add the new
openssl files. We are now at OpenSSL 0.9.8a
------------------------------------------------------------------------
r424 | mgrooms | 2006-02-17 02:53:48 +0000 (Fri, 17 Feb 2006) | 1 line
License and cosmetic output changes.
------------------------------------------------------------------------
r423 | mgrooms | 2006-02-15 08:35:53 +0000 (Wed, 15 Feb 2006) | 1 line
Update for some documentation and installation script tweaks.
------------------------------------------------------------------------
r422 | mgrooms | 2006-02-15 07:25:53 +0000 (Wed, 15 Feb 2006) | 1 line
Minor update to license.txt
------------------------------------------------------------------------
r421 | mgrooms | 2006-02-15 07:17:52 +0000 (Wed, 15 Feb 2006) | 1 line
Update license compliments of Kevin Brown.
------------------------------------------------------------------------
r420 | mgrooms | 2006-02-15 07:15:03 +0000 (Wed, 15 Feb 2006) | 1 line
OMFG!!! All I have to say is OpenSSL_add_all_algorithms() !!!
------------------------------------------------------------------------
r419 | mgrooms | 2006-02-14 23:42:58 +0000 (Tue, 14 Feb 2006) | 3 lines
There was a problem with the way we were handling RSA authentication.
Most of this has been corrected but there is still a bug with
certificate validation.
Dumping an older version of openssl for 0.9.8a
------------------------------------------------------------------------
r418 | mgrooms | 2006-02-13 21:14:41 +0000 (Mon, 13 Feb 2006) | 1 line
Disable the phase2 key data lifetime for now.
------------------------------------------------------------------------
r417 | mgrooms | 2006-02-13 21:02:05 +0000 (Mon, 13 Feb 2006) | 5 lines
This commit is the result of a broad sweep to make sure all the options
listed in the site config dialog were working properly.
I noticed that our variable key size ciphers were not working. This was
corrected in ipsecd.
Some dialogs were corrected to reflect actual features of the software.
------------------------------------------------------------------------
r416 | mgrooms | 2006-02-13 03:56:11 +0000 (Mon, 13 Feb 2006) | 1 line
Just a bit more cleanup in the vnet functions.
------------------------------------------------------------------------
r415 | mgrooms | 2006-02-13 00:08:28 +0000 (Mon, 13 Feb 2006) | 1 line
Do some manual cleanup in the registry. Windows is a silly operating
system.
------------------------------------------------------------------------
r414 | mgrooms | 2006-02-12 22:49:41 +0000 (Sun, 12 Feb 2006) | 1 line
Add support for logging packets on the public interface as well as
unencrypted ike packets. This was not very fun as complete packets
needed to be re-assembled before logging which defies all best practice
layering programming logic.
------------------------------------------------------------------------
r413 | mgrooms | 2006-02-12 19:53:40 +0000 (Sun, 12 Feb 2006) | 1 line
Convert the libvprot to use the PACKET_IP class for send and recv
operations. Update ipsecd to follow suit.
------------------------------------------------------------------------
r412 | mgrooms | 2006-02-12 17:46:06 +0000 (Sun, 12 Feb 2006) | 7 lines
Add a new class to libip that handles packet dumps in pcap format. This
will be primarily used for debugging purposes. Add some knobs to tell
ipsecd what to log in pcap format. Right now there are three options ...
1) public interface traffic ( encrypted )
2) private interface traffic ( un-encrypted )
3) ike traffic ( un-encrypted )
Only the private interface logging is working at the moment.
------------------------------------------------------------------------
r411 | mgrooms | 2006-02-12 01:36:19 +0000 (Sun, 12 Feb 2006) | 1 line
Correct a few bugs. One with the client interface connection closing
unexpectedly. The other with the window activation code not taking into
account minimized windows.
------------------------------------------------------------------------
r410 | mgrooms | 2006-02-12 01:22:22 +0000 (Sun, 12 Feb 2006) | 5 lines
Correct some ugly code in ipsecc that was calling thing where it
shouldn't have been.
Correct a bug in the ipsecd client control loop where it was trying to
reference null pointers.
Build some logic into ipsecc and ipseca so they will not open multiple
windows configuring the same settings. Rather, push the already open
window into the forground and exit quietly.
------------------------------------------------------------------------
r409 | mgrooms | 2006-02-11 22:58:12 +0000 (Sat, 11 Feb 2006) | 1 line
Forgot about this file churn.
------------------------------------------------------------------------
r408 | mgrooms | 2006-02-11 22:56:18 +0000 (Sat, 11 Feb 2006) | 7 lines
Major cleanup of the vnet and vprot kernel driver interface libraries.
Now both libs are exported as cpp classes. The ipsecd log interface was
split out into its own library as well and is now used by both the
kernel interface libs.
A seperate recv thread is now spawned for each client attachment. This
improves out latency as the thread is not polling the client interface
while receiving packets from the virtual adapter.
Did a bit of performance analysis as well. After a bit of tweaking, we
are in between 3 and 3.5 megabytes per second sustained. This isn't too
shabby considering we are a mixed kernel/userland stack.
------------------------------------------------------------------------
r407 | mgrooms | 2006-02-10 19:40:15 +0000 (Fri, 10 Feb 2006) | 1 line
Update the installer script and correct a typo in the libip target
output which was creating the file in the wrong directory.
------------------------------------------------------------------------
r406 | mgrooms | 2006-02-10 19:35:49 +0000 (Fri, 10 Feb 2006) | 5 lines
Split out the general tcpip packet classes into a separate library named
libip. Split out the rawnet class into a separate library named
libvprot. Sort out all the include and library dependencies.
The two kernel driver interface libraries are about to go through a
MAJOR cleanup. The reorganization is to prepare for this.
Dump the winpcap development cruft. We don't use it any more. The only
vestige is the pcap file and packet header structs which were imported
into libip.h
------------------------------------------------------------------------
r405 | mgrooms | 2006-02-10 17:50:51 +0000 (Fri, 10 Feb 2006) | 1 line
Right, actually commit the new source code files as well as a text
document that describes the debug configuration procedure.
------------------------------------------------------------------------
r404 | mgrooms | 2006-02-10 17:33:01 +0000 (Fri, 10 Feb 2006) | 3 lines
Update ipsecd's logging to use a generic logging facility now offered by
a new class aptly named LOG. These looks like a big commit but is mostly
just mechanical changes.
In the near future, loadable classes will use this generic logging
facility instead of the oh-so-sad printf output.
------------------------------------------------------------------------
r403 | mgrooms | 2006-02-10 03:14:37 +0000 (Fri, 10 Feb 2006) | 9 lines
The major feature in this commit is supporting pre-fragmentaion for the
esp transport. Fragmentation for IKE is forthcoming.
The client feedback loop in ipsecc and the work loop counterpart in
ipsecd was modified as well to have better exit semantics. This makes
disconnect-reconnect more reliable.
The outbound ike processing loop in ipsecd was also modified to be
slightly more efficient.
A generic ip packet fragmentaion handler was added to the ipfrag class
and is now used in both the ip output and esp pre-fragmentation paths.
------------------------------------------------------------------------
r402 | mgrooms | 2006-02-08 20:12:03 +0000 (Wed, 08 Feb 2006) | 1 line
Correct loading of private key files in ipsecd. Correct the handling of
natt and exchange mode options in ipsecc.
------------------------------------------------------------------------
r401 | mgrooms | 2006-02-08 06:08:11 +0000 (Wed, 08 Feb 2006) | 25 lines
Monster commit as its been too long since the last. Added todo list to
track future issues and work.
Significant re-work of site configuration parameters. This includes
changes to the ipseci user interface, config format and ipsecc.
Significant re-work of the ipseci library. This fixed a major bug with
multiple messages being passed in our named pipe but only reading the
first out which discarded some messages. Most of the class members were
re-written and a basic message type is now used for almost all config
messages.
Significant re-work of the ipsecc application. The client now resolves
host names where before it barfed non ip address host definitions. The
main server feedback message loop has been simplified as there are only
status messages issued to the client now. Tabbing now works between
child windows but for some reason the default button is not working in
the normal dialog fashion. This is on the todo list.
Fixed a problem in ipsecd with DHCP spoofing where it was not completing
a required field for lease extension. The client network configuration
manual overrides are now honored by the config exchange and DHCP
spoofing code as well.
Fixed a problem in ipsecd where the initial policy installation was
happening every time we sent a DHCP acknowledgment.
Fixed a problem in ipsecd and ipsecc where the nat-t enable policy was
not being honored in the force case.
Client configuration parameters have been moved to a new struct which
now includes the credentials struct parameters. The credentials are now
passed from client to daemon when the tunnel is initialized. This
simplified the client feedback semantics.
Spoofed arp reply packets in ipsecd are now built but not sent by the
member function. This makes the client code a bit easier to follow as
all packets are sent from one segment of code. Before the send was
hidden in the member function.
The ipsecd text_addr function has been rewritten to not use the winsock
library functions. They were not thread safe and they were REALLY
in-efficient ( sometimes taking up to 30% cpu time ).
IP packet fragmentation code has been broken out into its own class and
reworked to make its functionality more generally usable. Before it was
too tightly interwoven with the rawnet functions. I did this because I
plan to reuse this in the virtual adapter send/recv paths as well.
A poor attempt at normalizing the certificate load paths in ipsecd was
made. This needs to be revisited.
A poor attempt at dynamically setting the adapter MTU for the virtual
adapter was made. I dont think this code will stick around as NDIS makes
this very difficult to do well.
------------------------------------------------------------------------
r398 | mgrooms | 2006-02-03 23:11:56 +0000 (Fri, 03 Feb 2006) | 3 lines
Update ipsecc to actually work as a client. It now reads the site config
name off of the command line. It then uses this config to communicate
with the daemon and setup a tunnel.
Updated the daemon code to understand disconnect message.
------------------------------------------------------------------------
r397 | mgrooms | 2006-02-02 07:16:27 +0000 (Thu, 02 Feb 2006) | 1 line
Add a new header file I forgot about.
------------------------------------------------------------------------
r396 | mgrooms | 2006-02-02 07:15:25 +0000 (Thu, 02 Feb 2006) | 1 line
Update some client code to read in site configuration data.
------------------------------------------------------------------------
r392 | mgrooms | 2006-02-02 00:23:05 +0000 (Thu, 02 Feb 2006) | 1 line
A bit of work to tie ipsecc into the application suite.
------------------------------------------------------------------------
r391 | mgrooms | 2006-02-01 22:49:26 +0000 (Wed, 01 Feb 2006) | 1 line
Reorganize some stuff and add a new library called ipsecp.dll that
handles configuring vpn site properties.
------------------------------------------------------------------------
r390 | mgrooms | 2006-02-01 16:31:29 +0000 (Wed, 01 Feb 2006) | 1 line
Update the installer to include the vpn access manager application.
Update the system tray icon support to respond to mouse input and popup
a minimal menu. This will be expanded later.
------------------------------------------------------------------------
r389 | mgrooms | 2006-02-01 03:37:49 +0000 (Wed, 01 Feb 2006) | 1 line
Virgin import of the access manager application. This is essentially our
vpn 'address book'.
------------------------------------------------------------------------
r381 | mgrooms | 2006-01-29 19:17:44 +0000 (Sun, 29 Jan 2006) | 3 lines
Update the NSIS installer script to handle a complete client install. It
depends on three custom install applications named drvcfg, devcfg and
netcfg which handle driver, device and network component installation.
These will be checked in under different branches.
Allow the IPSEC daemon to run as a win32 service. This involved adding
the usual handlers as well as obtaining the install directory from the
registry to make sure it shares the same working directory as the client
application.
------------------------------------------------------------------------
r380 | mgrooms | 2006-01-27 15:35:36 +0000 (Fri, 27 Jan 2006) | 1 line
Add support for multiple outbound SPI's on a single tunnel. I forgot
this was hacked together originally.
------------------------------------------------------------------------
r379 | mgrooms | 2006-01-27 15:04:43 +0000 (Fri, 27 Jan 2006) | 1 line
I meant ike.match.cpp not ike.matchl.cpp
------------------------------------------------------------------------
r378 | mgrooms | 2006-01-27 15:03:40 +0000 (Fri, 27 Jan 2006) | 3 lines
Add files to build a NSIS install package for the client. Right now,
this mostly just copies the files and creates program icons. Support for
installing the drivers, services and such is forthcoming.
Rename the ike.proposal.cpp to ike.match.cpp as it will contain id
matching code as well.
------------------------------------------------------------------------
r370 | mgrooms | 2006-01-23 19:34:39 +0000 (Mon, 23 Jan 2006) | 1 line
Mostly complete support for NAT-T. Also some rework to use the
PACKET(_*) classes where ever possible to avoid static buffer usage.
------------------------------------------------------------------------
r366 | mgrooms | 2006-01-01 02:34:14 +0000 (Sun, 01 Jan 2006) | 1 line
Fix some bugs with vnet input/output, shuffle some files around and
retire an dead one.
------------------------------------------------------------------------
r365 | mgrooms | 2006-01-01 01:37:47 +0000 (Sun, 01 Jan 2006) | 1 line
This is a first round of much needed cleanup. The biggest change being
the vnet_* functions have been moved into their own library aptly named
libvnet. The other substantial change is that rawnet now defines ip and
udp packet classes which encapsulate associated protocol functions. This
allows us to cleanup quite a bit of packet hand rolling. I should also
add that this class will also see some more cleanup in the next commit.
------------------------------------------------------------------------
r364 | mgrooms | 2005-12-28 08:33:26 +0000 (Wed, 28 Dec 2005) | 8 lines
Rewrite isakmp config exchange handlers to act more like the other
exchange handlers. A lot of cleanup happened as well which makes
everything work as it should in all known cases. Support was also added
for netbios and dns server configuration. We are just missing NATT
support and a pretty gui now.
Route additions parameters were changed to allow for improved
compatibility with windows XP. I need to do some more research on this
as the current parameters could spam the local arp cache.
The header files have been juggled around and a new file has been
created simply called ipsec.h that has all the common static definitions
and structures. This helped us clean some ugly #ifdefs in our headers.
------------------------------------------------------------------------
r363 | mgrooms | 2005-12-28 02:21:33 +0000 (Wed, 28 Dec 2005) | 1 line
And I just can't leave shit alone so I had to go rename some stuff.
------------------------------------------------------------------------
r362 | mgrooms | 2005-12-28 02:13:17 +0000 (Wed, 28 Dec 2005) | 10 lines
This commit adds transactional isakmp support ( mode config ) to our
client. We can now obtain a dynamic IP address and subnet mask from the
server. This code will be going through at least one more major rewrite.
I plan to modify its handling to be more similar to the other exchanges.
A few other features snuck in as well as a bit of cleanup.
Move arp and dhcp spoofing code into its own file called ipsed.spoof.cpp
so the main client loop is a bit easier to follow. The dhcp code was
updated considerably and should work with all MS-DHCP clients now.
UDP checksum code is now in the tree and is enabled for IKE
communications. It is not used by the DHCP spoofing code at the moment.
Add packet capture and store facility to the virtual network interface.
We save the captured traffic in libpcap file format. This is mostly
meant for debugging.
The raw IP send and recv functions were modified to accept in_addr
struct instead of sockaddr_in struct as parameters. It only dealt with
the ip header which would never contain port numbers and the address
family is implicit.
------------------------------------------------------------------------
r361 | mgrooms | 2005-12-25 01:40:19 +0000 (Sun, 25 Dec 2005) | 1 line
Add new files missed in last commit.
------------------------------------------------------------------------
r360 | mgrooms | 2005-12-25 01:39:40 +0000 (Sun, 25 Dec 2005) | 11 lines
Another good sized commit. The main features are Hybrid Authentication
using XAUTH for the client user authentication. Only the user name and
password attributes are supported at the moment.
A group of member functions have been introduced to handle the new
ISAKMP configuration exchange. This is what allows us to do XAUTH. It
will also allow us to do auto client network configuration shortly.
The interface library IPSECI has been extended to support status
feedback message system as well as user credential passing. The client
application takes advantage of this by printing out client feedback and
prompting for user authentication when requested.
Policies are now added to the tunnel config so that phase2 intiation can
be postponed until phase1 and mode config have completed. These policies
are also used to generate the local routes instead of browsing through
our sa database for phase2 objects.
The logging system is now much improved but still needs some work to
prevent buffer overflows. A new lock has been introduced to make sure
log messages are not partially written when another arrives from a
separate thread.
------------------------------------------------------------------------
r359 | mgrooms | 2005-12-24 04:02:46 +0000 (Sat, 24 Dec 2005) | 11 lines
This is a monster commit with many improvements. The biggest of which is
RSA peer authentication.
IKE id structs have been split out into two types. IPV4 and PEER. PEER
supports IPV4 types but IPV4 does not support text id types. This was
done to both save a bit of memory and keep a pure struct around for the
client app interface.
A new data class called BDATA has been introduced. It lives in the new
bdata.cpp and bdata.h files. This class replaces almost all of our hand
rolled storage funtions in IPSECD. It also simplifies the payload
interface a great deal. The last benifit is when used as a temp buffer,
it automaticly cleans up after itself when it goes out of scope.
The client configuration interface IPSECI has been extended to support
new message types. These allow for configuration of psk strings and rsa
key files. Also, a bit of rework has been done in the main client loop
to postpone creation and upping the virtual network interface to insure
all configuration info is available first.
Quite a few new member functions have been introduced to handle
key/certificate files and certificate/signature/cert request payloads in
the isakmp exchange.
This commit includes the vnet config code as it was apparently missed in
a previous commit.
------------------------------------------------------------------------
r358 | mgrooms | 2005-12-19 04:23:57 +0000 (Mon, 19 Dec 2005) | 9 lines
Update ipseci interface to support adding policy information.
Move to using DHCP to configure our VirtualNet adapter address as the
local set address method was to time consuming. Routes for all distant
networks are now added based on phase2 sa definitions stored in our
SADB.
Update all internal buffers to use RAWNET_BUFF_SIZE definition.
Add support for sending informational exchanges. Right now we only
support phase1 notifications. Use this mechanism to send an
INITIAL_CONTACT notification so that remote peers will not use stale
sa's when repeated client connections from the same host occur.
Our VirtualNet driver has been updated to support select like
functionality. Utilize this inside our client code so that we have a
select w/timeout before a read operation.
------------------------------------------------------------------------
r357 | mgrooms | 2005-12-17 08:12:06 +0000 (Sat, 17 Dec 2005) | 2 lines
Move base packet class into rawnet.h and rawnet.c files. Implement ip
packet fragment re-assembly. Some work still needs to be done to cleanup
the fragment list in the case that one is orphaned or we get
malformed/spoofed packets.
------------------------------------------------------------------------
r355 | mgrooms | 2005-12-14 08:37:35 +0000 (Wed, 14 Dec 2005) | 1 line
Push ip header into the rawnet class. Also have it handle packet
fragmentation. Re-assembly is forthcoming.
------------------------------------------------------------------------
r353 | mgrooms | 2005-12-12 06:10:19 +0000 (Mon, 12 Dec 2005) | 3 lines
Lots of work on the ipsec daemon. We now pass traffic back and forth in
real tunnel fashion. Here is some of the work that went into this ...
Create packet_esp_send which handles outbound esp packet encapsulation
and encryption. IP checksum code has been moved into rawnet.cpp as it is
used in multiple files now. After adapters are created we now can assign
routes via the new vnet_adapter_route member function. The client
handler thread now reads packets off the vnet read descriptor and passes
them to packet_esp_send. Lots of other little cleanups and bug fixes.
------------------------------------------------------------------------
r352 | mgrooms | 2005-12-11 02:05:25 +0000 (Sun, 11 Dec 2005) | 1 line
Modify the vnet_adapter_* functions to set the address and netmask
manually via the registry. Add arp reply support for our virtual adapter
so that it will attempt to send packets destined to the distant end of
the tunnel.
------------------------------------------------------------------------
r350 | mgrooms | 2005-12-09 07:50:55 +0000 (Fri, 09 Dec 2005) | 1 line
Initial integration of the virtual network driver stuff. When a client
connects we attempt to create a virtual network interface and initialize
it. Since our driver sucks right now, this just seems to lockup the
system but I wanted to get this code checked in.
------------------------------------------------------------------------
r349 | mgrooms | 2005-12-05 08:13:02 +0000 (Mon, 05 Dec 2005) | 1 line
Add inbound esp processing. It works well at the moment but needs to be
reviewed for error handling. As soon as we integrate the virtual
adapter, getting outbound esp support in should be no trouble and we
should actually get to see the tunnel in action. Exciting!!!
------------------------------------------------------------------------
r348 | mgrooms | 2005-12-05 04:09:44 +0000 (Mon, 05 Dec 2005) | 3 lines
Switch to using winpcap as opposed to raw sockets. We now have the
potential to talk ESP. Add some mostly stub functions that will
eventually handle all ESP packets. Split out IKE_PACKET class into base
PACKET class and derived IKE_PACKET class. Derive a second class called
ESP_PACKET for use with ESP protocol. A few files were added and some
functions were juggled around to accomplish this.
Add phase2_setup funtion to initialize the phase2 sa with cipher and
hash objects that will be used for encrypted transport processing. Add
phase2_gen_keys which builds key material for encrypted transport
processing. Now, if I could just figure out how to derive the IV ...
------------------------------------------------------------------------
r347 | mgrooms | 2005-12-03 18:39:02 +0000 (Sat, 03 Dec 2005) | 1 line
Checkin winpcap stuff as we will be temporarily using it for raw udp and
esp communications. This will eventually be replaced by our own custom
protocol driver that supports blocking reads from all adapters with
timeouts.
------------------------------------------------------------------------
r346 | mgrooms | 2005-11-30 03:00:13 +0000 (Wed, 30 Nov 2005) | 1 line
Clear out the ike.network.cpp file and axe it as there are no longer any
ike specific network function. Retire the packet_recv function as it is
replaced by process_recv which will read both IKE and ESP packets. The
data read will then be handed off to the appropriate
process_[ike/esp]_recv function. Rename all packet_* functions to
packet_ike_* as there will soon be packet_esp_* functions.
------------------------------------------------------------------------
r344 | mgrooms | 2005-11-30 00:00:22 +0000 (Wed, 30 Nov 2005) | 1 line
Initial attempt at integrating the RAWNET class into the IPSEC daemon.
This utilizes raw sockets for communication.
------------------------------------------------------------------------
r341 | mgrooms | 2005-11-23 03:56:06 +0000 (Wed, 23 Nov 2005) | 1 line
Commit missing files that were created but not included in the last
update.
------------------------------------------------------------------------
r340 | mgrooms | 2005-11-23 03:49:02 +0000 (Wed, 23 Nov 2005) | 1 line
Our ipsec daemon can now act as an initiator and a responder for quick
mode negotiations. There has also been a lot of cleanup with respect to
logging and the client interface piece. The security database is managed
better with respect to initialization and cleanup as well. I have also
been working to build a raw socket interface that can be used with the
IPSECD class. This will allow us to co-exist with the windows IPSEC
policy service and provide a base for our ESP protocol handlers.
------------------------------------------------------------------------
r339 | mgrooms | 2005-11-20 07:23:15 +0000 (Sun, 20 Nov 2005) | 1 line
Cleanup some logging and move the winsock initialization and cleanup
handling to the ike.network.cpp file.
------------------------------------------------------------------------
r338 | mgrooms | 2005-11-20 07:04:01 +0000 (Sun, 20 Nov 2005) | 1 line
Rework ike processing by splitting the handlers into send and receive
function groups. This paves the way to supporting retransmission of ike
packets, queued processing of immature sa's and easier abstraction of
the network layer for when we move to raw sockets.
------------------------------------------------------------------------
r337 | mgrooms | 2005-11-20 03:57:55 +0000 (Sun, 20 Nov 2005) | 1 line
Correct IKE phase2 handling for the responder case. We can now complete
quick mode negotiations. Some restructuring will be necessary before we
can test acting as an initiator.
------------------------------------------------------------------------
r336 | mgrooms | 2005-11-20 02:01:15 +0000 (Sun, 20 Nov 2005) | 1 line
Integrate the use of IPSEC_TUNNEL into the sa ike processing routines.
Use the select socket function to bypass blocking recv socket calls.
Lots of cleanup to enable ike processing to work again. This is to
correct fallout from all the code re-organization and cleanup I have
been doing in the last week. Phase2 still does not complete correctly.
------------------------------------------------------------------------
r335 | mgrooms | 2005-11-19 16:44:05 +0000 (Sat, 19 Nov 2005) | 1 line
Phase 2 hash helper functions do not need the msgid as a parameter as
this is passed in the ike_sa2 class data.
------------------------------------------------------------------------
r334 | mgrooms | 2005-11-19 07:16:18 +0000 (Sat, 19 Nov 2005) | 1 line
Add a new file to store IPSEC_TUNNEL members. Update the sdb member
funtions to properly initialize the reference counts on the object they
manage.
------------------------------------------------------------------------
r333 | mgrooms | 2005-11-19 07:03:20 +0000 (Sat, 19 Nov 2005) | 1 line
Move the named pipe definition into ipseci.h and add some log output to
the sdb add/del_sa funtions.
------------------------------------------------------------------------
r332 | mgrooms | 2005-11-19 06:47:35 +0000 (Sat, 19 Nov 2005) | 1 line
Create ipseci class and use it in ipsecd and ipsecc for inter process
communications. Right now only the send_msg_peer and recv_msg_peer
functions are implemented.
------------------------------------------------------------------------
r331 | mgrooms | 2005-11-19 03:50:35 +0000 (Sat, 19 Nov 2005) | 1 line
Some transient work on client to service interfacing. Added a new
project that will offer a client interface dynamic link library. Right
now it just holds an empty include file.
------------------------------------------------------------------------
r330 | mgrooms | 2005-11-18 05:15:33 +0000 (Fri, 18 Nov 2005) | 1 line
Add some simple functionality for client application connection via a
named pipe. Build a dummy client application that only contains a log
output window.
------------------------------------------------------------------------
r329 | mgrooms | 2005-11-18 02:11:43 +0000 (Fri, 18 Nov 2005) | 1 line
Forgot to checkin updated project file in last commit.
------------------------------------------------------------------------
r328 | mgrooms | 2005-11-18 02:11:05 +0000 (Fri, 18 Nov 2005) | 1 line
Rename ike.sdb.cpp to ipsec.sdb.cpp. Split out SA funtions from
ipsec.sdb.cpp and place them in ike.cpp file. Add peer get/add/del_peer
functions. Add mutex protected refrence counting to all sdb get/add/del
member funtions.
------------------------------------------------------------------------
r327 | mgrooms | 2005-11-16 06:18:57 +0000 (Wed, 16 Nov 2005) | 1 line
Do a bit of cleanup and commenting. Add a new list for ipsec peers to
the IPSEC class as well as a preliminary definition for the IPSEC_PEER
struct to define a peer.
------------------------------------------------------------------------
r326 | mgrooms | 2005-11-16 04:47:01 +0000 (Wed, 16 Nov 2005) | 1 line
Forgot to include ike.h header file.
------------------------------------------------------------------------
r325 | mgrooms | 2005-11-16 04:46:26 +0000 (Wed, 16 Nov 2005) | 1 line
Rename IKE class to IPSEC and break out IKE specific definitions into
its own header file. Two header files now exist named ike.h and ipsec.h
with ipsec.h being the main include file.
------------------------------------------------------------------------
r324 | mgrooms | 2005-11-15 06:40:43 +0000 (Tue, 15 Nov 2005) | 1 line
Lots of cleanup in the IKE handler routines. Im sure I broke lots of
stuff in the process. Split IKE_SA into IKE_SA ( base class ), IKE_SA1
and IKE_SA2 ( derived classes ) for handling phase1 and phase2
negotiations. Modified the SA member variables to be oriented as local
and remote as opposed to initiator and responder. Looking up phase1 SAs
are done now by passing the cookie values and remote address instead of
filling out a incomplete SA as reference. Also, passing an SA is no
longer required to write or read a packet. Instead we pass a IKE_COOKIES
structure. This should be made optional in the read case.
------------------------------------------------------------------------
r323 | mgrooms | 2005-11-15 01:56:09 +0000 (Tue, 15 Nov 2005) | 1 line
Reorganize the source tree to allow for building our future IPSEC daemon
as well as our future IPSEC client. The IKE daemon will get folded into
the IPSEC daemon source.
------------------------------------------------------------------------
r322 | mgrooms | 2005-11-15 01:43:57 +0000 (Tue, 15 Nov 2005) | 1 line
A bunch of bug fixes to act as a responder and to work in aggressive as
well as main mode. Also moved a few network functions to the
ike.network.cpp file.
------------------------------------------------------------------------
r312 | mgrooms | 2005-11-06 02:47:03 +0000 (Sun, 06 Nov 2005) | 1 line
More work on phase2 support. We now complete phase2 negotiations without
error when acting as a responder. Apart from acting as an initiator in
phase2, we are still missing a configuration interface as well as a IPC
mechanism for communicating with user land. Lots of cleanup was also
done with respect to log output. Preliminary support was also added for
building in visual studio 8.
------------------------------------------------------------------------
r311 | mgrooms | 2005-10-25 05:55:45 +0000 (Tue, 25 Oct 2005) | 1 line
Improve debug output and policy matching parameters.
------------------------------------------------------------------------
r310 | mgrooms | 2005-10-24 00:42:10 +0000 (Mon, 24 Oct 2005) | 1 line
Get phase2 working as a responder. There is still a problem with sending
the IDs as racoon chokes on them when they are received.
------------------------------------------------------------------------
r309 | mgrooms | 2005-10-21 23:07:08 +0000 (Fri, 21 Oct 2005) | 1 line
Update notifiy payload code to read all notify messages types. Correct
handling of SPI decode and printing for both notify and delete payloads.
------------------------------------------------------------------------
r308 | mgrooms | 2005-10-18 04:58:09 +0000 (Tue, 18 Oct 2005) | 3 lines
A bit of work on phase2 negotiations. Create an ike member function to
calculating phase2 initiator hash. Also create member function stubs
that will at some point calculate responder and liveliness hashes.
Remove the packet add/get bignum member functions as they are no longer
used. A bit of other random cleanup.
------------------------------------------------------------------------
r307 | mgrooms | 2005-10-18 02:55:09 +0000 (Tue, 18 Oct 2005) | 3 lines
Modify phase1 hash initiator and responder calculation functions to
accept a target buffer for storing the computed hashes. Update code base
to match.
Initialize local id in new_phase1 member function. This should be
handled better in the future.
------------------------------------------------------------------------
r306 | mgrooms | 2005-09-06 05:42:36 +0000 (Tue, 06 Sep 2005) | 1 line
A bit of work on phase2 handling. Also introduce a new struct to
describe ipv4 identifiers and use them in the add/get id payload
handlers.
------------------------------------------------------------------------
r305 | mgrooms | 2005-09-06 01:00:20 +0000 (Tue, 06 Sep 2005) | 4 lines
Rework the way the payload handlers function so that they are not
specific to phase1. Now the payload data written to or read from a
packet is passed as parameters to the member functions instead of pulled
from the sa class.
Modify the way the sa handler functions to support phase2 sa's. We now
read attributes based on the protocol id ( isakmp or esp ) instead of
assuming phase1 attributes. A portion of this rewrite introduced a new
file called ike.proposal.cpp which is mostly just a placeholder right
now but does contain a new function that checks for proposal matches.
------------------------------------------------------------------------
r304 | mgrooms | 2005-09-03 19:52:02 +0000 (Sat, 03 Sep 2005) | 1 line
Add delete payload handler member functions.
------------------------------------------------------------------------
r303 | mgrooms | 2005-09-01 06:29:48 +0000 (Thu, 01 Sep 2005) | 1 line
Rudimentary support for Informational Exchanges and notification
payloads. To handle this, a new parameter is passed to the encrypt and
decrypt functions which pass the Cipher IV data. The new IV data is then
stored in the buffer before returning to the caller. A process_inform(),
paload_get_notify and payload_add_notify member functions has been
added. More work needs to be done to clean these interfaces up.
------------------------------------------------------------------------
r302 | mgrooms | 2005-09-01 02:13:26 +0000 (Thu, 01 Sep 2005) | 1 line
Yeah, well there is not notify exchange is there, but there is an
informational exchange. Rename ike.ex.notify.cpp to ike.ex.inform.cpp
------------------------------------------------------------------------
r301 | mgrooms | 2005-09-01 02:11:35 +0000 (Thu, 01 Sep 2005) | 1 line
Rename the phase1, phase2 and notify files to ex.
they handle the different exchange types.
------------------------------------------------------------------------
r300 | mgrooms | 2005-09-01 02:08:40 +0000 (Thu, 01 Sep 2005) | 1 line
A bit of re-organization to prepare for informational exchange handling.
Renamed phase1_add & phase1_get functions to payload_add and
payload_get. Break exchange processing out into seperate files and
member functions to be called from the main send_recv functions.
------------------------------------------------------------------------
r299 | mgrooms | 2005-08-30 04:51:08 +0000 (Tue, 30 Aug 2005) | 1 line
Finish up with phase1. Added support for acting as a responder in
aggressive mode as well as main mode. We will need to come back at some
point and add support of other id and authentication types, but for now
we are moving on to phase2.
------------------------------------------------------------------------
r298 | mgrooms | 2005-08-29 07:34:11 +0000 (Mon, 29 Aug 2005) | 1 line
Clean up logging facilities, improve debug output and implement
responder functionality for phase1 main mode negotiations. Aggressive
mode should be easy to implement and will be committed soon.
------------------------------------------------------------------------
r297 | mgrooms | 2005-08-28 01:42:56 +0000 (Sun, 28 Aug 2005) | 1 line
Complete support for phase1 negotiations as an initiator. We now support
Aggressive mode as well as Main Identity Protect mode. To implement
this, the code has been changed to handle encoding and decoding of
messages on a per payload basis as opposed to a per packet basis. The
code jumps around a bit more but this was necessary to avoid massive
code duplication. Responder support is coming shortly after which we
just need to be able to handle phase2, notify and delete messages.
------------------------------------------------------------------------
r296 | mgrooms | 2005-08-26 02:23:56 +0000 (Fri, 26 Aug 2005) | 1 line
Get DH group 5,14,15 & 16 working. Just needed to define the static P
values.
------------------------------------------------------------------------
r295 | mgrooms | 2005-08-25 08:07:42 +0000 (Thu, 25 Aug 2005) | 1 line
Update phase1 handlers to use proposal parameters defined in the sa. We
now support a wide range of ciphers, hash algorithms and oakley key
groups ( although not all groups are defined properly ). However, we
still only understand psk authentication and ipv4 identification.
------------------------------------------------------------------------
r294 | mgrooms | 2005-08-24 07:11:30 +0000 (Wed, 24 Aug 2005) | 1 line
Complete the modularization of the phase1 handlers. We now have complete
initiator routines for phase1 main mode. Also moved phase1 member
funtions into a new file called ike.phase1.cpp and created a place
holder file for the phase2 functions.
------------------------------------------------------------------------
r293 | mgrooms | 2005-08-23 06:37:28 +0000 (Tue, 23 Aug 2005) | 1 line
Modularize the phase1 negotiation process. Store phase1 variables in the
phase1 sa object instead of local variables. This is necessary break up
phase1 negotiations into logical steps. More work in this area is
required.
------------------------------------------------------------------------
r292 | mgrooms | 2005-08-18 06:07:58 +0000 (Thu, 18 Aug 2005) | 1 line
A bit of work to store and retrieve phase1 SA's. Break monolithic phase1
function into multiple functions for reading and writing sa,kx and id
packets. Create a function that receives and dispatches the packet to
the appropriate handler.
------------------------------------------------------------------------
r291 | mgrooms | 2005-08-16 19:28:49 +0000 (Tue, 16 Aug 2005) | 1 line
Update debug output to print the local and remote addresses stored in
the SA.
------------------------------------------------------------------------
r290 | mgrooms | 2005-08-16 06:48:38 +0000 (Tue, 16 Aug 2005) | 1 line
Convert mock-up to use IKE_SA_PHASE1 object type. Seems to be broken at
the moment.
------------------------------------------------------------------------
r289 | mgrooms | 2005-08-16 04:15:05 +0000 (Tue, 16 Aug 2005) | 1 line
Add stub definitions for security database classes.
------------------------------------------------------------------------
r286 | mgrooms | 2005-08-11 05:20:38 +0000 (Thu, 11 Aug 2005) | 1 line
Cleanup debug output a bit.
------------------------------------------------------------------------
r285 | mgrooms | 2005-08-11 05:03:57 +0000 (Thu, 11 Aug 2005) | 1 line
Output the computed and received hash on the command line for debug
reference.
------------------------------------------------------------------------
r284 | mgrooms | 2005-08-11 04:20:10 +0000 (Thu, 11 Aug 2005) | 1 line
Add various IPSEC related RFCs to the docs directory.
------------------------------------------------------------------------
r283 | mgrooms | 2005-08-10 16:21:47 +0000 (Wed, 10 Aug 2005) | 1 line
Create docs directory and add xauth ietf draft.
------------------------------------------------------------------------
r282 | mgrooms | 2005-08-10 05:42:41 +0000 (Wed, 10 Aug 2005) | 1 line
We now have a completely working mock-up of phase1 that does
3des-md5-psk and sucks badly. After we have a mock-up of phase2 working,
we be able to start on a real implementation. Until then, more research.
------------------------------------------------------------------------
r281 | mgrooms | 2005-08-08 06:11:54 +0000 (Mon, 08 Aug 2005) | 1 line
Continued work to understand how the protocol works. There is now
mock-up code for a complete phase1 key exchange but its not working
correctly yet.
------------------------------------------------------------------------
r280 | mgrooms | 2005-07-23 00:22:27 +0000 (Sat, 23 Jul 2005) | 1 line
Add packet read functions. Parse sa and kex response packets.
------------------------------------------------------------------------
r278 | mgrooms | 2005-07-21 23:53:55 +0000 (Thu, 21 Jul 2005) | 1 line
Update of ipsec protocol test environment.
------------------------------------------------------------------------
r277 | mgrooms | 2005-07-20 23:35:02 +0000 (Wed, 20 Jul 2005) | 1 line
Correct an invalid offset issue when rewriting payload sizes in an
isakmp packet.
------------------------------------------------------------------------
r275 | mgrooms | 2005-07-20 14:30:04 +0000 (Wed, 20 Jul 2005) | 1 line
Initial import of IPSEC work in progress ...
------------------------------------------------------------------------