r666 | mgrooms | 2006-09-29 15:29:16 +0000 (Fri, 29 Sep 2006) | 1 line

Rewrite the asn1dn input string parser to be more resilient when white
spaces and commas exist for a given key value pair.
r665 | mgrooms | 2006-09-28 17:35:16 +0000 (Thu, 28 Sep 2006) | 1 line

Update the help documentation to reflect the current state of Peer ID
r664 | mgrooms | 2006-09-28 17:02:57 +0000 (Thu, 28 Sep 2006) | 1 line

Resolve a few issues related to NATT discovery. When in main mode, make
sure we send NAT discovery payloads even when we have already detected a
translation. When in aggressive mode using RSA or RSA+XAUTH, make sure
we check perform translation detection.
r663 | mgrooms | 2006-09-27 14:13:57 +0000 (Wed, 27 Sep 2006) | 5 lines

Only allow the ASN.1 DN ID type to be selected for a local ID when a
peer will be validating our credentials using RSA. In other words, don't
allow this type for Hybrid or PSK modes.

When ASN.1 DN is selected as the remote ID type, re-instate the option
to bypass the initial ID verification but still perform consistency
checks using the received value. This option is enabled using the check
box below the remote ID value in the Site Configuration.

Modify ipsect to only update the log output window after a batch of text
has been inserted as opposed to after every line. This speeds things up
r657 | mgrooms | 2006-09-21 13:31:55 +0000 (Thu, 21 Sep 2006) | 3 lines

When using main mode with RSA authentication, the id type options should
not be restricted to address. The restriction only applies to PSK modes.
Bug reported by Massimo Uliana.

Bring in a fix from head to correct a Transparent DNS Proxy matching
issue. While hear, also bring in an optimization that splits the state
entry cleanup out into a different function that gets called once a
second. I believe this bug was reported by Lou at defx dot org.
r654 | mgrooms | 2006-09-20 14:44:27 +0000 (Wed, 20 Sep 2006) | 1 line

Really correct ipsecp project options for debug build.
r653 | mgrooms | 2006-09-20 13:52:24 +0000 (Wed, 20 Sep 2006) | 1 line

Correct ipsecp project options for debug build.
r652 | mgrooms | 2006-09-20 12:35:21 +0000 (Wed, 20 Sep 2006) | 1 line

Update ID usage in help documentation for 1.1 release.
r650 | mgrooms | 2006-09-19 17:58:00 +0000 (Tue, 19 Sep 2006) | 1 line

Correct and issue with the Transparent DNS Proxy code that was causing
ipsecd to crash. This occurred when a DNS request was being evaluated
that exactly matched the suffix contained in the Split DNS
r644 | mgrooms | 2006-09-17 20:22:24 +0000 (Sun, 17 Sep 2006) | 1 line

Make sure we flag the correct state after verifying the remote id.
r640 | mgrooms | 2006-09-17 16:08:41 +0000 (Sun, 17 Sep 2006) | 1 line

Import a few definitions from cfg.h and cfgmgr.h to a private header
file so we don't have to include header files from the DDK. The required
function is exported from the setupapi.lib which is included in the SDK
but is defined.
r639 | mgrooms | 2006-09-16 21:35:27 +0000 (Sat, 16 Sep 2006) | 1 line

Don't rely on the phase1 sa being mature before entering the client recv
r637 | mgrooms | 2006-09-16 17:00:34 +0000 (Sat, 16 Sep 2006) | 1 line

Be more careful about where we a a null terminating character for
logging purposes. This causes id length comparison failures for pure
text id types such as fqdn and ufqdn.
r636 | mgrooms | 2006-09-16 16:28:46 +0000 (Sat, 16 Sep 2006) | 11 lines

Rewrite the site configuration manager id handling functions. When the
user selects a new authentication or exchange type, only reset the ID
type and associated data if it is no longer valid.

Allow all id types for RSA authentication modes instead of only asn1dn.
While this offers more flexibility for configuration, its not usually a
good idea. Typically when a gateway has id checking enabled, it will
reject any ID except for a valid asn1dn because the value wont match the
subject name in the certificate payload later offered by the peer being

Allow for asn1dn IDs to be manually entered in the Site Configuration.
The DN must be an exact match for peer authentication to complete
successfully. The delimiter used for the manually entered DNs may be
forward slashes or commas.

Conitnue to allow the asn1dn subject to be pulled from the local
certificate for use as the local ID when a mutual RSA mode is selected.
Remove the option for pulling the asn1dn subject from the remote
certificate as it could not be used for ID comparison. The peer would
offer its certificate subject ID and not the CA subject id which is what
we have a copy of. If a peer asn1dn value is not manually entered for a
site configuration, the remote id offered by the peer with not be
verified with a specific ID value but will be used to compare against
any future cert payload subjects that are offered in the future. This is
the same behavior as ipsec-tools.

Add two new functions to ipsecd to convert from text to asn1dn and back
to text. Add a new function for creating a peerid from the site
configuration parameters for either the initiator or the responder. Add
another function to compare two arbitrary id types. Use these functions
instead of in-lining the logic in other places where it does not belong.

r635 | mgrooms | 2006-09-15 16:10:41 +0000 (Fri, 15 Sep 2006) | 3 lines

Split the SA state flags into life stat and transmit state flags. We ran
out of bit flags.

Rework the peer identity check code. Match the ID values and optionally
send a notification when a failure occurs.
r632 | mgrooms | 2006-09-14 23:17:58 +0000 (Thu, 14 Sep 2006) | 1 line

Shuffle the load order of the site config so that the authentication
settings get processed after the phase1 settings.
r631 | mgrooms | 2006-09-14 22:51:02 +0000 (Thu, 14 Sep 2006) | 1 line

Strip the path from the file name reported in the file password window.
It gets too ugly.
r630 | mgrooms | 2006-09-14 19:44:20 +0000 (Thu, 14 Sep 2006) | 3 lines

Add support for using a single p12 file for the Gateway CA, Client CERT
and Client Private Key. At the moment, the single file must be specified
for all three entries in the Site Configuration authentication tab.

Add support for encrypted p12 and pem files. I have only tested support
for p12 as I can't seem to figure out how to produce an encrypted pem
cert. When the client connected, the daemon may return a password
required result during tunnel configuration. In this case, the user is
prompted with a password dialog. In the case where a single file is
used, the user will only be prompted for the password once.
r629 | mgrooms | 2006-09-14 10:46:26 +0000 (Thu, 14 Sep 2006) | 1 line

Correct a typo where ipsecc was not evaluated the ipseci return value
properly when setting a local identifier.
r628 | mgrooms | 2006-09-13 22:09:15 +0000 (Wed, 13 Sep 2006) | 5 lines

Update the ipseci interface to support transactional messaging. This
will be required for encrypted pem and p12 support that will be
integrated next.

Isolate the use of ipseci for client feedback to the the client thread
and phase1 cleanup handler. These should not not have been scattered
about the ipsec daemon.

Add a workaround for gateways that support INTERNAL_IP4_ADDRESS but not
INTERNAL_IP4_NETMASK modecfg attributes. If we are offered an address
but not a netmask, cross our fingers and default to a class c subnet
r626 | mgrooms | 2006-09-12 08:49:22 +0000 (Tue, 12 Sep 2006) | 1 line

Don't compare arp request addresses to our policy list if the tunnel is
in default route mode. Thank again to Peter Eisch for the bug report.
r625 | mgrooms | 2006-09-11 22:35:18 +0000 (Mon, 11 Sep 2006) | 7 lines

Add generic isakmp attribute payload read and write handlers. Right now
they are only used in the notify and modecfg handlers as the sa payload
handlers will be reworked in the near future.

Add support for processing RESPONDER-LIFETIME notifications. These are
sent by a responder that allows an SA to be negotiated but insists on
using a lifetime other than the proposal value. We simply adjust our
lifetime to match the responders to prevent communications issues.

Modify the ike cleanup code to only send phase2 delete notifications if
the sa has deleted before its expire time.

Modify the spoofing code to only respond to arp requests for addresses
that match a policy list entry.
r616 | mgrooms | 2006-09-08 11:16:50 +0000 (Fri, 08 Sep 2006) | 3 lines

Correct issues associated with selecting the phase1 exchange type,
authentication type and identity types. Main can be used with PSK
authentication but only the Address identity type is valid. This is
outlined in the RFC.

Correct TAB order issues in IPSECC and print command line options when
none are specified.
r608 | mgrooms | 2006-09-05 08:23:45 +0000 (Tue, 05 Sep 2006) | 1 line

Branch for 1.1 release.
r607 | mgrooms | 2006-08-31 15:13:28 +0000 (Thu, 31 Aug 2006) | 1 line

Add a new command line option for ipsecc. The option ( -a ) means to
auto-connect. This is useful if a user would like to initiate a
connection immediately when the program is launched. For the XAuth case,
specifying a user name and password is no longer sufficient to auto
initiate a connection. You must specify -a along with the other
parameters to auto-initiate connection.
r606 | mgrooms | 2006-08-31 11:33:49 +0000 (Thu, 31 Aug 2006) | 1 line

Ditch the separate thread used to load the site configuration parameters
as it is causing sync issues. A seperate thread was used because the
name resolution of the site gateway can hang if invalid which blocks the
the user interface message thread. Although annoying, this issue will go
away in 1.2 as the name resolution bits will be pushed down into ipsecd.
r605 | mgrooms | 2006-08-30 22:47:48 +0000 (Wed, 30 Aug 2006) | 1 line

Implement Split DNS reverse lookups. We accomplish this by reading the
query section of a DNS packet and compare the encoded address to our
policy list. If the address matches a policy list entry, we send the
request to a tunnel specific DNS server. Otherwise, the request is
forwarded to a DNS server local to the client.
r604 | mgrooms | 2006-08-30 12:20:12 +0000 (Wed, 30 Aug 2006) | 1 line

Update 1.1 release documentation.
r603 | mgrooms | 2006-08-29 22:18:01 +0000 (Tue, 29 Aug 2006) | 1 line

Correct a bug in the Site Configuration Authentication tab where the
address id information was not being handled properly.
r602 | mgrooms | 2006-08-28 23:42:05 +0000 (Mon, 28 Aug 2006) | 3 lines

Actually add the notify payload to the hash data accumulator. Fixes
phase2 negotiations when notify payload is bundled.

Fix 3 typos in the find_name function that was confusing tunnel
transport method values.
r601 | mgrooms | 2006-08-28 21:35:25 +0000 (Mon, 28 Aug 2006) | 1 line

Include notify payload data when calculating a phase2 hash value. Also,
don't use the wrong state flags to expire an SA when a phase2 hash value
check fails. Both bugs discovered by Peter at boku dot net.
r600 | mgrooms | 2006-08-28 14:53:09 +0000 (Mon, 28 Aug 2006) | 1 line

Improve virtual protocol driver and libvprot dialup adapter support. We
now store Line Up and Down state information internally to track
multiple simultaneous WAN IP Link instances. There still may be a small
race condition which would also effect in the 1.0 release. This issue
will be corrected before 1.1 is branched. Until then, a system crash may
occur if a user tries to unload the virtual protocol driver while a WAN
Link shutdown is in progress.
r599 | mgrooms | 2006-08-28 08:31:34 +0000 (Mon, 28 Aug 2006) | 1 line

Fix a few very minor races in the VProt and VNet drivers where the
system cancel spinlock was not being held while nulling an IRP's cancel
r598 | mgrooms | 2006-08-27 23:47:24 +0000 (Sun, 27 Aug 2006) | 1 line

Fix a copy and past-o that broke user authentication in ipsecc.
r597 | mgrooms | 2006-08-27 19:02:10 +0000 (Sun, 27 Aug 2006) | 1 line

Add the ability to specify a user name and password on the ipsecc
command line. In general, this is a bad idea as the values could
probably be read via the system by another process that has sufficient
r596 | mgrooms | 2006-08-27 17:15:41 +0000 (Sun, 27 Aug 2006) | 5 lines

Make sure we are validating the peer ids returned in phase2
negotiations. Create a new function names text_ipv4id which is used to
log the ids during the phase2 negotiations.

Replace the match_peerid function with a match_ipv4id function. This new
function supports exact matching as well as inclusive matching for
phase2 ids.

Rework the policy matching code to use text_ipv4id and match_ipv4id.
r595 | mgrooms | 2006-08-27 14:14:46 +0000 (Sun, 27 Aug 2006) | 5 lines

Correct a bug in the VNet initialization code. When an adapter is
disabled at ipsecd startup, mark it as not in use.

Correct a bug where ipsecd was proceeding even though it was not yet
able to locate the adapter index.

Cleanup some debug output and add color support to ipsect. This makes it
easier to locate errors in the output.
r594 | mgrooms | 2006-08-27 10:15:51 +0000 (Sun, 27 Aug 2006) | 1 line

Rework packet resend operation. Don't make a separate pass through SDB,
just attach the packet to the SDB object and process using generic
resend handlers during our IKE send pass.
r593 | mgrooms | 2006-08-27 08:52:06 +0000 (Sun, 27 Aug 2006) | 7 lines

Make one more pass at correcting ipsecd status message handling for
client. Not all feedback messages were reaching the client as they were
being generated after the client disconnected from ipsecd. Retire the
STATE_SHUTDOWN flag and replace this with a shutdown exit parameter in
the tunnel object. Generate the client feedback message just before the
client disconnects based on this parameter value.

Remove one more superfluous tunnel reference from an internal API call.

Reorganize SDB objects and move them into a separate header. This was
overdue janitorial churn which made no functional changes to the code.

r592 | mgrooms | 2006-08-25 16:43:19 +0000 (Fri, 25 Aug 2006) | 1 line

Audit random number usage. Make sure we are using strong random
generation for all cryptographic functions and pseudo random number
generation functions for everything else.
r591 | mgrooms | 2006-08-25 16:13:59 +0000 (Fri, 25 Aug 2006) | 1 line

Make sure we validate configuration and informational hashes. Make this
functionality uniform throughout the code.
r590 | mgrooms | 2006-08-25 14:53:17 +0000 (Fri, 25 Aug 2006) | 1 line

A bit more cleanup time for the internal API. Remove tunnel parameters
from the notify payload handlers.
r589 | mgrooms | 2006-08-25 14:35:08 +0000 (Fri, 25 Aug 2006) | 1 line

Cleanup time for the internal API. Now that SA's carry a pointer to the
tunnel object, stop passing a separate copy in API calls that already
pass an SA in their parameter list.
r588 | mgrooms | 2006-08-25 10:23:16 +0000 (Fri, 25 Aug 2006) | 3 lines

Add WINS registry configuration support. This was the only setting that
was missing after moving away from DHCP config. While here, fix a
registry handle leak.

Correct the client feedback output with respect to a peer disconnect vs
user disconnect.
r587 | mgrooms | 2006-08-25 09:17:23 +0000 (Fri, 25 Aug 2006) | 3 lines

Correct an issues where multiple IPSEC SAs were being negotiated when no
mature SA was found or a replacement SA was due for creation.

Correct the client feedback output with respect to a peer disconnect vs
a peer becoming unresponsive.
r586 | mgrooms | 2006-08-25 08:18:10 +0000 (Fri, 25 Aug 2006) | 1 line

Correct ipsecd status message handling for client. The ipsecc feedback
window no longer eludes to a problem for a normal tunnel disconnect.
r585 | mgrooms | 2006-08-24 22:17:41 +0000 (Thu, 24 Aug 2006) | 1 line

Implement active DPD support. If it has been some time since we have not
received a valid ISAKMP or ESP packet, use DPD to validate the peers
responsiveness. If the peer is still unresponsive, shut down the tunnel.
r584 | mgrooms | 2006-08-24 09:26:21 +0000 (Thu, 24 Aug 2006) | 11 lines

Fix output file location for devcfg and drvcfg. Update the installer
scripts to pull from the in-tree location.

Merge the updated device creation routines from libvnet into devcfg.
While there, correct device removal which apparently was not working at

Fix a bug that caused DPD to always be used even if disabled in the

Don't reassemble or pre-fragment packets that specify the DF bit in the
IP header.

Correct the MAC address value used for speaking to the VNet adapter.

Second round of modifications to decrease the time it takes to setup a
local virtual adapter. Add code to disable and enable virtual adapters.
Removed unused DHCP response and release code.
r583 | mgrooms | 2006-08-23 15:33:25 +0000 (Wed, 23 Aug 2006) | 3 lines

Bring devcfg and drvcfg into the tree to share revisions.

Correct a bug where new a adapter was not being created when no free
adapters were available for acquisition.
r582 | mgrooms | 2006-08-23 14:21:44 +0000 (Wed, 23 Aug 2006) | 1 line

Add quick toggle for NDIS driver debug output. Update todo list.