path: root/sbin/iked/ikev2.c
Age | Commit message | Author
2016-06-02 | Use the last 32-bits of the IPv6 address to dynamically assign | Patrick Wildt
2016-06-01 | Implement a second address pool specifically for IPv6, so that | Patrick Wildt
2016-06-01 | ikev2_cp_fixaddr() is called to replace unspecified (e.g. 0.0.0.0) | Patrick Wildt
2015-10-22 | iked hereby pledges that it will run with restricted system | Reyk Floeter
2015-10-19 | Remove the ikev1 stub - Since I started iked, it has an empty privsep | Reyk Floeter
2015-10-15 | Remove some unnecessary NULL-checks before free(). Change two bzero() | mmcc
2015-10-02 | If the policy certreqtype is 0, use the global one instead. | Reyk Floeter
2015-10-01 | Fix interoperability with Apple iOS9: If we don't get a (valid) | Reyk Floeter
2015-08-21 | Switch iked to C99-style fixed-width integer types. | Reyk Floeter
2015-08-19 | spacing (no binary change, verified with checksums) | Reyk Floeter
2015-07-07 | repair policy-ikesa-linking by replacing the broken RB_TREE w/TAILQ | Markus Friedl
2015-03-26 | initial support for RFC 7427 signatures, so we are no longer | Markus Friedl
2015-02-06 | unneeded getopt.h | Theo de Raadt
2015-01-16 | Replace <sys/param.h> with <limits.h> and other less dirty headers where | Theo de Raadt
2014-12-05 | Store return value of i2d_X509_NAME in a signed integer to make | Mike Belopuhov
2014-11-07 | Fixup a few problems with EAP state transition | Mike Belopuhov
2014-11-07 | Repair initiator with PSK auth | Mike Belopuhov
2014-07-09 | expire IPcomp SAs too; ok mikeb (some time ago) | Markus Friedl
2014-05-13 | pass SA initiator not the exchange initiator to sa_address(); ok mikeb@ | Markus Friedl
2014-05-09 | get rid of redundant {csa,flow}_{src,dst}id pointers, so we don't need | Markus Friedl
2014-05-09 | replace iked_transform pointer with xform id, since target of pointer | Markus Friedl
2014-05-07 | make authentication work with X509 certificates that don't have a | Markus Friedl
2014-05-07 | factor out ikev2_ike_auth() (state machine; used multiple times via callbacks) | Markus Friedl
2014-05-06 | change the create-child-sa responder code, so it does not store any | Markus Friedl
2014-05-06 | initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey | Markus Friedl
2014-05-06 | cleanup IKE-SA tree handling (fixes repeated-insert & double-remove) | Markus Friedl
2014-05-06 | send the delete with the locally allocated SPI in ikev2_init_create_child_sa() | Markus Friedl
2014-05-06 | initial support for PFS; ok reyk@ | Markus Friedl
2014-05-06 | retire IKED_REQ_DELETE and fix delete parsing; ok reyk@ | Markus Friedl
2014-04-29 | make sure the state machine only advances if the AUTH payload has | Markus Friedl
2014-04-28 | spacing | Reyk Floeter
2014-04-10 | Add validation routines to ikev2_pld.c: For each payload type overall | Reyk Floeter
2014-03-12 | don't leak an ibuf for each expired SA; ok mikeb@ | Markus Friedl
2014-03-12 | unbreak config-address w/o pool; ok mikeb@ | Markus Friedl
2014-02-26 | don't policy_ref an activate policy (policy_ref/unref are asymmetrical), | Markus Friedl
2014-02-21 | support rekeying for IPCOMP; ok mikeb@ | Markus Friedl
2014-02-18 | check the error from ikev2_cp_setaddr | Markus Friedl
2014-02-17 | interpret 'config address net/prefix' as a pool of addresses and | Markus Friedl
2014-02-17 | Fix compiler warnings in the format strings: use %zd for ssize_t and | Reyk Floeter
2014-02-14 | initial support for IPComp | Markus Friedl
2014-01-24 | re-lookup the policy as soon as we have the ID of the peer (destid) | Markus Friedl
2014-01-24 | use a bit saner timer api | Mike Belopuhov
2014-01-22 | implement DPD similar to isakmpd, but only send DPD-messages 'on-demand' | Markus Friedl
2013-12-09 | distinguish between sa_msgid not set and 0; otherwise we start | Markus Friedl
2013-12-03 | never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr | Markus Friedl
2013-11-28 | mark replaced flows as 'not loaded'; this can happen if both | Markus Friedl
2013-11-28 | drop duplicate requests | Markus Friedl
2013-11-28 | support raw pubkey authentication w/o x509 certificates; | Markus Friedl
2013-06-13 | Add support for protected-subnet config types. | Reyk Floeter
2013-03-21 | remove excessive includes | Theo de Raadt