path: root/sbin/iked/ikev2_pld.c
Age | Commit message | Author
2019-08-24 | Fix conflict when IKE SA and Child SA rekeying happen at the same time. | tobhe
2019-08-14 | Fix NAT traversal detection bug when "local" option is not explicitly | tobhe
2019-08-12 | Prepend SPI to send and recv log messages to see which line belongs to | tobhe
2019-05-11 | Add support for IKEv2 Message Fragmentation as defined in RFC 7383. | Patrick Wildt
2018-03-22 | The iked(8) fuzzer did not fuzz encrypted payloads. With that changed | Patrick Wildt
2017-12-07 | Change the SA payload parser to parse more than the first proposal. This | Patrick Wildt
2017-12-04 | Remove duplicate check that never could execute because the exact same | Patrick Wildt
2017-12-04 | Consistently log "malformed payload" instead of "payload malformed", and | Patrick Wildt
2017-12-04 | Remove check that is now a duplicate due to recent refactoring. | Patrick Wildt
2017-12-04 | The payloads are layered like onions, so you can validate one layer and | Patrick Wildt
2017-11-30 | Add support for rejecting IKE SA messages. This means that we can reply | Patrick Wildt
2017-11-27 | Implement MOBIKE (RFC 4555) support in iked(8), with us acting as | Patrick Wildt
2017-04-13 | Add a NAT-T keepalive timer in case we are behind a NAT gateway. | Patrick Wildt
2017-03-27 | Don't cache the DH group in the policy | Mike Belopuhov
2017-03-27 | Add support to reflect the responder IKEv2 COOKIE. | Reyk Floeter
2017-03-13 | Resolve simultaneous IKE SA rekeying | Mike Belopuhov
2017-03-13 | Improve reporting of authentication errors | Mike Belopuhov
2017-01-20 | Include only found SPIs into the PAYLOAD_DELETE message | Mike Belopuhov
2017-01-20 | Minor formatting fix | Mike Belopuhov
2015-10-15 | Remove some unnecessary NULL-checks before free(). Change two bzero() | mmcc
2015-10-01 | Don't reject an "empty" CERTREQ (one with no CA hashes), instead treat it as | Stuart Henderson
2015-10-01 | Fix interoperability with Apple iOS9: If we don't get a (valid) | Reyk Floeter
2015-08-21 | Switch iked to C99-style fixed-width integer types. | Reyk Floeter
2015-08-19 | spacing (no binary change, verified with checksums) | Reyk Floeter
2015-03-26 | initial support for RFC 7427 signatures, so we are no longer | Markus Friedl
2015-02-06 | unneeded getopt.h | Theo de Raadt
2015-01-19 | Remove unnecessary <netinet/ip_ipsp.h> includes | Mike Belopuhov
2015-01-16 | Replace <sys/param.h> with <limits.h> and other less dirty headers where | Theo de Raadt
2014-11-07 | Run eap_parse on the actual message and only when the length is right | Mike Belopuhov
2014-05-06 | initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey | Markus Friedl
2014-05-06 | don't sa_free() in the receive path (prevents use-after-free); ok mikeb@ | Markus Friedl
2014-05-06 | make sure some notify payloads are encrypted; ok mikeb@ | Markus Friedl
2014-05-06 | initial support for PFS; ok reyk@ | Markus Friedl
2014-05-05 | validate the attribute length, too; from hshoexer; ok mikeb | Markus Friedl
2014-04-28 | spacing | Reyk Floeter
2014-04-10 | Add validation routines to ikev2_pld.c: For each payload type overall | Reyk Floeter
2014-02-17 | Fix compiler warnings in the format strings: use %zd for ssize_t and | Reyk Floeter
2014-02-14 | initial support for IPComp | Markus Friedl
2014-02-12 | make sure to set the msg_responded flag on the original message; ok mikeb@ | Markus Friedl
2014-01-24 | use a bit saner timer api | Mike Belopuhov
2014-01-22 | implement DPD similar to isakmpd, but only send DPD-messages 'on-demand' | Markus Friedl
2013-12-03 | never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr | Markus Friedl
2013-11-28 | support raw pubkey authentication w/o x509 certificates; | Markus Friedl
2013-03-21 | remove excessive includes | Theo de Raadt
2013-01-08 | Remove private CVS tag from an obsolete repository and bump copyright | Reyk Floeter
2012-12-15 | Don't dereference NULL pointers (and some cleanup here). | Reyk Floeter
2012-10-22 | Fix NAT-T support in iked, both on the initiator and the responder | Reyk Floeter
2012-09-18 | update email addresses to match reality. | Reyk Floeter
2012-06-22 | decouple timer initialization from timer_register | Mike Belopuhov
2012-05-30 | more timer changes | Mike Belopuhov