summaryrefslogtreecommitdiff
path: root/sbin/iked
AgeCommit message (Collapse)Author
2012-10-11The RSA public keys will be found in a subdirectory of /etc/iked/Reyk Floeter
called "pubkeys" not "pubkey". Found by Michael Cardell "MC" Widerkrantz
2012-10-09"If srcid is omitted, the default is to use the hostname of the localReyk Floeter
machine." This has been broken when the subjectAltName certificate check was introduced some time ago. Fix it by obtaining the hostname source Id in the certificate request code as well. ok mikeb@
2012-09-25Correct DPADD to not list libssl which is not used by iked.Brad Smith
ok sthen@ mikeb@
2012-09-22last stage of rfc changes, using consistent Rs/Re blocks, and moving theJason McIntyre
references into a STANDARDS section;
2012-09-18update email addresses to match reality.Reyk Floeter
sure jsg@ mikeb@
2012-07-08if you use nitems() in userland, you must define it yourselfTheo de Raadt
discussed with guenther
2012-07-05when rekeying ike sa copy more info from the old one;Mike Belopuhov
fixes the last known iked inter-op problem with windows 7.
2012-07-03Improve the key derivation function to produce correct keying materialMike Belopuhov
when rekeying IKE SA as specified in the section 2.18 of RFC5996. Makes Windows 7 clients a bit happier.
2012-07-02checking state flags make sense only when processing a responseMike Belopuhov
2012-07-02augment every sa_free call with a debugging log messageMike Belopuhov
2012-07-02Don't close IKE SA immediately after creating a new one when rekeying.Mike Belopuhov
Instead set a timeout that will shut it down in case we don't get an SA delete notification.
2012-07-02a state machine is not worth the trouble when you've got a flag. doh!Mike Belopuhov
2012-06-30enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESPChristian Weisgerber
ok mikeb@
2012-06-29Add missing ESN bitsMike Belopuhov
2012-06-27leftover code re-enqueued the same item on the list multiple timesMike Belopuhov
2012-06-27prevent an endless loopMike Belopuhov
2012-06-26improve ikev2_msg_retransmit_timeoutMike Belopuhov
2012-06-26close SA when IKE_SA_INIT or IKE_AUTH exchanges fail;Mike Belopuhov
don't cache the response to IKE_SA_INIT.
2012-06-26compare exchange types as well when looking up a message;Mike Belopuhov
proceed with a response only when the appropriate request is found.
2012-06-22Add initial support for retransmition timeouts and response retries.Mike Belopuhov
This should still be considered an experimental work in progress.
2012-06-22decouple timer initialization from timer_registerMike Belopuhov
2012-06-04Rounding up a number of bytes in a bignum returned by the BN_num_bytes()Mike Belopuhov
has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@
2012-05-30more timer changesMike Belopuhov
2012-05-30when changing peer's address in the SA, remove the old entry from theMike Belopuhov
tree before doing the actual change, otherwise we won't remove anything for real. also add the newly created SA to the peer's tree so that initiator timer will treat the ike policy as "in progress".
2012-05-30pass a file descriptor in the msg_fd instead of a function argumentMike Belopuhov
2012-05-29improve timer framework; will be needed soonMike Belopuhov
2012-05-24don't increment the next expected message id when sending a response back.Mike Belopuhov
while it might look like a step backwards, this fixes up eap negotiation and bigger changes to this code are in the pipe anyways.
2012-05-23fixup from/to specificationMike Belopuhov
2012-05-23remove hardcoded values for esp and let ikev2_add_proposals decideMike Belopuhov
which proposals to include if protocol is not specified explicitely; allows iked to successfully negotiate ah.
2012-05-23factor out proposal matching code from ikev2_sa_negotiate and eliminateMike Belopuhov
the protoid argument as a first step towards successful ah negotiation; make code a bit more readable while here.
2012-05-08When setting up NAT-T notify payloads, make sure to supply anMike Belopuhov
actual source address so that a valid hash can be generated. Fixes a bug introduces some time ago that prevented iked from initiating if NAT-T wasn't disabled (via -T) and local address wasn't specified.
2012-05-08rename espxforms to ipsecxforms for clarityMike Belopuhov
2012-05-07fixup formatting in the generated filesMike Belopuhov
2012-05-07Sync up several defines with RFC 5996. IANA has changed the existingMike Belopuhov
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).
2012-04-24take a stab at documenting when arguments need quoted, and valid macroJason McIntyre
characters; prompted by a diff from robert peichaer org thanks gilles and henning for feedback ok deraadt zinke
2012-04-18undo an error introduced by myself in previous;Jason McIntyre
spotted by Sebastian Rother
2012-04-05rate-limit accepting of new connections while we are experiencingTheo de Raadt
fd exhaustion. ok mikeb
2012-03-24fix some leaksJonathan Gray
ok mikeb@
2011-09-03make -column lists pretty again;Jason McIntyre
specifically, rewrite them to permit some markup in the column headers, and use "Ta" instead of literal tabs; mandoc does not currently match groff 100%, but a mandoc fix may be some time off, and we've gone enough releases with poorly formatting column lists. in some cases i have rewritten the lists as -tag, where -column made little sense.
2011-08-27Under certain circumstances iked can be tricked to bypass a signatureMike Belopuhov
verification caused by the incorrect check of the EVP_VerifyFinal return value. Issue was discovered and reported by Justin Ferguson, justin-dot-ferguson-at-ioactive.com. Thanks! While here, check for HMAC_* return values. ok jsg, markus
2011-08-19as with other list types, column lists generally do not need a Pp/-compactJason McIntyre
construct; this also sidesteps what seems to be a problem with mandoc, in that "-column -compact" seems to mess up the formatting. thus these pages should now have their lists formatted nicely (i.e. correctly aligned and with indent applied); as a side note, the fact that headers are not properly marked up is another issue which will be addressed separately (a mandoc fix is needed, i think). i have fudged a few of these to mark up properly, since the workaround does make sense for some pages. as another side note, i haven;t fixed man7, as i need to prepare a separate diff for kristaps and ingo.
2011-07-05fix memcpy sizeof. found by jsg. ok deraadt krw mikebTed Unangst
2011-07-05Fix IKEV2_N_NO_ADDITIONAL_SAS notification by including the SPIMike Belopuhov
2011-07-03iked requires the same dh diff as isakmpd:Mike Belopuhov
When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves.
2011-05-27spacingReyk Floeter
2011-05-09bump copyrightReyk Floeter
2011-05-09rename functions in proc.c to proc_* and move some code from imsg_util.c toReyk Floeter
proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
2011-05-05Small tweak - add direct pointer to env instead of using an indirect one.Reyk Floeter
2011-05-05Move the proc.c-specific runtime state out of struct iked into a sub-struct.Reyk Floeter
This removes iked-specific stuff from proc.c.
2011-05-05rename iked_proc* to privsep_proc*. no functional change.Reyk Floeter