Age | Commit message | Author
---|---|---
2012-10-11 | The RSA public keys will be found in a subdirectory of /etc/iked/ called "pubkeys" not "pubkey". Found by Michael Cardell "MC" Widerkrantz | Reyk Floeter
2012-10-09 | "If srcid is omitted, the default is to use the hostname of the local machine." This has been broken when the subjectAltName certificate check was introduced some time ago. Fix it by obtaining the hostname source Id in the certificate request code as well. ok mikeb@ | Reyk Floeter
2012-09-25 | Correct DPADD to not list libssl which is not used by iked. ok sthen@ mikeb@ | Brad Smith
2012-09-22 | last stage of rfc changes, using consistent Rs/Re blocks, and moving the references into a STANDARDS section; | Jason McIntyre
2012-09-18 | update email addresses to match reality. sure jsg@ mikeb@ | Reyk Floeter
2012-07-08 | if you use nitems() in userland, you must define it yourself. discussed with guenther | Theo de Raadt
2012-07-05 | when rekeying ike sa copy more info from the old one; fixes the last known iked inter-op problem with windows 7. | Mike Belopuhov
2012-07-03 | Improve the key derivation function to produce correct keying material when rekeying IKE SA as specified in the section 2.18 of RFC5996. Makes Windows 7 clients a bit happier. | Mike Belopuhov
2012-07-02 | checking state flags makes sense only when processing a response | Mike Belopuhov
2012-07-02 | augment every sa_free call with a debugging log message | Mike Belopuhov
2012-07-02 | Don't close IKE SA immediately after creating a new one when rekeying. Instead set a timeout that will shut it down in case we don't get an SA delete notification. | Mike Belopuhov
2012-07-02 | a state machine is not worth the trouble when you've got a flag. doh! | Mike Belopuhov
2012-06-30 | enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP. ok mikeb@ | Christian Weisgerber
2012-06-29 | Add missing ESN bits | Mike Belopuhov
2012-06-27 | leftover code re-enqueued the same item on the list multiple times | Mike Belopuhov
2012-06-27 | prevent an endless loop | Mike Belopuhov
2012-06-26 | improve ikev2_msg_retransmit_timeout | Mike Belopuhov
2012-06-26 | close SA when IKE_SA_INIT or IKE_AUTH exchanges fail; don't cache the response to IKE_SA_INIT. | Mike Belopuhov
2012-06-26 | compare exchange types as well when looking up a message; proceed with a response only when the appropriate request is found. | Mike Belopuhov
2012-06-22 | Add initial support for retransmission timeouts and response retries. This should still be considered an experimental work in progress. | Mike Belopuhov
2012-06-22 | decouple timer initialization from timer_register | Mike Belopuhov
2012-06-04 | Rounding up a number of bytes in a bignum returned by the BN_num_bytes() has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@ | Mike Belopuhov
2012-05-30 | more timer changes | Mike Belopuhov
2012-05-30 | when changing peer's address in the SA, remove the old entry from the tree before doing the actual change, otherwise we won't remove anything for real. also add the newly created SA to the peer's tree so that initiator timer will treat the ike policy as "in progress". | Mike Belopuhov
2012-05-30 | pass a file descriptor in the msg_fd instead of a function argument | Mike Belopuhov
2012-05-29 | improve timer framework; will be needed soon | Mike Belopuhov
2012-05-24 | don't increment the next expected message id when sending a response back. while it might look like a step backwards, this fixes up eap negotiation and bigger changes to this code are in the pipe anyways. | Mike Belopuhov
2012-05-23 | fixup from/to specification | Mike Belopuhov
2012-05-23 | remove hardcoded values for esp and let ikev2_add_proposals decide which proposals to include if protocol is not specified explicitly; allows iked to successfully negotiate ah. | Mike Belopuhov
2012-05-23 | factor out proposal matching code from ikev2_sa_negotiate and eliminate the protoid argument as a first step towards successful ah negotiation; make code a bit more readable while here. | Mike Belopuhov
2012-05-08 | When setting up NAT-T notify payloads, make sure to supply an actual source address so that a valid hash can be generated. Fixes a bug introduced some time ago that prevented iked from initiating if NAT-T wasn't disabled (via -T) and local address wasn't specified. | Mike Belopuhov
2012-05-08 | rename espxforms to ipsecxforms for clarity | Mike Belopuhov
2012-05-07 | fixup formatting in the generated files | Mike Belopuhov
2012-05-07 | Sync up several defines with RFC 5996. IANA has changed the existing IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK). | Mike Belopuhov
2012-04-24 | take a stab at documenting when arguments need to be quoted, and valid macro characters; prompted by a diff from robert peichaer org. thanks gilles and henning for feedback. ok deraadt zinke | Jason McIntyre
2012-04-18 | undo an error introduced by myself in previous; spotted by Sebastian Rother | Jason McIntyre
2012-04-05 | rate-limit accepting of new connections while we are experiencing fd exhaustion. ok mikeb | Theo de Raadt
2012-03-24 | fix some leaks. ok mikeb@ | Jonathan Gray
2011-09-03 | make -column lists pretty again; specifically, rewrite them to permit some markup in the column headers, and use "Ta" instead of literal tabs; mandoc does not currently match groff 100%, but a mandoc fix may be some time off, and we've gone enough releases with poorly formatted column lists. in some cases i have rewritten the lists as -tag, where -column made little sense. | Jason McIntyre
2011-08-27 | Under certain circumstances iked can be tricked to bypass a signature verification caused by the incorrect check of the EVP_VerifyFinal return value. Issue was discovered and reported by Justin Ferguson, justin-dot-ferguson-at-ioactive.com. Thanks! While here, check for HMAC_* return values. ok jsg, markus | Mike Belopuhov
2011-08-19 | as with other list types, column lists generally do not need a Pp/-compact construct; this also sidesteps what seems to be a problem with mandoc, in that "-column -compact" seems to mess up the formatting. thus these pages should now have their lists formatted nicely (i.e. correctly aligned and with indent applied); as a side note, the fact that headers are not properly marked up is another issue which will be addressed separately (a mandoc fix is needed, i think). i have fudged a few of these to mark up properly, since the workaround does make sense for some pages. as another side note, i haven't fixed man7, as i need to prepare a separate diff for kristaps and ingo. | Jason McIntyre
2011-07-05 | fix memcpy sizeof. found by jsg. ok deraadt krw mikeb | Ted Unangst
2011-07-05 | Fix IKEV2_N_NO_ADDITIONAL_SAS notification by including the SPI | Mike Belopuhov
2011-07-03 | iked requires the same dh diff as isakmpd: When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves. | Mike Belopuhov
2011-05-27 | spacing | Reyk Floeter
2011-05-09 | bump copyright | Reyk Floeter
2011-05-09 | rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change. | Reyk Floeter
2011-05-05 | Small tweak - add direct pointer to env instead of using an indirect one. | Reyk Floeter
2011-05-05 | Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c. | Reyk Floeter
2011-05-05 | rename iked_proc* to privsep_proc*. no functional change. | Reyk Floeter