Date | Commit message | Author
---|---|---
2013-01-08 | Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!". | Reyk Floeter
2012-12-15 | Remove unused variables. | Reyk Floeter
2012-12-15 | Don't print an error if the process exited normally. | Reyk Floeter
2012-12-15 | Plug two memory leaks when cleaning up the dh/dsa crypto structures. | Reyk Floeter
2012-12-15 | Fix a very hidden but harmless overflow in the MSCHAPv2 code. | Reyk Floeter
2012-12-15 | Don't pass an uninitialized arg to ibuf_release(); initialize it to NULL. | Reyk Floeter
2012-12-15 | Don't dereference NULL pointers (and some cleanup here). | Reyk Floeter
2012-12-04 | remove some unnecessary sys/param.h inclusions | Theo de Raadt
2012-11-29 | use Nm instead of Xr to self; | Jason McIntyre
2012-11-29 | Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages. We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked. Thanks to Fernando Gont. ok mikeb@ | Reyk Floeter
2012-11-16 | promote some debug messages to warnings; ok reyk | Mike Belopuhov
2012-10-25 | Include the license and copyright notice in the generated files. | Reyk Floeter
2012-10-25 | Move the arrays of default IKE and ESP transforms into parse.y instead of generating them with genmap from ikev2.h. They're only really needed in parse.y and this diff also allows to simplify genmap.sh. | Reyk Floeter
2012-10-23 | Change the order of variables just to shrink the diff to the (not yet released) portable version a bit. No functional changes. | Reyk Floeter
2012-10-23 | Allow to overwrite a few more definitions like file paths from the Makefile. No functional change. | Reyk Floeter
2012-10-23 | Add a cast for input to inet_pton() to silence a possible but harmless compiler warning. | Reyk Floeter
2012-10-22 | tweak previous; | Jason McIntyre
2012-10-22 | Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500. Tested by mikeb@ and me. ok mikeb@ | Reyk Floeter
2012-10-11 | The RSA public keys will be found in a subdirectory of /etc/iked/ called "pubkeys" not "pubkey". Found by Michael Cardell "MC" Widerkrantz | Reyk Floeter
2012-10-09 | "If srcid is omitted, the default is to use the hostname of the local machine." This has been broken since the subjectAltName certificate check was introduced some time ago. Fix it by obtaining the hostname source Id in the certificate request code as well. ok mikeb@ | Reyk Floeter
2012-09-25 | Correct DPADD to not list libssl which is not used by iked. ok sthen@ mikeb@ | Brad Smith
2012-09-22 | last stage of rfc changes, using consistent Rs/Re blocks, and moving the references into a STANDARDS section; | Jason McIntyre
2012-09-18 | update email addresses to match reality. sure jsg@ mikeb@ | Reyk Floeter
2012-07-08 | if you use nitems() in userland, you must define it yourself. discussed with guenther | Theo de Raadt
2012-07-05 | when rekeying ike sa copy more info from the old one; fixes the last known iked inter-op problem with windows 7. | Mike Belopuhov
2012-07-03 | Improve the key derivation function to produce correct keying material when rekeying IKE SA as specified in section 2.18 of RFC5996. Makes Windows 7 clients a bit happier. | Mike Belopuhov
2012-07-02 | checking state flags makes sense only when processing a response | Mike Belopuhov
2012-07-02 | augment every sa_free call with a debugging log message | Mike Belopuhov
2012-07-02 | Don't close IKE SA immediately after creating a new one when rekeying. Instead set a timeout that will shut it down in case we don't get an SA delete notification. | Mike Belopuhov
2012-07-02 | a state machine is not worth the trouble when you've got a flag. doh! | Mike Belopuhov
2012-06-30 | enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP. ok mikeb@ | Christian Weisgerber
2012-06-29 | Add missing ESN bits | Mike Belopuhov
2012-06-27 | leftover code re-enqueued the same item on the list multiple times | Mike Belopuhov
2012-06-27 | prevent an endless loop | Mike Belopuhov
2012-06-26 | improve ikev2_msg_retransmit_timeout | Mike Belopuhov
2012-06-26 | close SA when IKE_SA_INIT or IKE_AUTH exchanges fail; don't cache the response to IKE_SA_INIT. | Mike Belopuhov
2012-06-26 | compare exchange types as well when looking up a message; proceed with a response only when the appropriate request is found. | Mike Belopuhov
2012-06-22 | Add initial support for retransmission timeouts and response retries. This should still be considered an experimental work in progress. | Mike Belopuhov
2012-06-22 | decouple timer initialization from timer_register | Mike Belopuhov
2012-06-04 | Rounding up the number of bytes in a bignum returned by BN_num_bytes() has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@ | Mike Belopuhov
2012-05-30 | more timer changes | Mike Belopuhov
2012-05-30 | when changing peer's address in the SA, remove the old entry from the tree before doing the actual change, otherwise we won't remove anything for real. also add the newly created SA to the peer's tree so that the initiator timer will treat the ike policy as "in progress". | Mike Belopuhov
2012-05-30 | pass a file descriptor in the msg_fd instead of a function argument | Mike Belopuhov
2012-05-29 | improve timer framework; will be needed soon | Mike Belopuhov
2012-05-24 | don't increment the next expected message id when sending a response back. while it might look like a step backwards, this fixes up eap negotiation and bigger changes to this code are in the pipe anyways. | Mike Belopuhov
2012-05-23 | fixup from/to specification | Mike Belopuhov
2012-05-23 | remove hardcoded values for esp and let ikev2_add_proposals decide which proposals to include if protocol is not specified explicitly; allows iked to successfully negotiate ah. | Mike Belopuhov
2012-05-23 | factor out proposal matching code from ikev2_sa_negotiate and eliminate the protoid argument as a first step towards successful ah negotiation; make code a bit more readable while here. | Mike Belopuhov
2012-05-08 | When setting up NAT-T notify payloads, make sure to supply an actual source address so that a valid hash can be generated. Fixes a bug introduced some time ago that prevented iked from initiating if NAT-T wasn't disabled (via -T) and local address wasn't specified. | Mike Belopuhov
2012-05-08 | rename espxforms to ipsecxforms for clarity | Mike Belopuhov
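The 2012-07-03 entry above refers to the IKE SA rekeying derivation in RFC 5996 section 2.18. The following is an added example, not iked's code, showing the difference between the IKE_SA_INIT derivation (section 2.14) and the rekey derivation (section 2.18), both fed through prf+ (section 2.13). It assumes PRF_HMAC_SHA2_256 as the PRF and AES-128 / HMAC-SHA2-256-128 key sizes for SK_e / SK_a; the nonces, Diffie-Hellman secrets and SPIs are constructed sample values, not a captured exchange, and the function names are the example's own.

```python
# Added example (not iked code): IKEv2 key derivation for the initial IKE SA
# and for an IKE SA rekey, per RFC 5996 sections 2.13, 2.14 and 2.18.
import hashlib
import hmac

# Assumed transforms: PRF_HMAC_SHA2_256, ENCR_AES_CBC with 128-bit keys,
# AUTH_HMAC_SHA2_256_128. Key lengths follow from those choices.
PRF_KEY_LEN = 32    # preferred key length of HMAC-SHA2-256 (RFC 4868)
ENC_KEY_LEN = 16    # AES-128
INTEG_KEY_LEN = 32  # HMAC-SHA2-256-128

KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
KEY_LENS = (PRF_KEY_LEN, INTEG_KEY_LEN, INTEG_KEY_LEN,
            ENC_KEY_LEN, ENC_KEY_LEN, PRF_KEY_LEN, PRF_KEY_LEN)


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S) with PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 5996 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n), n <= 255."""
    out = bytearray()
    t = b""
    n = 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ is limited to 255 output blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return bytes(out[:length])


def skeyseed_initial(ni: bytes, nr: bytes, g_ir: bytes) -> bytes:
    """IKE_SA_INIT (RFC 5996 2.14): SKEYSEED = prf(Ni | Nr, g^ir)."""
    return prf(ni + nr, g_ir)


def skeyseed_rekey(sk_d_old: bytes, g_ir_new: bytes, ni: bytes, nr: bytes) -> bytes:
    """IKE SA rekey (RFC 5996 2.18): SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr).

    The old SA's SK_d keys the PRF, which is what ties the new SA to the
    authenticated old one; Ni and Nr are the nonces of the CREATE_CHILD_SA
    exchange and g^ir (new) its fresh Diffie-Hellman secret."""
    return prf(sk_d_old, g_ir_new + ni + nr)


def derive_ike_keys(skeyseed: bytes, ni: bytes, nr: bytes,
                    spi_i: bytes, spi_r: bytes) -> dict:
    """{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr).

    Used unchanged for both the initial SA and the rekeyed SA (with the new
    SA's nonces and SPIs), only SKEYSEED is computed differently."""
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(KEY_LENS))
    keys = {}
    off = 0
    for name, ln in zip(KEY_NAMES, KEY_LENS):
        keys[name] = keymat[off:off + ln]
        off += ln
    return keys


# Constructed sample values (not from a real exchange).
NI_OLD, NR_OLD = b"\x11" * 32, b"\x22" * 32
SPI_I_OLD, SPI_R_OLD = b"\x01" * 8, b"\x02" * 8
G_IR_OLD = b"\xaa" * 32
NI_NEW, NR_NEW = b"\x33" * 32, b"\x44" * 32
SPI_I_NEW, SPI_R_NEW = b"\x03" * 8, b"\x04" * 8
G_IR_NEW = b"\xbb" * 32


def rekey_example():
    """Returns (old_keys, new_keys, wrong_keys): the initial SA's keys, the
    correctly rekeyed SA's keys, and what a peer computes if it wrongly
    reuses the IKE_SA_INIT formula on rekey (a guaranteed interop failure)."""
    old = derive_ike_keys(skeyseed_initial(NI_OLD, NR_OLD, G_IR_OLD),
                          NI_OLD, NR_OLD, SPI_I_OLD, SPI_R_OLD)
    new = derive_ike_keys(skeyseed_rekey(old["SK_d"], G_IR_NEW, NI_NEW, NR_NEW),
                          NI_NEW, NR_NEW, SPI_I_NEW, SPI_R_NEW)
    wrong = derive_ike_keys(skeyseed_initial(NI_NEW, NR_NEW, G_IR_NEW),
                            NI_NEW, NR_NEW, SPI_I_NEW, SPI_R_NEW)
    return old, new, wrong


if __name__ == "__main__":
    old, new, wrong = rekey_example()
    for name in KEY_NAMES:
        print(f"{name:5} old={old[name].hex()[:16]}... new={new[name].hex()[:16]}...")
    print("rekey with old SK_d matches initial-style derivation:", new == wrong)
```

The point of the two SKEYSEED functions is that everything after SKEYSEED is identical; an implementation that gets the rekey case wrong typically does so by deriving SKEYSEED without the old SK_d, and the peer then computes different SK_e/SK_a and rejects every subsequent message on the new SA.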
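The 2012-06-04 entry above (EC point conversion and BN_num_bytes()) describes a classic encoding pitfall: an IKEv2 KE payload for an ECP group carries X || Y with each coordinate padded to the field size (RFC 5903), but BN_num_bytes() returns the minimal length and drops leading zero bytes. The following is an added example, not iked's code, that reproduces the bug with a minimal-length encoder next to the fixed-length encoder the commit describes (lengths inferred from the group, target buffer zeroed, values copied right-aligned). The group is assumed to be NIST P-256 and the coordinates are constructed values, not an actual curve point; the function names are the example's own.

```python
# Added example (not iked code): fixed-length EC point encoding for an IKEv2
# KE payload versus the BN_num_bytes()-driven encoding that breaks on
# coordinates with leading zero bytes.

P256_FIELD_BITS = 256  # assumed ECP group (NIST P-256, IKEv2 group 19)


def bn_num_bytes(n: int) -> int:
    """Same answer as OpenSSL's BN_num_bytes(): minimal length, leading zeros dropped."""
    return (n.bit_length() + 7) // 8


def component_len(field_bits: int) -> int:
    """Per-coordinate length inferred from the group's field size, not from the value."""
    return (field_bits + 7) // 8


def encode_point_naive(x: int, y: int) -> bytes:
    """Buggy: each coordinate gets BN_num_bytes() bytes. If X has a leading zero
    byte, Y shifts left and the whole payload is one byte short, so the peer
    splits it at the wrong offset and derives a different shared secret."""
    return x.to_bytes(bn_num_bytes(x), "big") + y.to_bytes(bn_num_bytes(y), "big")


def encode_point_fixed(x: int, y: int, field_bits: int = P256_FIELD_BITS) -> bytes:
    """Correct: zero a 2*n byte buffer and copy each coordinate right-aligned into
    its n-byte slot, so short values keep their leading zero bytes."""
    n = component_len(field_bits)
    if bn_num_bytes(x) > n or bn_num_bytes(y) > n:
        raise ValueError("coordinate does not fit the group's field size")
    buf = bytearray(2 * n)          # zeroed target buffer; pad bytes stay zero
    xb = x.to_bytes(bn_num_bytes(x), "big")
    yb = y.to_bytes(bn_num_bytes(y), "big")
    buf[n - len(xb):n] = xb
    buf[2 * n - len(yb):2 * n] = yb
    return bytes(buf)


def decode_point(blob: bytes, field_bits: int = P256_FIELD_BITS):
    """Receiver side: split at the fixed midpoint and reject any other length
    instead of guessing where Y starts."""
    n = component_len(field_bits)
    if len(blob) != 2 * n:
        raise ValueError(f"KE data must be {2 * n} bytes for this group, got {len(blob)}")
    return int.from_bytes(blob[:n], "big"), int.from_bytes(blob[n:], "big")


# Constructed coordinates (not a point on P-256): X's top byte is zero,
# so BN_num_bytes(X) == 31 while the field size needs 32.
SAMPLE_X = (1 << 247) | 0x1234
SAMPLE_Y = (1 << 255) | 0x5678


if __name__ == "__main__":
    naive = encode_point_naive(SAMPLE_X, SAMPLE_Y)
    fixed = encode_point_fixed(SAMPLE_X, SAMPLE_Y)
    print("naive length:", len(naive), " fixed length:", len(fixed))
    print("fixed round-trips:", decode_point(fixed) == (SAMPLE_X, SAMPLE_Y))
    try:
        decode_point(naive)
    except ValueError as e:
        print("naive rejected by strict decoder:", e)
```

About one coordinate in 256 has a zero leading byte, which is why this kind of bug shows up as a rare, non-reproducible negotiation failure rather than a consistent one; a decoder that checks the exact length, as above, at least turns it into a clean error instead of a silently wrong shared secret.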