src - OpenBSD base system

Age	Commit message (Collapse)	Author
2020-11-05	Enable support for ASN1_DN ipsec identifiers.	Peter Hessler
	Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked as the server. OK tobhe@ sthen@ kn@
2020-11-04	Add check for static id size.	tobhe
	ok patrick@
2020-11-03	Add 'any' keyword for request to allow 'request address any'.	tobhe

2020-11-01	Add 'dynamic' keyword to configure flows to dynamically assigned addresses.	tobhe
	The keyword is replaced at runtime with the address assigned from the pool in 'config address'. ok patrick@
2020-10-30	Add missing bits to make 'request addr 0.0.0.0' accept ANY dynamic address.	tobhe

2020-10-30	style(9)	tobhe

2020-10-30	Whitespace fixes.	tobhe

2020-10-30	Fix key payload size. Use size from new SA.	tobhe

2020-10-29	Add initial support to request IP addresses as IKEv2 initiator.	tobhe
	At the moment the address is only negotiated and printed to the log. If 'request addr 0.0.0.0' is configured, any address will be accepted. ok patrick@
2020-10-28	Refactor parts of the dh_* API.	tobhe
	ok patrick@
2020-10-24	Don't modify sa in ikev2_pld_cp. Store cp_type in msg until message has	tobhe
	passed all checks. ok patrick@
2020-10-22	Handle NO_PROPOSAL_CHOSEN for initiator in IKE_SA_INIT exchange.	tobhe
	This NOTIFY payload is not encryted, remove check. ok patrick@
2020-10-22	Add missing break.	tobhe
	ok patrick@
2020-10-21	Remove SAs from ike_dstid_sas on 'ikectl reset sa' to prevent use after free.	tobhe
	Found by csszep <csszep (at) gmail (dot) com> ok patrick@
2020-10-19	Handle NO_PROPOSAL_CHOSEN as IKE_AUTH initiator.	tobhe
	ok markus@
2020-10-09	More unused headers.	tobhe

2020-10-09	Remove unused "wait.h" includes.	tobhe

2020-10-06	Always allocate hash_keylength() for buffers passed to hash_final() to	tobhe
	make sure there is enough space for the non truncated hash output.
2020-10-05	Only handle AUTHENTICATION_FAILED for IKE_AUTH and INFORMATIONAL exchanges.	tobhe
	Reply to INFORMATIONAL messages with AUTHENTICATION_FAILED before deleting the SA. ok markus@
2020-10-03	React to DELETE notifications only in INFORMATIONAL messages	tobhe
	and move the logic closer to the other INFORMATIONAL payloads. Add some more sanity checks while we're at it. ok patrick@
2020-10-02	Send AUTH_FAILED in ikev2_ike_auth_recv() if the message did not contain	tobhe
	an AUTH payload and the policy does not use EAP authentication. ok patrick@
2020-10-01	Skip DELETE payload responses only after they are validated.	tobhe
	ok patrick@
2020-09-30	Don't accept AUTH payloads with invalid auth_method 0.	tobhe
	Fixes duplicate AUTH payload detection. ok patrick@
2020-09-30	Don't accept ID payloads with ID type IKEV2_ID_NONE.	tobhe
	0 is not a valid type and triggers undesired edge cases. ok patrick@
2020-09-30	Don't leak sa->sa_peerauth.id_buf.	tobhe
	ok patrick@
2020-09-29	Check ibuf_seek() return value.	tobhe
	ok patrick@
2020-09-26	Cleanup msg_eap in ikev2_msg_cleanup().	tobhe

2020-09-25	Simplify RB_TREE cleanup loops.	tobhe
	ok markus@
2020-09-24	Cleanup logging, print SPIs where it makes sense.	tobhe

2020-09-23	Add new 'set cert_partial_chain' config option to allow verification of	tobhe
	partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/. ok patrick@
2020-09-21	Fix reassembly of out-of-order fragments. Always take the nextpld field	tobhe
	from the IKE header of fragment #1, not the first received fragment. ok patrick@
2020-09-19	Add SHA2_384 and SHA2_512 to default proposals.	tobhe
	ok patrick@
2020-09-18	Fix memory leak in 'n->name'.	tobhe

2020-09-17	Set retransmit timeout for DELETE message on the replaced SA, not on	tobhe
	the replacement. ok markus@
2020-09-17	Do not send DELETE messages for closing SAs.	tobhe
	ok markus@
2020-09-17	Merge IKEV2_EXCHANGE_CREATE_CHILD_SA and IKEV2_EXCHANGE_INFORMATIONAL	tobhe
	cases.
2020-09-16	Move all the EAP logic from a single branch in the message parsing code to	tobhe
	somewhere past successful message verification, closer to where the other exchanges are handled. EAP is stll special, but this fits a lot better into the overall architecture. Tested with iOS, Stronswan and Windows ok patrick@ sthen@
2020-09-16	Fix EAP authentication if the initiator sends no certificate	tobhe
	request. The locally configured request is used as fallback to find a certificate or key to send. The local auth method for MSCHAP-V2 should be IKEV2_AUTH_SIG_ANY, which defaults to X509 certificates, instead of raw rsa keys. Tested with Strongswan, iPhone and Windows Found by and ok sthen@ ok patrick@
2020-09-09	Delete dead code.	tobhe

2020-09-08	Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matching	tobhe
	the CERTREQ is found, don't wait for more requests. Correctly set type if cert was found as fallback. ok patrick@
2020-09-06	Drop redundant else for readability.	tobhe

2020-09-05	Use peer from policy, not from the acquire message.	tobhe

2020-09-05	Initialize flow_dir and flow_saproto so policy_test() can find the policy	tobhe
	on acquire.
2020-09-04	INFORMATIONAL and CREATE_CHILD_SA exchanges cannot be initiated at the	tobhe
	same time.
2020-09-03	Log OCSP url on connection failure.	tobhe

2020-09-02	Add 30s timeout for OCSP requests.	tobhe
	ok patrick@
2020-09-01	Log SPIs to make it easier to map OCSP messages to SAs.	tobhe

2020-09-01	Make OCSP response status logging less verbose.	tobhe

2020-08-31	Do not register a read/write callback on fd -1 (e.g. if connection failed).	tobhe

2020-08-31	Both ocsp_req_ctx and ocsp_req must be freed. Don't free ocsp_id as it	tobhe
	is owned by ocsp_req and is cleaned up automatically.