Age | Commit message | Author
---|---|---
2021-01-26 | Add support for RSA-PSS PKCS1 signatures. Don't enable them by default for now because of interoperability issues. ok patrick@ | tobhe
2021-01-24 | hmac-sha2-384 and hmac-sha2-512 are enabled by default. | tobhe
2021-01-23 | Fix typos. From Ryan Kavanagh ok patrick@ | tobhe
2021-01-21 | Handle NO_PROPOSAL_CHOSEN for CREATE_CHILD_SA. ok markus@ | tobhe
2021-01-21 | Add support for INVALID_KE_PAYLOAD in CREATE_CHILD_SA exchange. In the case of an invalid KE error, retry CREATE_CHILD_SA exchange with different group instead of restarting the full IKE handshake. ok markus@ | tobhe
2021-01-20 | Make sure to enforce matching dstid as initiator. Use policy lookup to make sure the negotiated SA matches the selected policy. ok patrick@ | tobhe
2021-01-18 | Sync SA configuration payload to new SA after IKE SA rekeying. | tobhe
2020-12-29 | getifaddrs() can return entries where ifa_addr is NULL. Check for this before accessing anything in ifa_addr. ok claudio@ | Sebastian Benoit
2020-12-28 | Add back keyword "any" to match any IP address, which actually works after recent fixes. | tobhe
2020-12-27 | Fix "any" and "dynamic" keywords for flows and add proper IPv6 support. For traffic selectors with a keyword on either 'from' or 'to' side, install flow with address family of the opposite side. If both source and destination address are keywords, install flows for both address families. The 'dynamic' keyword is special as it will only install flows for the address family of the dynamically assigned address (specified with the 'config address' option). ok patrick@ | tobhe
2020-12-22 | Log SPI with SPI_SH() wherever possible. | tobhe
2020-12-21 | Use policy_test() to reassign existing SAs to updated policies after 'ikectl reload'. This prevents initiation of new additional SAs for each policy every time the config is reloaded. ok patrick@ | tobhe
2020-12-20 | Don't leak ipsec_hosts when building hosts_list. ok patrick@ | tobhe
2020-12-17 | Use strtonum() instead of atoi() to parse port option. | tobhe
2020-12-17 | Sort command line options. ok bluhm@ | tobhe
2020-12-15 | Fix leak of REQUEST string. | tobhe
2020-12-13 | Make sure flow src and dst addresses have the same address family. ok patrick@ | tobhe
2020-12-11 | The keyword "any" does not actually work properly for traffic selectors. To match all traffic use 0.0.0.0/0 or ::/0. ok patrick@ | tobhe
2020-12-10 | Print valid ikesa/childsa configuration at startup. Comma-separated transforms are not supported. ok patrick@ | tobhe
2020-12-06 | Add support for RSASSA-PSS signature verification (RFC 7427). ok patrick@ | tobhe
2020-12-05 | Make len unsigned. ok patrick@ | tobhe
2020-12-04 | Log pfkey type and message length on write failure. | tobhe
2020-12-03 | Fix type mismatch. auth_method should be uint8_t. ok markus@ | tobhe
2020-12-02 | The skip steps must be set up for each attribute independently, otherwise the wrong rules might be skipped, e.g. if you have policies with different listen addresses that are not sorted by address family. ok patrick@ | tobhe
2020-12-01 | Don't log ESRCH as warning. | tobhe
2020-11-30 | We need to rekey every child SA (even if acquired): Otherwise we can get out of sync with the peer and the peer would keep on using the expired SA because the lifetime is not negotiated. ok patrick@ | tobhe
2020-11-29 | Add 'set stickyaddress' option. If this option is enabled, iked will try to assign the same 'config address' when an IKESA is negotiated with the DSTID of an existing IKESA. The original IKESA will be closed and the address will be transferred to the new IKESA. ok patrick@ | tobhe
2020-11-28 | Add support for multiple address pools. The parser already allows specifying multiple pools, make ikev2_cp_setaddr() iterate over the pools to find a matching address. ok patrick@ | tobhe
2020-11-27 | Remove redundant state change. ikev2_ikesa_delete() sets the correct state. | tobhe
2020-11-26 | Use a counter instead of random IV for AES-GCM. Security depends on choosing a unique IV for every encryption operation; using a counter as IV eliminates the risk of random collisions. ok markus@ patrick@ | tobhe
2020-11-25 | Fix proposal error handling. If a proposal contains an unknown transform type or id, ignore the proposal instead of failing the exchange. ok patrick@ | tobhe
2020-11-24 | Fix duplicate sa->sa_cp assignment. | tobhe
2020-11-23 | Ignore duplicate sigsha2 notify, don't fail the exchange. | tobhe
2020-11-22 | Fix comment typo. | tobhe
2020-11-21 | Clean up NATT hack. Pass 'frompeer' as parameter instead of manipulating msg header to get the correct addresses and spis. ok patrick@ | tobhe
2020-11-20 | add -s to synopsis and usage; -S before -s in options list; | Jason McIntyre
2020-11-20 | Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used. ok patrick@ | tobhe
2020-11-19 | More sa cleanup + constify. ok patrick@ | tobhe
2020-11-18 | Constify sa in ikev2_pld_eap(). The parser code must not change any sa or policy state, this should help make it clearer. ok patrick@ | tobhe
2020-11-17 | Remove redundant indirection via msg_parent. This is only needed in ikev2_pld_parse(). | tobhe
2020-11-16 | Reenable ikev2_init_auth() return value check. Make sure sa_stateok() returns 0 on error. This code path is taken multiple times until all requirements for sa_stateok() are met, so don't delete the SA because of a single failure. ok patrick@ | tobhe
2020-11-16 | Backout ikev2_init_auth() return check to fix regression with certificate authentication. Reported by Mark Patruck <mark (at) wrapped (dot) cx> | tobhe
2020-11-15 | Document new 'dynamic' keyword to create flows from or to a dynamically assigned address. | tobhe
2020-11-14 | Make sure not to replace 0.0.0.0 with dynamic address if it is a network address (addr_net is set). | tobhe
2020-11-13 | addr_net is already checked in ikev2_cp_setaddr() before setting sa_addrpool, so we don't need to re-check here. ok patrick@ | tobhe
2020-11-12 | Close SA if ikev2_init_auth() fails. ok markus@ | tobhe
2020-11-12 | Fail if ikev2_init_ike_auth() is entered with invalid state. | tobhe
2020-11-11 | Cleanup after proc_init() in proc_close(). | tobhe
2020-11-07 | Implement 'from dynamic', which installs flows where 'dynamic' is replaced with the received dynamic IP address. ok patrick@ | tobhe
2020-11-06 | Set correct netmask on patched addresses for debug printing. | tobhe
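The 2020-11-26 entry ("Use a counter instead of random IV for AES-GCM") states the rule but not what goes wrong when it is broken. The following is an added illustration, not iked's code: it uses a toy HMAC-SHA256 counter-mode keystream as a stand-in for the CTR core of AES-GCM (so it runs without any crypto library), shows that two messages encrypted under one key with the same nonce leak the XOR of their plaintexts, models the counter IV in the 4-byte-salt-plus-8-byte-IV nonce layout that RFC 4106 and RFC 5282 use for AES-GCM in ESP and IKEv2, and computes the birthday bound on a random 64-bit IV repeating. The class and function names and the salt and key values are the example's own.

```python
import hashlib
import hmac
import math
import os
import struct


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (HMAC-SHA256 over nonce || block index).

    Stand-in for the CTR keystream inside AES-GCM.  The property it shares with the
    real thing is the one that matters here: the keystream depends only on (key, nonce),
    so reusing a nonce under the same key reuses the keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def toy_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt by XORing the plaintext with the keystream (the confidentiality part of GCM)."""
    return bytes(p ^ k for p, k in zip(plaintext, toy_keystream(key, nonce, len(plaintext))))


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """What a passive observer computes from two ciphertexts that share (key, nonce).

    c1 XOR c2 == (p1 XOR ks) XOR (p2 XOR ks) == p1 XOR p2: the keystream cancels out.
    """
    c1 = toy_encrypt(key, nonce, p1)
    c2 = toy_encrypt(key, nonce, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


class CounterIV:
    """Per-key monotonic 64-bit IV; nonce = 4-byte salt || 8-byte IV (RFC 4106 / RFC 5282 layout).

    The salt comes from the SA keymat and is fixed for the key's lifetime; the IV is the
    only part that changes, and a counter makes every value distinct by construction.
    """

    def __init__(self, salt: bytes) -> None:
        if len(salt) != 4:
            raise ValueError("salt must be the 4 keymat bytes")
        self.salt = salt
        self.counter = 0

    def next_nonce(self) -> bytes:
        # Wrapping would repeat a nonce under the same key: the SA has to be rekeyed first.
        if self.counter > 0xFFFFFFFFFFFFFFFF:
            raise RuntimeError("IV counter exhausted; rekey the SA, never wrap")
        iv = struct.pack(">Q", self.counter)
        self.counter += 1
        return self.salt + iv


def random_iv_nonce(salt: bytes) -> bytes:
    """The replaced scheme: a fresh random 8-byte IV per message (correct only until it collides)."""
    return salt + os.urandom(8)


def random_iv_collision_probability(messages: int, iv_bits: int = 64) -> float:
    """Birthday bound on at least one repeated random IV after `messages` encryptions under one key."""
    return 1.0 - math.exp(-messages * (messages - 1) / 2.0 ** (iv_bits + 1))
```

With a 64-bit random IV the repeat probability is already about 39% after 2^32 messages, and one repeat is a full break of confidentiality for the two messages involved; real AES-GCM is worse than the toy, because a repeated nonce also exposes the GHASH key and with it the integrity of every later message. A counter never repeats until it wraps, which is why the generator above refuses to wrap rather than silently continue.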
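The 2020-12-27, 2020-12-13 and 2020-11-07 entries together describe how a 'from X to Y' selector with the 'any' or 'dynamic' keyword is turned into installed flows. The following is an added model of those rules in Python, written for this page and not taken from iked: a keyword on one side takes the address family of the literal on the other side, two keywords yield one flow per family, 'dynamic' is replaced by the assigned 'config address' as a host route and only yields flows for that address's family, and two literals of different families are rejected. The function names and the behaviour when no address has been assigned yet (no flow is installed) are the example's own assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
KEYWORDS = ("any", "dynamic")


def _wildcard(version: int) -> Net:
    """The 'match everything' network for an address family (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")


def expand_flow(src: str, dst: str, assigned: Optional[str] = None) -> List[Tuple[Net, Net]]:
    """Return the (src, dst) network pairs to install for one 'from SRC to DST' selector.

    src/dst are 'any', 'dynamic' or an address/prefix; `assigned` is the dynamically
    assigned 'config address' (None while nothing has been assigned yet).
    """
    sides = [s if s in KEYWORDS else ipaddress.ip_network(s, strict=False) for s in (src, dst)]
    literals = [s for s in sides if not isinstance(s, str)]

    # Two literal addresses must share an address family (2020-12-13 entry).
    if len(literals) == 2 and literals[0].version != literals[1].version:
        raise ValueError("flow src and dst must have the same address family")

    host: Optional[Net] = None
    if "dynamic" in sides:
        # 'dynamic' only yields flows for the family of the assigned address,
        # with the keyword replaced by that address as a host route (/32 or /128).
        if assigned is None:
            return []  # assumption: nothing to install before an address is assigned
        host = ipaddress.ip_network(assigned)
        families = [host.version]
    elif literals:
        # A keyword on one side takes the family of the literal on the other side.
        families = [literals[0].version]
    else:
        # 'any' on both sides: one flow per address family.
        families = [4, 6]

    flows: List[Tuple[Net, Net]] = []
    for version in families:
        resolved: List[Net] = []
        for side in sides:
            if side == "any":
                resolved.append(_wildcard(version))
            elif side == "dynamic":
                resolved.append(host)
            elif side.version == version:
                resolved.append(side)
            else:
                # literal side's family does not match the assigned address: no flow
                resolved = []
                break
        if len(resolved) == 2:
            flows.append((resolved[0], resolved[1]))
    return flows


def flow_strings(src: str, dst: str, assigned: Optional[str] = None) -> List[Tuple[str, str]]:
    """Same as expand_flow(), with the networks rendered as strings for display or comparison."""
    return [(str(a), str(b)) for a, b in expand_flow(src, dst, assigned)]
```

The last branch is the case the log calls out as special: 'from dynamic to 10.0.0.0/8' with an IPv6 address assigned installs nothing, because the only family 'dynamic' can produce is the assigned one and the literal side does not belong to it.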
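The 2021-01-21 entries describe the initiator's handling of INVALID_KE_PAYLOAD and NO_PROPOSAL_CHOSEN in CREATE_CHILD_SA: on an invalid KE error the child exchange is retried with the group the responder names, and the IKE SA is left alone. The following is an added Python model of that exchange with both sides present, written for this page and not iked's code. It carries the check RFC 7296 (section 2.7) requires of the initiator, namely that the group named in INVALID_KE_PAYLOAD is one it actually proposed, and bounds the retries so a responder that keeps answering INVALID_KE_PAYLOAD cannot loop it. The notify type values and DH group numbers are the IANA-registered ones; the responder models, function names and retry limit are the example's own.

```python
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# IKEv2 notify message types (RFC 7296, section 3.10.1)
NO_PROPOSAL_CHOSEN = 14
INVALID_KE_PAYLOAD = 17

# IANA IKEv2 Diffie-Hellman group numbers (Transform Type 4), a small subset
MODP_2048 = 14
ECP_256 = 19
CURVE25519 = 31

# A CREATE_CHILD_SA response is modelled as (notify type or None, group or None).
Response = Tuple[Optional[int], Optional[int]]
Responder = Callable[[Sequence[int], int], Response]


def honest_responder(acceptable: Sequence[int]) -> Responder:
    """Responder that insists on its most preferred group among those the initiator proposed."""

    def respond(proposed: Sequence[int], ke_group: int) -> Response:
        common = [g for g in acceptable if g in proposed]
        if not common:
            return (NO_PROPOSAL_CHOSEN, None)
        preferred = common[0]
        if ke_group != preferred:
            # KE payload carries a different group than the one selected: name the right one
            return (INVALID_KE_PAYLOAD, preferred)
        return (None, preferred)

    return respond


def pushy_responder(group_to_push: int) -> Responder:
    """Misbehaving responder: always answers INVALID_KE_PAYLOAD naming a group of its choosing."""

    def respond(proposed: Sequence[int], ke_group: int) -> Response:
        return (INVALID_KE_PAYLOAD, group_to_push)

    return respond


def create_child_sa(proposed: Sequence[int], responder: Responder, max_retries: int = 1) -> Dict:
    """Initiator side of CREATE_CHILD_SA: propose, and on INVALID_KE_PAYLOAD retry with the named group.

    Only the child exchange is repeated; nothing here touches the IKE SA.  `attempts`
    records the KE group sent in each request, so the caller can see what happened.
    """
    ke_group = proposed[0]
    attempts: List[int] = []
    for _ in range(max_retries + 1):
        attempts.append(ke_group)
        notify, group = responder(proposed, ke_group)
        if notify is None:
            return {"status": "established", "group": group, "attempts": attempts}
        if notify == NO_PROPOSAL_CHOSEN:
            return {"status": "failed", "reason": "NO_PROPOSAL_CHOSEN", "attempts": attempts}
        if notify == INVALID_KE_PAYLOAD:
            # RFC 7296 2.7: accept only a group we offered, and never the one just rejected
            if group not in proposed or group == ke_group:
                return {"status": "failed", "reason": "unacceptable group in INVALID_KE_PAYLOAD",
                        "attempts": attempts}
            ke_group = group
            continue
        return {"status": "failed", "reason": "unexpected notify %d" % notify, "attempts": attempts}
    return {"status": "failed", "reason": "retry limit reached", "attempts": attempts}
```

The honest case costs exactly one extra CREATE_CHILD_SA round trip and no IKE_SA_INIT; the two failure branches show why the group check matters: without it a responder could steer the initiator to a group it never configured, and without the retry bound it could keep it busy indefinitely.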