Age | Commit message | Author
---|---|---
2011-08-19 | as with other list types, column lists generally do not need a Pp/-compact construct; this also sidesteps what seems to be a problem with mandoc, in that "-column -compact" seems to mess up the formatting. thus these pages should now have their lists formatted nicely (i.e. correctly aligned and with indent applied); as a side note, the fact that headers are not properly marked up is another issue which will be addressed separately (a mandoc fix is needed, i think). i have fudged a few of these to mark up properly, since the workaround does make sense for some pages. as another side note, i haven't fixed man7, as i need to prepare a separate diff for kristaps and ingo. | Jason McIntyre
2011-07-05 | fix memcpy sizeof. found by jsg. ok deraadt krw mikeb | Ted Unangst
2011-07-05 | Fix IKEV2_N_NO_ADDITIONAL_SAS notification by including the SPI | Mike Belopuhov
2011-07-03 | iked requires the same dh diff as isakmpd: When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves. | Mike Belopuhov
2011-05-27 | spacing | Reyk Floeter
2011-05-09 | bump copyright | Reyk Floeter
2011-05-09 | rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change. | Reyk Floeter
2011-05-05 | Small tweak - add direct pointer to env instead of using an indirect one. | Reyk Floeter
2011-05-05 | Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c. | Reyk Floeter
2011-05-05 | rename iked_proc* to privsep_proc*. no functional change. | Reyk Floeter
2011-05-02 | store the peer address as it was specified in the policy in the tree that is used to figure out whether the policy is active or not. makes active sa lookup via policy work for nat traversal. problem was reported and fix was tested by sthen, ok sthen, reyk | Mike Belopuhov
2011-04-18 | Improve the iked acquire mode peer <-> policy matching. This change picks the peer from the acquire message and allows to match masked peers in the policies like "peer any" or "peer 10.0.0.0/8" instead of requiring exactly matching peer specifications. ok mikeb@ | Reyk Floeter
2011-04-18 | When the kernel wants to acquire an SA for an unknown flow, lookup a matching policy and init a new IKE SA. This adds support for "acquire mode" from static flows. ok mikeb@ | Reyk Floeter
2011-04-15 | remove unused function ikev2_flows_delete() | Reyk Floeter
2011-01-28 | improve behavior of drop_sa: always negotiating a new child sa; ok reyk | Mike Belopuhov
2011-01-26 | Don't initiate any connections in passive mode, not even for ACQUIRE messages from the PFKEY socket. This is needed for sasyncd. ok mikeb@ | Reyk Floeter
2011-01-26 | get rid of acquire flows completely, as they tend to pass traffic when there's no sa established (as pointed out by reyk). instead use require mode feature to send acquires from the kernel. this allows us to get rid of the code that changes flow mode to acquire and keep all installed flows in the tree and save up on some code that deals with renegotiation. also several entities were renamed (iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas, ikev2_acquire -> ikev2_acquire_sa). ok reyk | Mike Belopuhov
2011-01-26 | enable child sas and do sa and flow transfer after succeeding with all the preparation steps. don't forget to change {flow,csa}_ikesa pointers when transferring to a different ike sa. ok reyk | Mike Belopuhov
2011-01-25 | fixup child sa deletion in drop_sa; ok reyk | Mike Belopuhov
2011-01-24 | fixup previous for the responder mode | Mike Belopuhov
2011-01-21 | repair rekeying by sending appropriate traffic selector; ok reyk | Mike Belopuhov
2011-01-21 | don't use memcmp on comparing two iked_addrs but IKED_ADDR_EQ. ok mikeb@ | Reyk Floeter
2011-01-21 | - Fix traffic selector configuration that it is always "from $localnet to $peernet" and not depending on the initiator/responder mode. - Remove the flow hash calculated but not used anymore. ok mikeb@ | Reyk Floeter
2011-01-21 | Remove misleading error message. ok mikeb@ | Reyk Floeter
2011-01-21 | don't create child sas from empty proposals. ok mikeb@ | Reyk Floeter
2011-01-21 | handle empty encrypted payloads (might happen with some informationals) ok mikeb@ | Reyk Floeter
2011-01-21 | tweak previous; | Jason McIntyre
2011-01-21 | Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details. The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code. ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@ | Reyk Floeter
2011-01-21 | split pfkey initialization into a privileged and unprivileged part to prevent a possible crash. ok mikeb@ | Reyk Floeter
2011-01-18 | reyk noticed that my rb-tree-fu is not that great. fixup compare function to do exact matches; ok reyk | Mike Belopuhov
2011-01-17 | silence stupid gcc warning by initializing a variable with NULL. | Reyk Floeter
2011-01-17 | Add initial acquire mode support and use it whenever Windows peers decide to drop Child SA based on the inactivity timer. In this case we instruct the kernel to send us an acquire message upon receiving a packet for those hosts and initiate a Child SA creation exchange ourselves. ok reyk | Mike Belopuhov
2011-01-17 | move mask2prefixlen functions to the util module; ok reyk | Mike Belopuhov
2011-01-12 | postpone processing of pfkey messages received in pfkey_reply instead of just dropping them; ok reyk | Mike Belopuhov
2011-01-12 | decouple flow deletion from the ikev2_childsa_delete; ok reyk | Mike Belopuhov
2011-01-12 | fixup bogus check; ok reyk | Mike Belopuhov
2011-01-12 | don't forget to specify spi sizes; ok reyk | Mike Belopuhov
2010-12-23 | pick netmask instead of address when we mean it; found by dhill, ok reyk | Mike Belopuhov
2010-12-23 | always add a none payload, should fix ike sa rekeying for responders; ok reyk | Mike Belopuhov
2010-12-22 | move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because it is too specific to be in util.c. This will allow to link util.c into ikectl later without all the other dependencies of print_id(). | Reyk Floeter
2010-12-22 | split util.c into two files: imsg_util.c for ibuf/imsg stuff and util for everything else. we might need to include util.c in ikectl later. sure mikeb@ | Reyk Floeter
2010-12-22 | ikev2 rfc was recently updated, so list the newer one; ok reyk | Mike Belopuhov
2010-12-22 | Tweak the grammar a little bit by requiring a "bytes" keyword before the bytes value ("lifetime 123 bytes 456" instead of "lifetime 123 456"). | Reyk Floeter
2010-12-22 | Fix a little control socket bug, as discussed with mikeb@ | Reyk Floeter
2010-12-22 | child sa rekeying revamp plus numerous bugfixes; with suggestions and OK from reyk | Mike Belopuhov
2010-12-21 | Convert netmask from sockaddr to prefixlen correctly as noticed by axel rau, axel dot rau at chaos1 dot de. The actual convert functions are taken from bgpd(8). OK reyk | Mike Belopuhov
2010-12-21 | fixup log_warn and log_debug arguments; ok reyk | Mike Belopuhov
2010-12-01 | Clarify the internal ibuf API: rename ibuf_copy() to ibuf_get() because it returns a new buffer from the internal read offset like stdio get functions do and not the same buffer when it is called multiple times. Also rename the old ibuf_get() to ibuf_getdata() because it returns a "special" data type and it matches the stdio get* conventions. pointed out by mikeb@ | Reyk Floeter
2010-11-29 | make key exchange faster by not checking the predefined groups with DH_check() ok mikeb@, djm@ | Markus Friedl
2010-11-17 | Allow the -D command line flag to actually define macros. ok mikeb@ reyk@ | Chris Kuethe