Age | Commit message | Author
---|---|---
2010-06-27 | fix the length check for ASN1_ID Ids. | Reyk Floeter
2010-06-27 | Verify that the subjectAltName extension is present and matches the peer Id if the Id type is not ASN1_DN. If it is ASN1_DN, compare it with the certificate subjectName (DN). This prevents the peer from using an arbitrary peer Id (it is signed by the CA in the cert) and qualifies the optional pf tag. | Reyk Floeter
2010-06-27 | Instead of modifying and fiddling with the IKE SA in the payload parsing routines directly, first parse the message and save the parsed elements in the temporary message struct before validating the information and taking any other actions on the actual SA. This needs more testing, but is the cleaner and better approach. | Reyk Floeter
2010-06-27 | print the required bits as a string | Reyk Floeter
2010-06-27 | cycle static buffers in print_bits() | Reyk Floeter
2010-06-26 | malloc/strlcpy -> strdup. Apparently I forgot to commit this one with the similar changes to dhcpd. | Kenneth R Westerback
2010-06-26 | Whitespace. | Kenneth R Westerback
2010-06-26 | revert the files that have been accidentally committed with my previous parse.y change. | Reyk Floeter
2010-06-26 | Add a way to enable and set the keepalive parameters for gre(4). OK deraadt, reyk | Claudio Jeker
2010-06-26 | mixing any (AF_UNSPEC) with AF_INET/INET6 is not an address family mismatch | Reyk Floeter
2010-06-26 | Include the Id type in the generated SA tag that is passed to the kernel, just like isakmpd does it. Unlike isakmpd, the Id type is printed in capital letters, e.g. FQDN/foo.example.com, because it is using the existing print_map() API. For consistency, rename a few Id types in grammar and code from the RFC names to the OpenBSD-style names, including RFC822_ADDR to UFQDN, IPV4_ADDR to just IPV4, DER_ASN1_DN to ASN1_DN etc. | Reyk Floeter
2010-06-26 | allow a user to set a -c count of 0. while here, change ping6 to use strtonum instead of strtol. OK claudio@ | Peter Hessler
2010-06-25 | remove -m (merge). it is violating the transactional model we have and made stronger in pf, it is broken in some cases and since some options are passed to the kernel while some are userland only and affect how the rules are parsed it is complete bullshit anyway - obviously, changing options that affect ruleset parsing without reloading and thus reparsing the ruleset cannot work. so stop pretending it could and cut the crap. ok dlg krw deraadt | Henning Brauer
2010-06-24 | unbreak the ikectl log verbose/brief commands. | Reyk Floeter
2010-06-23 | rename the ec groups to either ec2n or ecp (e.g. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better. | Reyk Floeter
2010-06-23 | further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well. | Reyk Floeter
2010-06-22 | rename devname->devicename to prevent shadowing devname(3). ok marco jsing | Darren Tucker
2010-06-18 | Make bioctl(8) disklabel UID friendly by attempting to open the device using opendev(3) first and then trying /dev/bio if that failed. Also use opendev(3) when getting device numbers for softraid. ok marco@ | Joel Sing
2010-06-15 | When fsck_ffs is used with disklabel UIDs the hot root test fails in blockcheck() since we try to stat() the UID. This means that we fail to reload the mount if we have indeed cleaned the read-only root file system. To avoid this, rerun blockcheck() if the real name is different to the original device name, once we have opened the device with opendev(3). ok krw@ thib@ | Joel Sing
2010-06-15 | fix keyword sort order | Reyk Floeter
2010-06-15 | only compare the SPIi in the SA tree | Reyk Floeter
2010-06-14 | check if cert is available and valid | Reyk Floeter
2010-06-14 | Initiator mode with certificates; needs more work but works. | Reyk Floeter
2010-06-14 | Initial support for initiator mode which allows running iked as a "client" or configuring iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs. It currently only supports psk (pre-shared keys) and no certificates, doesn't do any rekeying or SA timeouts, and needs more cleanup. So it is not quite production ready yet - but ready for simple tests... | Reyk Floeter
2010-06-14 | the ikesa prf config option is currently broken | Reyk Floeter
2010-06-14 | fix block length for AES | Reyk Floeter
2010-06-14 | fix EAP responder mode | Reyk Floeter
2010-06-14 | NAT detection again: make it work in initiator and responder mode | Reyk Floeter
2010-06-14 | remove policy lookup debug message | Reyk Floeter
2010-06-14 | NAT detection with SPIr is always 0 | Reyk Floeter
2010-06-14 | restructure code a bit to move closer to initiator mode: - split responder/initiator-specific code into different functions and use shared functions for common stuff. - first parse the received message and store information in the temporary message struct instead of modifying the ike sa in the parsing code directly. | Reyk Floeter
2010-06-14 | cleanup messages and parsed information correctly | Reyk Floeter
2010-06-14 | add define for saproto 0 | Reyk Floeter
2010-06-14 | More code for initiator mode (not finished yet) | Reyk Floeter
2010-06-11 | add some infrastructure to support timers and initiator mode later. | Reyk Floeter
2010-06-11 | tweak the code slightly so we can remove -lssl. ok reyk@ | Jonathan Gray
2010-06-10 | don't print keywords as underlined arguments. | Reyk Floeter
2010-06-10 | update usage() | Reyk Floeter
2010-06-10 | Add the -S flag which does the same as "set passive" but matches the isakmpd flag. | Reyk Floeter
2010-06-10 | move a bzero of the x509 store context higher up so the cert validation does something useful. ok reyk@ | Jonathan Gray
2010-06-10 | add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet. | Reyk Floeter
2010-06-10 | Add another tree to lookup policy SAs by peer address. | Reyk Floeter
2010-06-10 | simplify the pfkey code by adding a pfkey_write() function | Reyk Floeter
2010-06-10 | small fix for sockaddr_cmp() | Reyk Floeter
2010-06-10 | i don't like splitting source code in too many source files but ikev2.c has grown too large, so split it in 3 files and rename a few functions to organize the code a bit better. | Reyk Floeter
2010-06-10 | only call RB_REMOVE once when removing an SA. | Reyk Floeter
2010-06-09 | add missing headers needed for opendev() and close(). ok jsing@ krw@ | Charles Longeau
2010-06-07 | $OpenBSD$ ok claudio@ | Jonathan Gray
2010-06-07 | Oops, an unused prototype sneaked into ifconfig. Found by jsg@ | Claudio Jeker
2010-06-07 | switch iked pki files to /etc/iked, discussed with reyk. | Jonathan Gray