History log of /openbsd/sbin/iked/iked.h (Results 151 – 175 of 230)
Revision Date Author Comments
# 37ce25f4 09-May-2014 markus <markus@openbsd.org>

replace iked_transform pointer with xform id, since target of pointer
might be freed (e.g. on ike sa rekey); ok mikeb@


# 86f93ed3 08-May-2014 blambert <blambert@openbsd.org>

match iked proc.c infrastructure with proc.c

ok reyk@


# 54977822 07-May-2014 markus <markus@openbsd.org>

make authentication work with X509 certificates that don't have a
subject-altname, i.e. support IKEV2_ID_ASN1_DN correctly;
feedback & ok mikeb@


# 0cdab560 06-May-2014 markus <markus@openbsd.org>

change the create-child-sa responder code, so it does not store any
state in the ikesa structure. this way we can initiate a create-child-sa
and process requests for the peer at the same time. ok mikeb@


# 6e1880a3 06-May-2014 markus <markus@openbsd.org>

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 9be30034 06-May-2014 markus <markus@openbsd.org>

initial support for PFS; ok reyk@


# b544cb80 06-May-2014 markus <markus@openbsd.org>

retire IKED_REQ_DELETE and fix delete parsing; ok reyk@


# 4a986ab9 29-Apr-2014 markus <markus@openbsd.org>

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# bf556abc 22-Apr-2014 reyk <reyk@openbsd.org>

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# d39d09fe 10-Apr-2014 reyk <reyk@openbsd.org>

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


# bb108424 21-Feb-2014 markus <markus@openbsd.org>

support rekeying for IPCOMP; ok mikeb@


# 43be1c05 17-Feb-2014 markus <markus@openbsd.org>

interpret 'config address net/prefix' as a pool of addresses and
randomly choose the address for CFG_REQUEST. this address will be used
to replace 0.0.0.0/32 in the specified flow. e.g.
> ikev2 passive esp from 192.168.1.0/24 to 0.0.0.0 \
> config address 192.168.10.200/24
will assign an address between 192.168.10.200 and 192.168.10.254
and replace 0.0.0.0 with this address.
ok mikeb@ on older version of this diff.


# 6d3b905b 17-Feb-2014 markus <markus@openbsd.org>

basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'
ok mikeb@


# 3d042458 14-Feb-2014 benno <benno@openbsd.org>

remove unused function that distracts from cleaning up the imsg_flush() mess
ok krw, florian, henning


# 03f6ad09 14-Feb-2014 markus <markus@openbsd.org>

initial support for IPComp
still experimental and rekeying needs some work; ok mikeb@


# e482ada4 24-Jan-2014 markus <markus@openbsd.org>

enable format-string checks for log_*(); ok mikeb


# b3eeaceb 24-Jan-2014 mikeb <mikeb@openbsd.org>

use a bit saner timer api


# 131966b1 22-Jan-2014 markus <markus@openbsd.org>

implement DPD similar to isakmpd, but only send DPD-messages 'on-demand'
(less aggressive, only if the ESP-SAs are actually used);
feedback & ok mikeb@


# 5dd59b3c 09-Dec-2013 markus <markus@openbsd.org>

distinguish between sa_msgid not set and 0; otherwise we start
dropping messages if we usually are the initiator and the peer
initiates rekeying first. ok mikeb@


# 47d6a31c 03-Dec-2013 markus <markus@openbsd.org>

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 8a315063 28-Nov-2013 markus <markus@openbsd.org>

document sa_msgid & sa_reqid; ok mikeb@


# a77120ea 28-Nov-2013 markus <markus@openbsd.org>

support raw pubkey authentication w/o x509 certificates;
mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@


# 2e9c6580 21-Nov-2013 millert <millert@openbsd.org>

Make the bit string u_char * in print_bits(). In practice we
shouldn't have chars > 127 in these but it is better not to assume
this. OK deraadt@


# 86cf9d9c 14-Nov-2013 markus <markus@openbsd.org>

pass caller to ca_sslerror for better error messages; ok mikeb


# fcebd35d 08-Jan-2013 reyk <reyk@openbsd.org>

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

