37ce25f4 | 09-May-2014 | markus <markus@openbsd.org>
    replace iked_transform pointer with xform id, since target of pointer might be freed (e.g. on ike sa rekey); ok mikeb@

86f93ed3 | 08-May-2014 | blambert <blambert@openbsd.org>
    match iked proc.c infrastructure with proc.c
    ok reyk@

54977822 | 07-May-2014 | markus <markus@openbsd.org>
    make authentication work with X509 certificates that don't have a subject-altname, i.e. support IKEV2_ID_ASN1_DN correctly; feedback & ok mikeb@

0cdab560 | 06-May-2014 | markus <markus@openbsd.org>
    change the create-child-sa responder code, so it does not store any state in the ikesa structure. this way we can initiate a create-child-sa and process requests for the peer at the same time. ok mikeb@

6e1880a3 | 06-May-2014 | markus <markus@openbsd.org>
    initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey events while we are busy initiating child-SAs; ok mikeb@

9be30034 | 06-May-2014 | markus <markus@openbsd.org>
    initial support for PFS; ok reyk@

b544cb80 | 06-May-2014 | markus <markus@openbsd.org>
    retire IKED_REQ_DELETE and fix delete parsing; ok reyk@

4a986ab9 | 29-Apr-2014 | markus <markus@openbsd.org>
    make sure the state machine only advances if the AUTH payload has been verified; with & ok mikeb@

bf556abc | 22-Apr-2014 | reyk <reyk@openbsd.org>
    Update iked to use the same proc.c that relayd uses. Fewer differences, less code to audit.
    ok mikeb@

d39d09fe | 10-Apr-2014 | reyk <reyk@openbsd.org>
    Add validation routines to ikev2_pld.c: For each payload type the overall header structure is checked for sanity before copying the header. Always pass down the number of remaining bytes in the payload or substructure so we can always ensure to not go beyond actual data. Also remove the quick parsing step as it does not provide a real benefit anymore.
    From Hans-Joerg Hoexer
    ok mikeb@ markus@

bb108424 | 21-Feb-2014 | markus <markus@openbsd.org>
    support rekeying for IPCOMP; ok mikeb@

43be1c05 | 17-Feb-2014 | markus <markus@openbsd.org>
    interpret 'config address net/prefix' as a pool of addresses and randomly choose the address for CFG_REQUEST. this address will be used to replace 0.0.0.0/32 in the specified flow. e.g.
        ikev2 passive esp from 192.168.1.0/24 to 0.0.0.0 \
            config address 192.168.10.200/24
    will assign an address between 192.168.10.200 and 192.168.10.254 and replace 0.0.0.0 with this address. ok mikeb@ on older version of this diff.

6d3b905b | 17-Feb-2014 | markus <markus@openbsd.org>
    basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'; ok mikeb@

3d042458 | 14-Feb-2014 | benno <benno@openbsd.org>
    remove unused function that distracts from cleaning up the imsg_flush() mess; ok krw, florian, henning

03f6ad09 | 14-Feb-2014 | markus <markus@openbsd.org>
    initial support for IPComp; still experimental and rekeying needs some work; ok mikeb@

e482ada4 | 24-Jan-2014 | markus <markus@openbsd.org>
    enable format-string checks for log_*(); ok mikeb

b3eeaceb | 24-Jan-2014 | mikeb <mikeb@openbsd.org>
    use a bit saner timer api

131966b1 | 22-Jan-2014 | markus <markus@openbsd.org>
    implement DPD similar to isakmpd, but only send DPD-messages 'on-demand' (less aggressive, only if the ESP-SAs are actually used); feedback & ok mikeb@

5dd59b3c | 09-Dec-2013 | markus <markus@openbsd.org>
    distinguish between sa_msgid not set and 0; otherwise we start dropping messages if we usually are the initiator and the peer initiates rekeying first. ok mikeb@

47d6a31c | 03-Dec-2013 | markus <markus@openbsd.org>
    never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr; this fixes an out-of-bounds memcpy in pfkey_process(); ok mikeb@

8a315063 | 28-Nov-2013 | markus <markus@openbsd.org>
    document sa_msgid & sa_reqid; ok mikeb@

a77120ea | 28-Nov-2013 | markus <markus@openbsd.org>
    support raw pubkey authentication w/o x509 certificates; mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@

2e9c6580 | 21-Nov-2013 | millert <millert@openbsd.org>
    Make the bit string u_char * in print_bits(). In practice we shouldn't have chars > 127 in these but it is better not to assume this. OK deraadt@

86cf9d9c | 14-Nov-2013 | markus <markus@openbsd.org>
    pass caller to ca_sslerror for better error messages; ok mikeb

fcebd35d | 08-Jan-2013 | reyk <reyk@openbsd.org>
    Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".