Commits on Aug 24, 2020
-
Check for automake versions within the last decade
As time goes by and new automake versions are released, have old versions drop off at the tail end. Arbitrarily pick a decade as the time window and have version 1.11 be the oldest version we explicitly check for.
-
Commits on Dec 3, 2019
-
Merge pull request #15 from puddingpimp/master
Initialise bignums in modp_init (Fix uninitialised bignum pointer)
-
Initialise bignums in modp_init (Fix uninitialised bignum pointer)
BN_hex2bin() will only create a new bignum if the pointer given to it is null, otherwise it assumes it is given an existing bignum to reuse. This was causing the ikev2 slave to crash every time on sa init for me.
Commits on Jan 26, 2019
Commits on Jan 25, 2019
Commits on Jan 20, 2019
-
marcel@brkt.com does not exist any more. Use marcel@FreeBSD.org instead.
-
Commits on Jan 19, 2019
Commits on Jan 6, 2019
-
mschap_auth_response() mschap_msk() mschap_nt_response()
Commits on Nov 16, 2018
-
Marcel Moolenaar committed
Nov 16, 2018
Commits on Nov 19, 2017
-
Fix RSA public key authentication, broken with change 69e8de5
Pointed out by: Brandon Bergren
Marcel Moolenaar committed Nov 19, 2017
Commits on Oct 1, 2017
-
Consistently prefer IP_RECVORIGDSTADDR over IP_RECVDSTADDR
On FreeBSD 12.x both IP_RECVORIGDSTADDR and IP_RECVDSTADDR are defined. When setting the socket options, we took IP_RECVORIGDSTADDR over IP_RECVDSTADDR, and when receiving a datagram from the socket, we took IP_RECVDSTADDR over IP_RECVORIGDSTADDR. Consequently, we didn't get the destination address and dropped the packet.
Marcel Moolenaar committed Oct 1, 2017
Commits on Sep 20, 2017
-
Better support intermediate CAs
Don't require to know or have all CAs in the chain. Instead, find the outer-most issuer we know that's in the CERTREQ and find a certificate chain that is rooted by that CA. Save the partial certificate chain in the SA and send them to the peer in as many CERT payloads as there are certificates in the (partial) chain. Similarly, collect all CERT payloads in a partial chain and use all the certificates to verify the leaf certificate. Save the partial chain in the same way we save our local cert.
Marcel Moolenaar committed Sep 20, 2017
Commits on Aug 31, 2017
-
Let's keep AES-GCM out of the default proposal
GCM doesn't need an integ xform and I don't think the current code works well when we really have disjoint proposals.
Marcel Moolenaar committed Aug 31, 2017
-
Add DH groups 19, 20 & 21 to the default IKE proposal
These groups are known as ECP-256, ECP-384 & ECP-521 (resp.)
Marcel Moolenaar committed Aug 31, 2017
-
Add SHA2-512 & SHA2-384 to the default IKE & IPsec SA xforms
Marcel Moolenaar committed Aug 31, 2017
-
Add AES-GCM-16 to the default ESP transforms
Marcel Moolenaar committed Aug 31, 2017
-
We can't just filter the transforms the kernel doesn't support. The proposal has the total number of transforms. As such, we need to first determine the total supported transforms and then add the transforms that are supported.
Marcel Moolenaar committed Aug 31, 2017
Commits on Apr 4, 2017
-
Map from IKE's xform Id to pfkey's algorithm Id when checking
against the kernel's list of supported algorithms. Also, when the xform length is 0, accept the xform if the algorithm has a fixed key length. The kernel will typically do the right thing when presented with a 0 length.
Marcel Moolenaar committed Apr 4, 2017
Commits on Apr 3, 2017
-
Save the supported algorithms and check proposals against them.
Marcel Moolenaar committed Apr 3, 2017
-
Add pfkey_supports_xform() and pfkey_process_supported()
This is the first step towards negotiating only those xforms that the kernel supports.
Marcel Moolenaar committed Apr 3, 2017
Commits on Mar 15, 2017
-
Add flow_precious to keep track of the flows we want to keep
in the kernel for lazy mode. The problem with using a negative value for flow_loaded is that it doesn't work when we have to consider that the flow may not have been loaded yet. This can happen when we receive a SA_INIT request before we initialized the SA.
Marcel Moolenaar committed Mar 15, 2017
Commits on Mar 3, 2017
-
Lower the SA replay window to 255 to avoid overflows on
FreeBSD.
Marcel Moolenaar committed Mar 3, 2017
-
Bump the SA replay window size from 64 to 512
Reasons for this are:
o A 64-packet window causes replay checks to fail under network load. A 256-packet window does not have this problem.
o At least 1 network vendor considers switching to 512, which leads me to think that 256 is borderline.
Marcel Moolenaar committed Mar 3, 2017
Commits on Feb 25, 2017
-
Merge branch 'event' of https://github.com/xcllnt/openiked into event
Marcel Moolenaar committed Feb 25, 2017