Commits on Aug 24, 2020

  1. Check for automake versions within the last decade

    As time goes by and new automake versions are released, have old
    versions drop off at the tail end. Arbitrarily pick a decade as
    the time window and have version 1.11 be the oldest version we
    explicitly check for.
    xcllnt committed Aug 24, 2020

Commits on Dec 3, 2019

  1. Merge pull request #15 from puddingpimp/master

    Initialise bignums in modp_init (Fix uninitialised bignum pointer)
    xcllnt committed Dec 3, 2019
  2. Initialise bignums in modp_init (Fix uninitialised bignum pointer)

    BN_hex2bin() will only create a new bignum if the pointer given to it is null,
    otherwise it assumes it is given an existing bignum to reuse.
    
    This was causing the ikev2 slave to crash every time on sa init for me.
    puddingpimp committed Dec 3, 2019
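The allocation contract behind this fix, as an added example that is not the project's code: OpenSSL's BN_hex2bn(BIGNUM **a, const char *str) creates a new BIGNUM only when *a is NULL and otherwise writes into the object *a already points to, so an init routine that never clears its pointers hands the function a stray address. The example does not link OpenSSL; a toy struct num stands in for BIGNUM, and hex2num, modp_init, modp_free and the struct layouts are assumptions made here to show the pattern.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a bignum: little-endian bytes plus a length. Not
 * OpenSSL's BIGNUM; it exists only so the allocation contract can be shown. */
struct num {
    unsigned char b[64];
    size_t len;
};

/* Same contract as OpenSSL's BN_hex2bn(BIGNUM **a, const char *str): when
 * *out is NULL a fresh object is allocated and stored there, otherwise the
 * object *out already points to is overwritten. A caller that passes a
 * pointer it never set gets the second branch with a garbage address. */
static bool hex2num(struct num **out, const char *hex)
{
    size_t n = strlen(hex);
    if (n == 0 || n > 128)                 /* 64 bytes = 128 hex digits */
        return false;
    if (*out == NULL) {
        *out = calloc(1, sizeof **out);
        if (*out == NULL)
            return false;
    }
    struct num *r = *out;
    memset(r->b, 0, sizeof r->b);
    r->len = 0;
    for (size_t i = 0; i < n; i++) {       /* least significant digit first */
        char c = hex[n - 1 - i];
        int v;
        if (c >= '0' && c <= '9') v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else return false;
        r->b[i / 2] |= (unsigned char)(v << (4 * (i % 2)));
    }
    r->len = (n + 1) / 2;
    return true;
}

/* A MODP group: prime p and generator g, as the hypothetical modp_init
 * below sets them up from hex strings. */
struct modp {
    struct num *p;
    struct num *g;
};

/* Fixed shape of the init routine: clear the pointers before the first
 * hex2num call so it takes the allocate branch. Without these two
 * assignments, a struct modp living in uninitialised memory hands
 * hex2num a stray address to write through, which is the crash the
 * commit describes. */
static bool modp_init(struct modp *mp, const char *p_hex, const char *g_hex)
{
    mp->p = NULL;
    mp->g = NULL;
    if (!hex2num(&mp->p, p_hex) || !hex2num(&mp->g, g_hex)) {
        free(mp->p);
        free(mp->g);
        mp->p = mp->g = NULL;
        return false;
    }
    return true;
}

static void modp_free(struct modp *mp)
{
    free(mp->p);
    free(mp->g);
    mp->p = mp->g = NULL;
}
```

The property worth checking is that modp_init works on a struct whose memory was deliberately filled with junk beforehand, and that a second hex2num call on an already-set pointer reuses the same object instead of allocating a new one.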

Commits on Jan 20, 2019

  1. [Issue #14] Properly create iked.conf.5

    Submitted by: mi@FreeBSD.org
    xcllnt committed Jan 20, 2019
  2. Update my email address

    marcel@brkt.com does not exist any more. Use marcel@FreeBSD.org
    instead.
    xcllnt committed Jan 20, 2019

Commits on Jan 19, 2019

  1. Add .gitignore

    xcllnt committed Jan 19, 2019
  2. Convert ikev2.c to OpenSSL 1.1

    xcllnt committed Jan 19, 2019

Commits on Nov 16, 2018

  1. automake is up to 1.16

    Marcel Moolenaar committed Nov 16, 2018

Commits on Nov 19, 2017

  1. Fix RSA public key authentication, broken with change 69e8de5

    Pointed out by: Brandon Bergren
    Marcel Moolenaar committed Nov 19, 2017

Commits on Oct 1, 2017

  1. Consistently prefer IP_RECVORIGDSTADDR over IP_RECVDSTADDR

    On FreeBSD 12.x both IP_RECVORIGDSTADDR and IP_RECVDSTADDR are
    defined. When setting the socket options, we took IP_RECVORIGDSTADDR
    over IP_RECVDSTADDR, and when receiving a datagram from the socket,
    we took IP_RECVDSTADDR over IP_RECVORIGDSTADDR. Consequently, we
    didn't get the destination address and dropped the packet.
    Marcel Moolenaar committed Oct 1, 2017

Commits on Sep 20, 2017

  1. Better support intermediate CAs

    Don't require to know or have all CAs in the chain.  Instead,
    find the outer-most issuer we know that's in the CERTREQ and
    find a certificate chain that is rooted by that CA.  Save
    the partial certificate chain in the SA and send them to the
    peer in as many CERT payloads as there are certificates in
    the (partial) chain.
    
    Similarly, collect all CERT payloads in a partial chain and
    use all the certificates to verify the leaf certificate.  Save
    the partial chain in the same way we save our local cert.
    Marcel Moolenaar committed Sep 20, 2017

Commits on Aug 31, 2017

  1. Let's keep AES-GCM out of the default proposal

    GCM doesn't need an integ xform and I don't think the current
    code works well when we really have disjoint proposals.
    Marcel Moolenaar committed Aug 31, 2017
  2. Add DH groups 19, 20 & 21 to the default IKE proposal

    These groups are known as ECP-256, ECP-384 & ECP-521 (resp.)
    Marcel Moolenaar committed Aug 31, 2017
  3. Add SHA2-512 & SHA2-384 to the default IKE & IPsec SA xforms

    Marcel Moolenaar committed Aug 31, 2017
  4. Add AES-GCM-16 to the default ESP transforms

    Marcel Moolenaar committed Aug 31, 2017
  5. Fix sending proposals

    We can't just filter the transforms the kernel doesn't support.
    The proposal has the total number of transforms.  As such, we
    need to first determine the total supported transforms and then
    add the transforms that are supported.
    Marcel Moolenaar committed Aug 31, 2017

Commits on Apr 4, 2017

  1. Map from IKE's xform Id to pfkey's algorithm Id when checking

    against the kernel's list of supported algorithms.
    Also, when the xform length is 0, accept the xform if the
    algorithm has a fixed key length. The kernel will typically
    do the right thing when presented with a 0 length.
    Marcel Moolenaar committed Apr 4, 2017
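An added example, not code from iked, covering both this commit and "Fix sending proposals" above: transforms are mapped to the kernel's algorithm ids (a zero key length is accepted only for fixed-key algorithms), the supported set is counted in a first pass, and only then is the proposal serialized, because the proposal header carries the transform count and the final transform must carry the "last" flag. The IKEv2 transform ids and the proposal/transform substructure layout follow RFC 7296; the supported[] table and its pfkey ids are constructed stand-ins for what a pfkey_process_supported() would collect, and xform_kernel_id, proposal_encode and example_proposal are names assumed here.

```c
#include <stddef.h>
#include <stdint.h>

/* IKEv2 transform types and the TV-form Key Length attribute (RFC 7296,
 * sections 3.3.2 and 3.3.5). */
#define XF_ENCR        1
#define XF_INTEG       3
#define ATTR_KEYLEN    0x800e    /* AF=1, attribute type 14 */
#define PROTO_ESP      3

struct xform {
    uint8_t  type;
    uint16_t id;        /* IKEv2 transform id */
    uint16_t keylen;    /* key length in bits, 0 = no attribute sent */
};

/* Constructed stand-in for the kernel's supported-algorithm list: pfkey id
 * plus the key-length range it accepts. The pfkey ids are made up for the
 * example; the IKEv2 ids are the registry ones. */
struct kalg {
    uint8_t  type;
    uint16_t ike_id;
    int      pfkey_id;
    uint16_t minbits, maxbits;
};

static const struct kalg supported[] = {
    { XF_ENCR,  12, 101, 128, 256 },  /* ENCR_AES_CBC, variable key */
    { XF_ENCR,   3, 102, 192, 192 },  /* ENCR_3DES, fixed key */
    { XF_INTEG,  2, 201, 160, 160 },  /* AUTH_HMAC_SHA1_96 */
    { XF_INTEG, 14, 202, 512, 512 },  /* AUTH_HMAC_SHA2_512_256 */
};

/* Map an IKE transform to the kernel's algorithm id; -1 if unsupported.
 * A transform without a key-length attribute is accepted only for
 * algorithms whose key length is fixed. */
static int xform_kernel_id(const struct xform *x)
{
    for (size_t i = 0; i < sizeof supported / sizeof supported[0]; i++) {
        const struct kalg *k = &supported[i];
        if (k->type != x->type || k->ike_id != x->id)
            continue;
        if (x->keylen == 0)
            return (k->minbits == k->maxbits) ? k->pfkey_id : -1;
        return (x->keylen >= k->minbits && x->keylen <= k->maxbits) ? k->pfkey_id : -1;
    }
    return -1;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Serialize one ESP proposal substructure holding only the supported
 * transforms. The header carries the transform count and the final
 * transform carries "last" (0) instead of "more" (3) in its first byte,
 * so the supported set is counted before anything is emitted.
 * Returns the byte length, or -1 on overflow or an empty proposal. */
static int proposal_encode(uint8_t *buf, size_t buflen, uint8_t propnum,
                           uint32_t spi, const struct xform *xf, size_t n)
{
    size_t count = 0, off = 12, emitted = 0;

    for (size_t i = 0; i < n; i++)
        if (xform_kernel_id(&xf[i]) >= 0)
            count++;
    if (count == 0 || count > 255 || buflen < off)
        return -1;

    buf[0] = 0;                 /* last proposal in the SA payload */
    buf[1] = 0;                 /* reserved */
    buf[4] = propnum;
    buf[5] = PROTO_ESP;
    buf[6] = 4;                 /* SPI size */
    buf[7] = (uint8_t)count;
    buf[8] = (uint8_t)(spi >> 24); buf[9] = (uint8_t)(spi >> 16);
    buf[10] = (uint8_t)(spi >> 8); buf[11] = (uint8_t)spi;

    for (size_t i = 0; i < n; i++) {
        if (xform_kernel_id(&xf[i]) < 0)
            continue;
        size_t len = 8 + (xf[i].keylen ? 4 : 0);
        if (buflen - off < len)
            return -1;
        emitted++;
        buf[off + 0] = (emitted == count) ? 0 : 3;
        buf[off + 1] = 0;
        put16(&buf[off + 2], (uint16_t)len);
        buf[off + 4] = xf[i].type;
        buf[off + 5] = 0;
        put16(&buf[off + 6], xf[i].id);
        if (xf[i].keylen) {
            put16(&buf[off + 8], ATTR_KEYLEN);
            put16(&buf[off + 10], xf[i].keylen);
        }
        off += len;
    }
    put16(&buf[2], (uint16_t)off);  /* proposal length */
    return (int)off;
}

/* Constructed wish list: two entries the kernel rejects and four it keeps. */
static int example_proposal(uint8_t *buf, size_t buflen)
{
    static const struct xform want[] = {
        { XF_ENCR,  12, 256 },   /* AES-CBC-256: in range */
        { XF_ENCR,  12,  64 },   /* AES-CBC-64: below minbits, dropped */
        { XF_ENCR,  99,   0 },   /* unknown id, dropped */
        { XF_ENCR,   3,   0 },   /* 3DES, no attribute: fixed key, kept */
        { XF_INTEG,  2,   0 },   /* HMAC-SHA1-96, kept */
        { XF_INTEG, 14,   0 },   /* HMAC-SHA2-512-256, kept */
    };
    return proposal_encode(buf, buflen, 1, 0x01020304u, want, sizeof want / sizeof want[0]);
}
```

Filtering while emitting, with the count written up front from the wish list, would produce a header claiming six transforms over four substructures and a "more" flag on the last one; both are exactly what a peer's parser rejects.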

Commits on Apr 3, 2017

  1. Add pfkey_supports_xform() and pfkey_process_supported()

    This is the first step towards negotiating only those xforms
    that the kernel supports.
    Marcel Moolenaar committed Apr 3, 2017

Commits on Mar 15, 2017

  1. Add flow_precious to keep track of the flows we want to keep

    in the kernel for lazy mode.  The problem with using a negative
    value for flow_loaded is that it doesn't work when we have to
    consider that the flow may not have been loaded yet. This can
    happen when we receive a SA_INIT request before we initialized
    the SA.
    Marcel Moolenaar committed Mar 15, 2017

Commits on Mar 3, 2017

  1. Lower the SA replay window to 255 to avoid overflows on

    FreeBSD.
    Marcel Moolenaar committed Mar 3, 2017
  2. Bump the SA replay window size from 64 to 512

    Reasons for this are:
     o  A 64-packet window causes replay checks to fail under
        network load. A 256-packet window does not have this
        problem.
     o  At least 1 network vendor considers switching to 512,
        which leads me to think that 256 is borderline.
    Marcel Moolenaar committed Mar 3, 2017
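An added example, not the project's own code, of the sliding window these two commits are sizing: the RFC 4303 appendix A bitmap widened from a single 64-bit word to a word array so the window size is a parameter, plus a constructed simulation of one packet delayed behind many later ones, which is the reordering under load that makes a 64-packet window drop legitimate traffic. The 255 ceiling the later commit settles on matches the pfkey sadb_sa_replay field, which is 8 bits wide (RFC 2367). Names (replay_win, replay_check, simulate_delay) are assumed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Sliding anti-replay window in the shape of RFC 4303 appendix A, with the
 * bitmap widened from one 64-bit word to an array so the window size is a
 * parameter (64, 256, 512, ...). Bit i of the map means "sequence number
 * last - i has been seen". */
#define REPLAY_MAX_BITS 512

struct replay_win {
    uint32_t last;                        /* highest sequence number accepted */
    uint32_t size;                        /* window in packets, multiple of 32 */
    uint32_t map[REPLAY_MAX_BITS / 32];
};

static void replay_init(struct replay_win *w, uint32_t size)
{
    memset(w, 0, sizeof *w);
    w->size = (size > REPLAY_MAX_BITS) ? REPLAY_MAX_BITS : size;
}

static bool bit_get(const struct replay_win *w, uint32_t i)
{
    return (w->map[i / 32] >> (i % 32)) & 1u;
}

static void bit_set(struct replay_win *w, uint32_t i)
{
    w->map[i / 32] |= 1u << (i % 32);
}

/* Advance the window by n: every bit moves to index + n, bits that leave
 * the window are forgotten. */
static void win_shift(struct replay_win *w, uint32_t n)
{
    uint32_t words = w->size / 32, ws = n / 32, bs = n % 32;
    if (n >= w->size) {
        memset(w->map, 0, sizeof w->map);
        return;
    }
    for (uint32_t i = words; i-- > 0; ) {
        uint32_t v = 0;
        if (i >= ws) {
            v = w->map[i - ws] << bs;
            if (bs != 0 && i > ws)
                v |= w->map[i - ws - 1] >> (32 - bs);
        }
        w->map[i] = v;
    }
}

/* Returns true if seq is new and inside the window, updating the state;
 * false for a replay (already seen) or a packet older than the window. */
static bool replay_check(struct replay_win *w, uint32_t seq)
{
    if (seq == 0)                         /* ESP sequence numbers start at 1 */
        return false;
    if (seq > w->last) {
        win_shift(w, seq - w->last);
        w->last = seq;
        bit_set(w, 0);
        return true;
    }
    uint32_t diff = w->last - seq;
    if (diff >= w->size)
        return false;                     /* fell off the left edge */
    if (bit_get(w, diff))
        return false;                     /* duplicate */
    bit_set(w, diff);
    return true;
}

/* Constructed simulation: packets 1..total arrive in order except that
 * packet 'late' is delivered behind 'delay' later packets. Returns how many
 * legitimate packets the window rejected. */
static int simulate_delay(uint32_t winsize, uint32_t late, uint32_t delay, uint32_t total)
{
    struct replay_win w;
    int rejected = 0;

    replay_init(&w, winsize);
    for (uint32_t seq = 1; seq <= total; seq++) {
        if (seq == late)
            continue;
        if (!replay_check(&w, seq))
            rejected++;
        if (seq == late + delay && !replay_check(&w, late))
            rejected++;
    }
    return rejected;
}
```

With a 64-packet window a packet that arrives 100 positions late is rejected as too old; with 256 it is accepted, while genuine duplicates are still refused at any size.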
