Age | Commit message | Author |
|
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@
|
|
and we move an SA from one to another policy, we need to make sure to do
refcounting if the policies involved are already in the garbage collect
phase.
ok markus@ mikeb@
|
|
instead pull in <netinet/in.h> or <arpa/inet.h> when those are needed.
ok florian@ beck@ millert@
|
|
From and OK markus@, OK reyk
|
|
From and OK markus@, OK reyk
|
|
From and OK markus@, OK reyk
|
|
From and OK markus@, OK reyk
|
|
From and OK markus@, OK reyk
|
|
From and OK markus@, OK reyk
|
|
From and OK markus@, OK reyk
|
|
From and OK markus@, OK reyk
|
|
From and OK markus@, OK reyk
|
|
From and OK markus@, OK reyk
|
|
steal code.
|
|
This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().
Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
|
TAILQ_FOREACH().
No intentional functional change.
ok reyk@
|
|
so it is safe calling log_* after an error without losing it.
|
|
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
|
Brought up by doug@, ok reyk, djm, doug
|
|
As a related change, load the local.pub and local.key keys after
privsep and reload them on SIGHUP/reload.
OK mikeb@
|
|
additional actions before printing it. OK rzalamena@
|
|
Doesn't matter in iked as recvfromto is only called with flags = 0, but
this code tends to be copied. ok sthen@ florian@
|
|
Report and fix by Nikolay Edigaryev <edigaryev at gmail ! com>,
thanks! OK reyk@
|
|
"ikectl log verbose" and keeps the control process separated from the
cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
|
Ok jca@ and reyk@
|
|
Ok mikeb@
|
|
ok reyk@ florian@
|
|
correctly, as parse.y's $$ is not zero-initialized.
Found by Rene Ammerlaan
OK markus@ florian@
|
|
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
|
|
addresses from the pool, instead of the fourth byte, which usually
represents network bits.
ok markus@ mikeb@
|
|
clients can be given an IPv4 and IPv6 address at the same time,
thus enabling dual stack usage.
ok markus@ mikeb@
|
|
addresses by specified (e.g. 192.0.2.1) ones. The function should
return if the address is already set. The check was wrong for the
IPv6 case, as it returned if it's not set. This caused the address
to never be fixed.
ok markus@ mikeb@
|
|
OK reyk
|
|
DES is insecure since brute force attacks are practical due to its
short key length.
This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
|
with the SOCK_NONBLOCK flag to socket() and accept4().
OK claudio@ jung@
|
|
include the process name, and replace all calls of fatal*(NULL) with
fatal(__func__) for better debugging.
OK benno@
|
|
get rid of the "LOSS OF MIND" joke. Haha. We keep on removing it and
it shows up again because it accidentally gets synced from somewhere
else. bgpd and ospfd don't have it anymore, but their offsprings
still carry it. If you see it, remove it, and, in the OpenBSD ISC
case, use the original text from /usr/share/misc/license.template.
All authors agree.
|
|
sync log.c with relayd and httpd - all three daemons are using a copy
of the same file now. Nevertheless, adding "extern int debug/verbose"
in util.c is not super nice but helps for now. No functional change.
|
|
strndup().
ok millert@
|
|
policy after receiving it from the parent. print_policy ->
print_proto -> getprotobynumber -> pledge abort because it tried to
access /etc/protocols without rpath. It was just a debugging message
that can be moved to the parent (printing the policy on the sender
side and not the receiver side). The parent has rpath and dns.
Issue found by sthen@ with "proto etherip"
OK sthen@ benno@
|
|