| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2014-04-18 | round up some enemy sympathizers found calling RAND_seed(). | Ted Unangst | |
| ok beck reyk | |||
| 2014-04-16 | More des_foo -> DES_foo | Miod Vallat | |
| 2014-04-14 | Fix the following idiom in the following way: | Bret Lambert | |
| arc4random_buf(seed, sizeof(seed)); RAND_seed(seed, sizeof(seed)); + explicit_bzero(seed, sizeof(seed)); ok reyk@ | |||
| 2014-04-10 | Add validation routines to ikev2_pld.c: For each payload type overall | Reyk Floeter | |
| header structure is checked for sanity before copying the header. Always pass down the number of remaining bytes in the payload or substructure so we can always ensure to not go beyond actual data. Also remove the quick parsing step as it does not provide a real benefit anymore. From Hans-Joerg Hoexer ok mikeb@ markus@ | |||
| 2014-03-12 | don't leak an ibuf for each expired SA; ok mikeb@ | Markus Friedl | |
| 2014-03-12 | unbreak config-address w/o pool; ok mikeb@ | Markus Friedl | |
| 2014-02-26 | don't policy_ref an activate policy (policy_ref/unref are assymetrical), | Markus Friedl | |
| otherwise the policy list might get corrupted; from haesbaert | |||
| 2014-02-21 | support rekeying for IPCOMP; ok mikeb@ | Markus Friedl | |
| 2014-02-18 | check the error from ikev2_cp_setaddr | Markus Friedl | |
| 2014-02-17 | interpret 'config address net/prefix' as a pool of addresses and | Markus Friedl | |
| randomly choose the address for CFG_REQUEST. this address will be used to replace 0.0.0.0/32 in the specified flow. e.g. > ikev2 passive esp from 192.168.1.0/24 to 0.0.0.0 \ > config address 192.168.10.200/24 will assign an address between 192.168.10.200 and 192.168.10.254 and replace 0.0.0.0 with this address. ok mikeb@ on older version of this diff. | |||
| 2014-02-17 | basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' | Markus Friedl | |
| ok mikeb@ | |||
| 2014-02-17 | Fix compiler warnings in the format strings: use %zd for ssize_t and | Reyk Floeter | |
| %zu for size_t. From Andre de Oliveira With input and OK from blambert@ markus@ | |||
| 2014-02-14 | remove unused function that distracts from cleaning up the imsg_flush() mess | Sebastian Benoit | |
| ok krw, florian, henning | |||
| 2014-02-14 | initial support for IPComp | Markus Friedl | |
| still experimental and rekeying needs some work; ok mikeb@ | |||
| 2014-02-12 | make sure to set the msg_responded flag on the original message; ok mikeb@ | Markus Friedl | |
| 2014-01-24 | re-lookup the policy as soon as we have the ID of the peer (destid) | Markus Friedl | |
| ok mikeb@ | |||
| 2014-01-24 | enable format-string checks for log_*(); ok mikeb | Markus Friedl | |
| 2014-01-24 | make sure sa_lookup() can actually find SAs; ok mikeb | Markus Friedl | |
| 2014-01-24 | don't leak prv RSA key for each signature; ok mikeb | Markus Friedl | |
| 2014-01-24 | use a bit saner timer api | Mike Belopuhov | |
| 2014-01-22 | implement DPD similar to isakmpd, but only send DPD-messages 'on-demand' | Markus Friedl | |
| (less aggressive, only if the ESP-SAs are actually used); feedback & ok mikeb@ | |||
| 2014-01-22 | relax the cfg file secrecy check slightly to allow group readability | Henning Brauer | |
| default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian | |||
| 2014-01-18 | Remove -Wbounded: it is now the compiler default. | Martynas Venckus | |
| 2013-12-09 | distingush between sa_msgid not set and 0; otherwise we start | Markus Friedl | |
| dropping messages if we usually are the initiator and the peer initiates rekeying first. ok mikeb@ | |||
| 2013-12-04 | Use EVP_sha1 directly instead of doing the EVP_get_digestbyname lookup. | Mike Belopuhov | |
| Correct the comment while here: RFC5996 says we SHOULD use SHA1 as a hashing function for RSA Digital Signatures. Tested by and OK markus. | |||
| 2013-12-03 | never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr | Markus Friedl | |
| this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@ | |||
| 2013-11-28 | mark replaced flows as 'not loaded'; this can happen if both | Markus Friedl | |
| sides negotiate the same flow, but only one flow is active in the kernel; ok mikeb@ | |||
| 2013-11-28 | don't leak duplicate flows; ok mikeb@ | Markus Friedl | |
| 2013-11-28 | drop duplicate requests | Markus Friedl | |
| otherwise IKE_AUTH requests might be accepted twice, leading to TWO child-SAs with the same remote SPI, but different local SPIs, leading to corrupt child-SA tables. with & ok mikeb@ | |||
| 2013-11-28 | document sa_msgid & sa_reqid; ok mikeb@ | Markus Friedl | |
| 2013-11-28 | sa_lookup: don't compare with sh_rspi if rspi is not set | Markus Friedl | |
| otherwise this can happen: initiator retransmits SA_INIT with rspi of zero, sa_lookup for responder fails, and it creates a new SA, that cannot be inserted in the SA tree | |||
| 2013-11-28 | sa_new(): discard & free duplicate IKESAs; ok mibek@ | Markus Friedl | |
| 2013-11-28 | include hexdump in debug output only for -vvv; ok mikeb@ | Markus Friedl | |
| 2013-11-28 | support raw pubkey authentication w/o x509 certificates; | Markus Friedl | |
| mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@ | |||
| 2013-11-25 | use u_char for buffers in yylex, for ctype calls | Sebastian Benoit | |
| found by millert@, from deraadt@ | |||
| 2013-11-22 | Whole bunch of (unsigned char) casts carefully added for ctype calls. | Theo de Raadt | |
| Careful second audit by millert | |||
| 2013-11-21 | Make the bit string u_char * in print_bits(). In practice we | Todd C. Miller | |
| shouldn't have chars > 127 in these but it is better not to assume this. OK deraadt@ | |||
| 2013-11-15 | Cope with the EAGAIN API change for msgbuf_write() | Mike Belopuhov | |
| 2013-11-14 | ignore messages for other daemons, like isakmpd does; ok mikeb | Markus Friedl | |
| 2013-11-14 | setup pfkey timer before use; ok mikeb | Markus Friedl | |
| 2013-11-14 | pass caller to ca_sslerror for better error messages; ok mikeb | Markus Friedl | |
| 2013-11-14 | verify EC points; from hshoexer; ok mikeb | Markus Friedl | |
| 2013-11-14 | not need to specify OBJDIR; ok mikeb | Markus Friedl | |
| 2013-11-01 | altq -> new queue in examples | Henning Brauer | |
| From: Arto Jonsson <ajonsson at kapsi.fi> | |||
| 2013-10-24 | no need for netinet/ip_var.h (and friends) | Theo de Raadt | |
| 2013-09-26 | After some manipulations with the buffer, ike message header (hdr) | Mike Belopuhov | |
| might no longer point to the same memory as before. The bug was reported and fix was tested by LEVAI Daniel. Thanks! | |||
| 2013-07-16 | Add missing .Mt macros for AUTHORS email addresses. | Ingo Schwarze | |
| From Jan Stary <hans at stare dot cz>. ok jmc@ | |||
| 2013-06-29 | do not use Sx for sections outwith the page; | Jason McIntyre | |
| man4 still to go... | |||
| 2013-06-13 | Add support for protected-subnet config types. | Reyk Floeter | |
| From Ryan Slack | |||
| 2013-05-22 | Move the gmac/null ciphers to a different table block, clearly labelled as | Stuart Henderson | |
| not doing encryption. ok reyk@ | |||
 |
index : src | |
| OpenBSD base system |
| summaryrefslogtreecommitdiff |