Age | Commit message | Author |
|
specifically, rewrite them to permit some markup in the column headers,
and use "Ta" instead of literal tabs; mandoc does not currently match groff
100%, but a mandoc fix may be some time off, and we've gone enough releases
with poorly formatted column lists.
in some cases i have rewritten the lists as -tag, where -column made
little sense.
|
|
verification caused by the incorrect check of the EVP_VerifyFinal
return value. The issue was discovered and reported by Justin Ferguson,
justin-dot-ferguson-at-ioactive.com. Thanks!
While here, check for HMAC_* return values.
ok jsg, markus
|
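The fix above hinges on a return-value contract that is easy to get wrong: OpenSSL's EVP_VerifyFinal() returns 1 when the signature verifies, 0 when it does not, and -1 when an error occurs before any comparison (malformed input, unsupported algorithm, allocation failure), so a caller that tests for "non-zero" accepts the error case. The block below is an added example, not iked's or OpenSSL's code: toy_verify() is a constructed stand-in with the same three-valued contract (a 4-octet additive checksum plays the role of the signature, so the file builds without libcrypto), and the two callers show the incorrect and the correct check side by side. The message bytes are constructed input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOY_SIGLEN 4

/* Constructed "signature": big-endian 32-bit sum of the message octets. */
static void
toy_sign(const uint8_t *msg, size_t len, uint8_t sig[TOY_SIGLEN])
{
	uint32_t sum = 0;
	size_t i;

	for (i = 0; i < len; i++)
		sum += msg[i];
	sig[0] = (uint8_t)(sum >> 24);
	sig[1] = (uint8_t)(sum >> 16);
	sig[2] = (uint8_t)(sum >> 8);
	sig[3] = (uint8_t)sum;
}

/*
 * Same return contract as EVP_VerifyFinal():
 *    1  signature matches
 *    0  signature does not match
 *   -1  error before any comparison (here: wrong signature length)
 */
static int
toy_verify(const uint8_t *msg, size_t len, const uint8_t *sig, size_t siglen)
{
	uint8_t expect[TOY_SIGLEN];

	if (siglen != TOY_SIGLEN)
		return -1;
	toy_sign(msg, len, expect);
	return memcmp(expect, sig, TOY_SIGLEN) == 0 ? 1 : 0;
}

/* Incorrect caller: any non-zero result, -1 included, counts as verified. */
bool
accept_incorrect(const uint8_t *msg, size_t len, const uint8_t *sig, size_t siglen)
{
	return toy_verify(msg, len, sig, siglen) != 0;
}

/* Correct caller: only exactly 1 counts as verified. */
bool
accept_correct(const uint8_t *msg, size_t len, const uint8_t *sig, size_t siglen)
{
	return toy_verify(msg, len, sig, siglen) == 1;
}

static const uint8_t msg[] = "IKE_AUTH signed octets";	/* constructed input */

/* True when a one-octet garbage signature gets past the incorrect check
 * but not the correct one, i.e. the bug is reproducible. */
bool
demo_malformed_sig_bypass(void)
{
	static const uint8_t garbage[1] = { 0x00 };

	return accept_incorrect(msg, sizeof(msg) - 1, garbage, sizeof(garbage)) &&
	    !accept_correct(msg, sizeof(msg) - 1, garbage, sizeof(garbage));
}

/* True when a genuine signature passes both checks and a flipped one
 * passes neither: the fix does not reject good signatures. */
bool
demo_genuine_and_tampered(void)
{
	uint8_t sig[TOY_SIGLEN];
	bool ok;

	toy_sign(msg, sizeof(msg) - 1, sig);
	ok = accept_correct(msg, sizeof(msg) - 1, sig, TOY_SIGLEN) &&
	    accept_incorrect(msg, sizeof(msg) - 1, sig, TOY_SIGLEN);
	sig[3] ^= 0x01;
	return ok &&
	    !accept_correct(msg, sizeof(msg) - 1, sig, TOY_SIGLEN) &&
	    !accept_incorrect(msg, sizeof(msg) - 1, sig, TOY_SIGLEN);
}
```

The same discipline applies to the HMAC_* calls the commit also touches: they report success as 1 and failure as 0, and a caller that ignores the result will keep going with an uninitialised or partial MAC context.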
|
construct;
this also sidesteps what seems to be a problem with mandoc, in that
"-column -compact" seems to mess up the formatting. thus these pages should
now have their lists formatted nicely (i.e. correctly aligned and with indent
applied);
as a side note, the fact that headers are not properly marked up is another
issue which will be addressed separately (a mandoc fix is needed, i think).
i have fudged a few of these to mark up properly, since the workaround does
make sense for some pages.
as another side note, i haven't fixed man7, as i need to prepare a separate
diff for kristaps and ingo.
|
|
|
|
|
|
When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.
|
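BN_bn2bin() writes exactly BN_num_bytes() octets, so a value whose top octet happens to be zero (roughly 1 in 256 DH public values or shared secrets) comes out shorter than the fixed width IKEv2 requires: RFC 7296 says the KE payload's public value and the shared secret g^ir are padded with zeros to the length of the group modulus. The block below is an added example, not iked's code. bn2bin_minimal() simulates BN_bn2bin() on a constructed big-endian octet string (no libcrypto needed; the real function takes a BIGNUM), and bn2bin_padded() is the left-padding wrapper the commit describes; the 8-octet "group" in the demo is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Stand-in for BN_bn2bin(): copy the big-endian value in[0..inlen)
 * to out, dropping leading zero octets, and return the number of
 * octets written (what BN_num_bytes() would report).
 */
size_t
bn2bin_minimal(const uint8_t *in, size_t inlen, uint8_t *out)
{
	size_t skip = 0;

	while (skip < inlen && in[skip] == 0)
		skip++;
	memcpy(out, in + skip, inlen - skip);
	return inlen - skip;
}

/*
 * Fixed-width encoder: writes exactly outlen octets, the minimal
 * encoding right-aligned behind zero octets.  Returns -1 if the value
 * does not fit; for a DH value that means the peer sent something
 * outside the group, which must be rejected, never truncated.
 */
int
bn2bin_padded(const uint8_t *min, size_t minlen, uint8_t *out, size_t outlen)
{
	if (minlen > outlen)
		return -1;
	memset(out, 0, outlen - minlen);
	memcpy(out + (outlen - minlen), min, minlen);
	return 0;
}

/*
 * Constructed 8-octet "group": a value with two leading zero octets
 * shrinks to 6 octets through the bn2bin stand-in and is restored to
 * the full 8 by the wrapper.  Returns the octets the minimal encoding
 * lost (2), or (size_t)-1 on failure.
 */
size_t
demo_leading_zero_loss(void)
{
	static const uint8_t value[8] = { 0, 0, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc };
	uint8_t minimal[8], padded[8];
	size_t minlen = bn2bin_minimal(value, sizeof(value), minimal);

	if (bn2bin_padded(minimal, minlen, padded, sizeof(padded)) != 0)
		return (size_t)-1;
	if (memcmp(padded, value, sizeof(value)) != 0)
		return (size_t)-1;
	return sizeof(value) - minlen;
}
```

OpenSSL 1.1.0 and later provide BN_bn2binpad() for exactly this. Fixed-width output also closes a length side channel: with the minimal encoding, the number of leading zero octets of a secret is observable from message lengths and from the time spent processing it.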
|
|
|
|
|
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.
|
|
|
|
This removes iked-specific stuff from proc.c.
|
|
|
|
tree that is used to figure out whether the policy is active or
not. makes active sa lookup via policy work for nat traversal.
problem was reported and fix was tested by sthen, ok sthen, reyk
|
|
picks the peer from the acquire message and allows matching masked
peers in the policies like "peer any" or "peer 10.0.0.0/8" instead of
requiring exactly matching peer specifications.
ok mikeb@
|
|
matching policy and init a new IKE SA. This adds support for "acquire mode"
from static flows.
ok mikeb@
|
|
|
|
|
|
from the PFKEY socket. This is needed for sasyncd.
ok mikeb@
|
|
when there's no sa established (as pointed out by reyk). instead
use require mode feature to send acquires from the kernel. this
allows us to get rid of the code that changes flow mode to acquire
and keep all installed flows in the tree and save up on some code
that deals with renegotiation. also several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa). ok reyk
|
|
all the preparation steps. don't forget to change {flow,csa}_ikesa
pointers when transferring to a different ike sa. ok reyk
|
|
|
|
|
|
|
|
ok mikeb@
|
|
to $peernet" and not depending on the initiator/responder mode.
- Remove the flow hash calculated but not used anymore.
ok mikeb@
|
|
ok mikeb@
|
|
ok mikeb@
|
|
ok mikeb@
|
|
|
|
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies, but I also liked having skip steps in
another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@
|
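The evaluation the commit describes, as an added example that is not iked's policy.c: policies are tested in order, the last match wins, "quick" stops at the first match, and per-field skip steps (after PF's calc_skip_steps()) let the evaluator jump over every policy that would fail on the same field value. The policy fields (an IPv4 peer prefix and a protocol), the struct names and the four constructed policies are assumptions made for the example; iked's real policies match on more fields and use a different representation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct policy {
	uint32_t	 peer;		/* network, host byte order */
	uint8_t		 peerlen;	/* prefix length; 0 = "peer any" */
	uint8_t		 proto;		/* 0 = any */
	bool		 quick;
	const char	*name;
};

struct pkt {
	uint32_t	 peer;
	uint8_t		 proto;
};

static uint32_t
mask(uint8_t len)
{
	return len == 0 ? 0 : (uint32_t)(0xffffffffu << (32 - len));
}

static bool
peer_match(const struct policy *p, const struct pkt *k)
{
	return (k->peer & mask(p->peerlen)) == (p->peer & mask(p->peerlen));
}

static bool
same_peer(const struct policy *a, const struct policy *b)
{
	return a->peer == b->peer && a->peerlen == b->peerlen;
}

/*
 * skip[i] is the index of the first policy after i whose field differs
 * from policy i's: if the field fails on i it fails on all of them.
 */
static void
calc_skip_steps(const struct policy *p, size_t n, size_t *skip_peer,
    size_t *skip_proto)
{
	size_t i;

	for (i = n; i-- > 0;) {
		if (i + 1 == n) {
			skip_peer[i] = skip_proto[i] = n;
			continue;
		}
		skip_peer[i] = same_peer(&p[i], &p[i + 1]) ? skip_peer[i + 1] : i + 1;
		skip_proto[i] = p[i].proto == p[i + 1].proto ? skip_proto[i + 1] : i + 1;
	}
}

/* Last matching policy wins; "quick" returns at the first match. */
const struct policy *
policy_lookup(const struct policy *p, size_t n, const size_t *skip_peer,
    const size_t *skip_proto, const struct pkt *k)
{
	const struct policy *match = NULL;
	size_t i = 0;

	while (i < n) {
		if (!peer_match(&p[i], k)) {
			i = skip_peer[i];
			continue;
		}
		if (p[i].proto != 0 && p[i].proto != k->proto) {
			i = skip_proto[i];
			continue;
		}
		match = &p[i];
		if (p[i].quick)
			break;
		i++;
	}
	return match;
}

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Constructed ruleset, in configuration order. */
static const struct policy policies[] = {
	{ IP(0, 0, 0, 0),   0,  0,  false, "any" },
	{ IP(10, 0, 0, 0),  8,  0,  false, "10/8" },
	{ IP(10, 0, 0, 0),  8,  17, true,  "10/8 udp quick" },
	{ IP(10, 1, 2, 3),  32, 0,  false, "host 10.1.2.3" },
};
#define NPOLICIES (sizeof(policies) / sizeof(policies[0]))

/* Name of the winning policy for a constructed peer/proto pair. */
const char *
demo_lookup(uint32_t peer, uint8_t proto)
{
	size_t skip_peer[NPOLICIES], skip_proto[NPOLICIES];
	const struct policy *p;

	calc_skip_steps(policies, NPOLICIES, skip_peer, skip_proto);
	p = policy_lookup(policies, NPOLICIES, skip_peer, skip_proto,
	    &(struct pkt){ .peer = peer, .proto = proto });
	return p ? p->name : NULL;
}
```

With these semantics the host policy beats "10/8" only because it is listed later, not because its prefix is longer; a ruleset written for longest-prefix matching has to be reordered or marked "quick" when moving to last-match evaluation.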
|
prevent a possible crash.
ok mikeb@
|
|
to do exact matches; ok reyk
|
|
|
|
to drop Child SA based on the inactivity timer. In this case we instruct
the kernel to send us an acquire message upon receiving a packet for those
hosts and initiate a Child SA creation exchange ourselves.
ok reyk
|
|
|
|
just dropping them; ok reyk
|
|
|
|
|
|
|
|
|
|
|
|
it is too specific to be in util.c. This will allow linking util.c
into ikectl later without all the other dependencies of print_id().
|
|
everything else. we might need to include util.c in ikectl later.
sure mikeb@
|
|
|
|
bytes value ("lifetime 123 bytes 456" instead of "lifetime 123 456").
|
|
|
|
with suggestions and OK from reyk
|
|
by axel rau, axel dot rau at chaos1 dot de. The actual convert
functions are taken from bgpd(8). OK reyk
|
|
|
|
it returns a new buffer from the internal read offset, as the stdio get
functions do, and not the same buffer when it is called multiple times.
Also rename the old ibuf_get() to ibuf_getdata() because it returns
a "special" data type and it matches the stdio get* conventions.
pointed out by mikeb@
|
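The get semantics described above, as an added example that is not OpenBSD's ibuf code: a constructed model of an ibuf with a read offset, where each ibuf_get() returns a freshly allocated buffer holding the next len octets and advances the offset, so successive calls return successive fields rather than the same data. The struct layout, the helper names and the 8-octet message are assumptions made for the example; a get that would run past the end of the data fails instead of returning a short buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: data, its length, and the read offset. */
struct ibuf {
	uint8_t	*buf;
	size_t	 size;	/* octets in buf */
	size_t	 rpos;	/* read offset */
};

struct ibuf *
ibuf_new(const void *data, size_t len)
{
	struct ibuf *b;

	if ((b = calloc(1, sizeof(*b))) == NULL)
		return NULL;
	if ((b->buf = malloc(len)) == NULL) {
		free(b);
		return NULL;
	}
	memcpy(b->buf, data, len);
	b->size = len;
	return b;
}

void
ibuf_release(struct ibuf *b)
{
	if (b == NULL)
		return;
	free(b->buf);
	free(b);
}

/*
 * Return the next len octets as a new ibuf and advance the read offset.
 * Refuses to read past the end instead of handing back short data.
 */
struct ibuf *
ibuf_get(struct ibuf *b, size_t len)
{
	struct ibuf *n;

	if (len > b->size - b->rpos)
		return NULL;
	if ((n = ibuf_new(b->buf + b->rpos, len)) == NULL)
		return NULL;
	b->rpos += len;
	return n;
}

/*
 * Constructed message "AAAABBBB": two gets of 4 octets yield distinct
 * buffers "AAAA" then "BBBB", and a third get of 1 octet fails at end
 * of data.  Returns 0 on success, or the number of the step that failed.
 */
int
demo_ibuf_get(void)
{
	struct ibuf *m, *a = NULL, *b = NULL, *c;
	int rc = 0;

	if ((m = ibuf_new("AAAABBBB", 8)) == NULL)
		return 1;
	if ((a = ibuf_get(m, 4)) == NULL || memcmp(a->buf, "AAAA", 4) != 0)
		rc = 2;
	else if ((b = ibuf_get(m, 4)) == NULL || memcmp(b->buf, "BBBB", 4) != 0)
		rc = 3;
	else if (a == b || m->rpos != 8)
		rc = 4;
	else if ((c = ibuf_get(m, 1)) != NULL) {
		ibuf_release(c);
		rc = 5;
	}
	ibuf_release(a);
	ibuf_release(b);
	ibuf_release(m);
	return rc;
}
```

Because each get allocates, the caller owns every returned buffer and releases it separately from the parent; the parent's read offset is the only state shared between calls.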