src - OpenBSD base system

Age	Commit message (Collapse)	Author
2021-04-03	Add size check for sockaddr mask.	tobhe

2021-03-25	Sync correct ROUNDUP() from net/route.c	tobhe

2021-03-23	Don't send DELETE notify if IKE SA is replaced because of	tobhe
	'enforcesingleikesa'. Fixes an interop problem with strongswan if make-before-break is enabled. ok patrick@
2021-03-21	The tag comes after iface in iked.conf(5).	tobhe

2021-03-16	Add 'grp31' alias for curve25519 as documented in iked.conf(5).	tobhe

2021-03-15	We makes sure that a dh group is required if the local proposal	tobhe
	contains an explicit group transform. Override requiredh if one of the local options is 'none' so that a proposal with no DH group and on with explicit group 'none' result in a match. ok patrick@
2021-03-15	Ignore msg_ke in CREATE_CHILD_SA if DH negotiation results in group	tobhe
	'none' (disabling PFS). Fixes a bug when the initiator sends a KE payload but the negotiation results in DH group "none". For other DH group mismatches we send an INVALID_KE notify, for 'none' we can just ignore the KE payload. ok patrick@
2021-03-14	Log errors with log level info and SPI.	tobhe

2021-03-09	Also log transforms on IKE SA rekey.	tobhe

2021-03-07	Log ESN for child SAs if enabled.	tobhe

2021-03-06	whitespace	tobhe

2021-03-05	Print PFS group for rekeyed Child SAs.	tobhe
	ok patrick@
2021-03-05	Log transforms of established IKE and Child SAs.	tobhe
	ok patrick@
2021-03-05	Move policy printing code from parse.y to new print.c	tobhe
	ok patrick@
2021-03-04	Remove -g from CFLAGS. This was accidentally added with the last commit.	tobhe

2021-03-04	Derive config netmask from address pool if not explicitly configured.	tobhe
	ok markus@
2021-03-03	Free sc_vroute on shutdown.	tobhe

2021-03-02	Increase the size of iov in pfkey_sa() to be large enough for all	Jonathan Gray
	possible options. ok tobhe@
2021-03-01	Make sure sa_policy is not NULL in sa_configure_iface(). This can happen	tobhe
	if the SA is deleted because of a failed policy lookup.
2021-02-28	Rename addr to gateway.	tobhe

2021-02-27	Set RTF_GATEWAY for host route based on RTM_GET response.	tobhe

2021-02-26	Set RTF_GATEWAY for flow routes, not for host route.	tobhe

2021-02-26	Fix and improve handling of address families in vroute_getcloneroute().	tobhe
	ok patrick@
2021-02-25	Constify cipher API.	tobhe
	ok markus@
2021-02-24	Use ASN1_STRING_get0_data() instead of the deprecated ASN1_STRING_data().	tobhe
	From Moritz Schmitt ok patrick@
2021-02-22	Don't pass 'id' as argument to make function signature match similar	tobhe
	functions. config_setpfkey() is always called with id PROC_IKEV2.
2021-02-21	Don't explicitly send address family in IMSG_VROUTE_ADD. The receiving	tobhe
	process parses af from the sockaddrs. ok patrick@
2021-02-20	Fail on invalid address family.	tobhe

2021-02-19	Fail on duplicate nonce payload.	tobhe
	ok patrick@
2021-02-18	Save one allocation by passing msg_nonce ownership instead of using	tobhe
	ibuf_dup(). ok patrick@
2021-02-18	Remove redundant ibuf_release. msg_ke is always NULL because of the	tobhe
	duplicate check above.
2021-02-18	Pass ownership instead of duplicating ibuf msg_ke.	tobhe
	ok patrick@
2021-02-16	Fail on duplicate KE payload.	tobhe
	ok patrick@
2021-02-13	Add dynamic address configuration for roadwarrior clients.	tobhe
	The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows. Input from sthen@ and claudio@ ok patrick@
2021-02-12	Fix local and peer addresses in policy lookup for dangling SAs	tobhe
	after ikectl reload. ok patrick@
2021-02-11	Explicitly unset IKED_REQ_CERTVALID before sending cert to ca process.	tobhe
	ok markus@
2021-02-10	Delay deletion of IKE SAs on rekey when stickyaddress is enabled to make	tobhe
	sure peers can keep their previously assigned addresses. ok patrick@
2021-02-09	Add optional 'group none' transform for child SAs and fix handling of	tobhe
	'group none'. We currently send no transform of type DH by default, which should be equivalent to explicitly sending a single DH transform of type 'none'. However, the proposal matching logic had a bug where these two would not match, effectively breaking the ability to negotiate optional PFS. This commit fixes the bug but continues to send no DH proposal by default to remain backwards compatible with older versions. ok patrick@
2021-02-08	Clean up kernel IPsec flows and security associations on shutdown.	tobhe
	Discussed with sthen@ ok patrick@
2021-02-07	Free X509_STOREs in ca_shutdown().	tobhe

2021-02-07	Fix address leaks in expand_flows().	tobhe
	ok patrick@
2021-02-04	Rename 'struct group' to 'struct dh_group' for more clarity and	tobhe
	to avoid name clashes. ok patrick@
2021-02-04	EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m()	tobhe
	do the same thing. Remove redundant check and always use the _GFp() variant. discussed with tb@ ok patrick@
2021-02-04	Upgrade to OpenSSL 1.1 compatible crypto API. Add additional	tobhe
	checks where needed. ok markus@ patrick@
2021-02-01	Take flows into consideration for policy lookup as initiator.	tobhe
	Fixes a bug where policies that only differ in their flow configuration lead to a handshake error. Found by claudio@ ok patrick@
2021-02-01	Whitespace	tobhe

2021-01-31	Ignore addresses that are not 0/32 (dynamic) in ikev2_cp_fixaddr()	tobhe
	instead of throwing an error. Fixes a bug where flows without 'dynamic' were skipped when 'config/request address' is used. ok patrick@
2021-01-31	Don't leak flows if ikev2_cp_fixflow() fails.	tobhe
	ok patrick@
2021-01-29	Add proper padding for pfkey messages. Use ROUNDUP() for auth and	tobhe
	enc keys. ok patrick@
2021-01-28	Extern privsep_process. Fixes compilation with -fno-common.	mortimer
	ok deraadt@