Age | Commit message (Collapse) | Author |
|
and poll() at the same time may lead to a race that locks up the
process in recv().
ok bluhm@
|
ok bluhm@
|
ok patrick@
|
This helps debug authentication issues with x509 certificates.
ok markus@
|
ok markus@
|
with an unconditional EVP_CIPHER_CTX_free().
ok tobhe
|
in dsa_length() or dsa_prefix() when the selected encoding is invalid.
ok markus@
|
ok markus@
|
to iked. Encryption keys and nonces are generated by the handshake and don't
have to be supplied in the config.
|
Only modify SA after successful ikev2_msg_decrypt().
ok patrick@
|
not ESP transforms. Fixes broken key exchange negotiation with
matching proposals.
ok patrick@ markus@
|
correct "cast" in ipsec.conf.5 to "cast128", add missing
"chacha20-poly1305", and sync iked.conf.5 and ipsec.conf.5 some
places.
ok jmc sthen
|
protocols for a single policy, e.g. "proto { ipencap, ipv6 }".
feedback and ok benno@
ok patrick@
|
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
|
Without this change the responder would always prefer the first DH
group configured in its policy. This would lead to invalid KE
messages that cause an additional exchange which old
implementations do not support correctly. Now we ignore the order
of DH groups in the policy and prefer the group from the policy
that matches the KE payload.
from markus@
ok patrick@
|
ok patrick@
|
contain a partially copied password
ok tobhe
|
ok tobhe
|
don't delete the pointer.
ok markus@
|
ok markus@
|
ok patrick@
|
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.
Automatic name server configuration is enabled by default for policies using
the 'iface' option.
discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@
|
Lower limits lead to excessive rekeying and lost data in high performance
setups without much benefit.
Brought up by mvs@
ok patrick@ sthen@
|
data not being accessible.
From Claudia Priesterjahn @ achelos
ok patrick@
|
printing for route flags.
ok markus@
|
ok markus@
|
address before checking sa_addrpool. Fixes a bug where no flows are added
if a single address instead of a pool is configured in config address.
Reported by Sebastien Leclerc
ok patrick@
|
Fixes a regression found by landry@.
ok patrick@
|
them explicitly on shutdown. Store netmask in route queue
to fix cleanup of 0/1 routes. Sending delete messages
without mask doesn't work reliably.
ok patrick@
|
Fixes a bug where no flows are loaded when a single config address without
pool is configured.
ok patrick@
|
Only skip .0 address if the pool is big enough.
ok patrick@
|
based on Streamlined NTRU Prime (coupled with X25519).
The sntrup761 implementation is imported from OpenSSH.
It is public domain code originally distributed as part
of the SUPERCOP cryptography benchmark suite
(https://bench.cr.yp.to/supercop.html).
The method is not part of the default proposal, but can
be enabled with 'ikesa group sntrup761x25519'.
ok markus@ patrick@
|
ok patrick@
|
addresses and routes in iked_vroute_sc to not depend on ikev2
process for cleanup.
This makes sure that all flows, routes and addresses are deleted
no matter which process is killed first.
ok patrick@
|
ok tobhe
|
These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.
ok bluhm@, tb@
|
ok patrick@
|
sa_cp_addr and sa_cp_addr6 are moved to the new SA before the old
SA is deleted.
Fixes a bug where host routes were deleted on IKE SA rekey.
ok patrick@
|
'enforcesingleikesa'. Fixes an interop problem with strongswan
if make-before-break is enabled.
ok patrick@
|