| Age | Commit message (Collapse) | Author |
|---|
|
ok reyk@ florian@
|
|
correctly, as parse.y's $$ is not zero-initialized.
Found by Rene Ammerlaan
OK markus@ florian@
|
|
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
|
|
addresses from the pool, instead of the fourth byte, which usually
represents network bits.
ok markus@ mikeb@
|
|
clients can be given an IPv4 and IPv6 address at the same time,
thus enabling dual stack usage.
ok markus@ mikeb@
|
|
addresses by specified (e.g. 192.0.2.1) ones. The function should
return if the address is already set. The check was wrong for the
IPv6 case, as it returned if it's not set. This caused the address
to never be fixed.
ok markus@ mikeb@
|
|
|
|
OK reyk
|
|
|
|
DES is insecure since brute force attacks are practical due to its
short key length.
This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
|
|
|
|
|
|
|
|
|
|
|
with the SOCK_NONBLOCK flag to socket() and accept4().
OK claudio@ jung@
|
|
include the process name, and replace all calls of fatal*(NULL) with
fatal(__func__) for better debugging.
OK benno@
|
|
get rid of the "LOSS OF MIND" joke. Haha. We keep on removing it and
it shows up again because it accidentally gets synced from somewhere
else. bgpd and ospfd don't have it anymore, but their offsprings
still carry it. If you see it, remove it, and, in the OpenBSD ISC
case, use the original text from /usr/share/misc/license.template.
All authors agree.
|
|
sync log.c with relayd and httpd - all three daemons are using a copy
of the same file now. Nevertheless, adding "extern int debug/verbose"
in util.c is not super nice but helps for now. No functional change.
|
|
strndup().
ok millert@
|
|
policy after receiving it from the parent. print_policy ->
print_proto -> getprotobynumber -> pledge abort because it tried to
access /etc/protocols without rpath. It was just a debugging message
that can be moved to the parent (printing the policy on the sender
side and not the receiver side). The parent has rpath and dns.
Issue found by sthen@ with "proto etherip"
OK sthen@ benno@
|
|
|
|
|
|
|
|
|
|
|
|
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@
|
|
-static for NFS-over-IPsec that might mount the libraries after /usr.
The benefit of linking iked dynamic outweighs the historic reason, eg.
to get full address space randomization and to benefit from libcrypto
updates, so we turn it into a dynamic binary.
OK deraadt@ naddy@
|
|
Confirmed by markus@ with an identical diff
|
|
|
|
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.
|
|
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
|
calls on pf data to explicit_bzero().
ok mikeb@
|
|
with Curve448). And we already support it. Mention it here to update
the Id when it was assigned by IANA.
|
|
assigned an official ID 28 for it. This is good news, and we should
really support it as well. Just add the ID for now.
Discussed with mikeb@
|
|
minimum out there. Even El Capitan announces 3DES and SHA1 instead of MD5.
OK mikeb@
|
|
This fixes EAP (user-based auth) with IKEv2 in El Capitan.
OK mikeb@
|
|
if no CERTREQ were received. In conjunction with the previous iOS9 interop fix,
this may fix an interop problem seen by Denis Lapshin with BlackBerry OS 10.3.1
and one of a number with firebrick.co.uk's IKEv2 implementation diagnosed by
their developer Cliff Hones. ok reyk@
|
|
CERTREQ but a CERT, respond with a local CERT that was selected based
on our own policy instead of leaving it out. This seems to be valid
with the RFC that makes the CERTREQ optional and allows to ignore it
or to apply an own policy.
OK mikeb@ sthen@
|
|
ok mikeb@
|
|
OK mikeb@
|
|
|
|
|
|
This repairs setup of SPD flows that specify port only on the one
side of the from-to specification.
ok markus
|
|
ok mikeb
|
|
(e.g. the policy might be used-after-free on 'ikectl reconfig')
ok mikeb@
|
|
Reported by trondd at kagu-tsuchi ! com, thanks!
|
|
Pointed out by Markus Elfring
OK mikeb@ millert@
|
|
With help and ok from mikeb@
|
|
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@
|
