src - OpenBSD base system

Age	Commit message (Collapse)	Author
2015-07-07	repair policy-ikesa-linking by replacing the broken RB_TREE w/TAILQ	Markus Friedl
	(e.g. the policy might be used-after-free on 'ikectl reconfig') ok mikeb@
2015-07-03	Terminate 'config' keyword array with a NULL element.	Mike Belopuhov
	Reported by trondd at kagu-tsuchi ! com, thanks!
2015-06-11	Use "compliant" header guards by avoiding the reserved '_' namespace.	Reyk Floeter
	Pointed out by Markus Elfring OK mikeb@ millert@
2015-06-05	Fix coupling and decoupling operations.	vgross
	With help and ok from mikeb@
2015-06-03	Do not assume that asprintf() clears the pointer on failure, which	Todd C. Miller
	is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
2015-03-26	initial support for RFC 7427 signatures, so we are no longer	Markus Friedl
	restricted to SHA1 for RSA signatures. ok mikeb@
2015-02-28	Reduce usage of predefined strings in manpages.	Anthony J. Bentley
	Predefined strings are not very portable across troff implementations, and they make the source much harder to read. Usually the intended character can be written directly. No output changes, except for two instances where the incorrect escape was used in the first place. tweaks + ok schwarze@
2015-02-15	convert bcmp to memcmp	Ted Unangst
	ok doug millert miod
2015-02-08	Use AI_ADDRCONFIG when resolv hosts on startup.	Reyk Floeter
	OK henning@
2015-02-06	unneeded getopt.h	Theo de Raadt

2015-01-19	Remove unnecessary <netinet/ip_ipsp.h> includes	Mike Belopuhov

2015-01-16	Replace <sys/param.h> with <limits.h> and other less dirty headers where	Theo de Raadt
	possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
2015-01-15	tell the truth about DES.	Igor Sobrado
	joint work with djm@ and jsing@ ok djm@
2015-01-12	Don't forget about protocol specification when configuring flows.	Mike Belopuhov
	Tested by and OK claudio.
2015-01-02	PFS stands for Perfect Forward Secrecy.	Igor Sobrado
	ok reyk@
2014-12-16	Replace setpgrp(0, getpid()) with setpgid(0, 0). OK deraadt@ tedu@	Todd C. Miller

2014-12-05	Store return value of i2d_X509_NAME in a signed integer to make	Mike Belopuhov
	sure the negative error gets treated correctly and doesn't get accidentally promoted to a huge unsigned value. From Pedro Martelletto, thanks! OK reyk
2014-12-05	Specify correct number of iovecs when sending replies to the ikev2 proc	Mike Belopuhov
	Crash reported and fix tested by Vincent Gross <dermiste at kilob ! yt>; patch from Pedro Martelletto, thanks!
2014-12-03	Init SPI using arc4random_buf, rather than (r << 32) \| r	Theo de Raadt
	ok matthew
2014-11-20	Don't allow embedded nul characters in strings.	Jonathan Gray
	Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer. pfctl parse.y patch from and ok deraadt@
2014-11-20	remove nt and lanman functions which aren't used. ok reyk yasuoka	Ted Unangst

2014-11-14	Add gcc printf format attributes to iked's parse.y and remove unused	Doug Hogan
	yywarn() definition. ok bluhm@
2014-11-10	tweak previous; ok mikeb	Jason McIntyre
	plus a macro fix while here...
2014-11-10	copy pubkey section from isakmpd(8); ok reyk	Mike Belopuhov

2014-11-07	Fixup a few problems with EAP state transition	Mike Belopuhov
	First of all we don't need to satisfy valid EAP state flags for IKEV2_STATE_EAP as it's an initial EAP exchange state. Then when waiting for the "ca" process to construct our AUTH payload we need to bail while sa_localauth is not available. With this change Win7 is able to establish the the tunnel again. ok markus
2014-11-07	Run eap_parse on the actual message and only when the length is right	Mike Belopuhov

2014-11-07	Repair initiator with PSK auth	Mike Belopuhov
	Attempt state transition to VALID (or EAP_VALID) in the ikev2_ike_auth after we have completed authentication synchronously (PSK) or asynchronously (X.509 and RSA) eliminating the need to do so in multiple places and restoring the correct order for PSK. ok markus
2014-10-29	convert simple cases of select() to poll()	Theo de Raadt
	ok doug
2014-10-25	Remove unnecessary netinet/in_systm.h include.	Lawrence Teo
	ok millert@
2014-10-18	Simple malloc() to reallocarray() conversion to potentially avoid integer	Doug Hogan
	overflow. ok deraadt@
2014-10-12	DH_compute_key() returns -1 on error but this was not	Jonathan Gray
	handled by testing the result with a negation. Ralf Horstmann discovered iked would segfault when connecting from Strongswan on Android because of this and supplied the patch to fix the problem. ok reyk@
2014-10-08	trivial use of reallocarray()	Theo de Raadt

2014-08-27	Add support for Curve25519 using the public domain code that is found	Reyk Floeter
	in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently. OK mikeb@ markus@
2014-08-25	Add support for DH groups 27-30 using the Brainpool curves which have	Reyk Floeter
	previously been added to LibreSSL's libcrypto. ok markus@ mikeb@
2014-08-25	Delete secret or secret-derived data with explicit_bzero.	Doug Hogan
	concept ok deraadt@ diff looks ok tedu@
2014-08-18	Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it	Reyk Floeter
	now instead of terminating the process. ok mikeb@
2014-08-05	Fix an example, nat-to requires to specify the "out" direction in pf rules.	Reyk Floeter
	From "Vigdis" via misc@ can go in deraadt@
2014-07-12	Sync msgbuf_write() changes from relayd.	Reyk Floeter
	Please note that proc.c should be kept identical in relayd, iked and snmpd (currently without the includes). ok benno@
2014-07-10	add additional includes required to build with -DOPENSSL_NO_DEPRECATED	Jonathan Gray
	ok reyk@
2014-07-09	expire IPcomp SAs too; ok mikeb (some time ago)	Markus Friedl

2014-06-03	Handle the event parameter of libevent callback function as a bit	YASUOKA Masahiko
	mask. Also remove redundant imsg_event_add calls. Fixes come from usr.sbin/ospfd/control.c ok reyk
2014-05-13	pass SA initiator not the exchange initator to sa_address(); ok mikeb@	Markus Friedl

2014-05-09	get rid of redundant {csa,flow}_{src,dst}id pointers, so we don't need	Markus Friedl
	to update it on rekey (fixes use-after-free); ok mikeb@
2014-05-09	replace iked_transform pointer with xform id, since target of pointer	Markus Friedl
	might be freed (e.g. on ike sa rekey); ok mikeb@
2014-05-08	match iked proc.c infrastructure with proc.c	Bret Lambert
	ok reyk@
2014-05-07	try postponed requests first, so we do in-order processing; ok mikeb@	Markus Friedl

2014-05-07	print msgid for debugging; ok reyk & mikeb	Markus Friedl

2014-05-07	make authentication work with X509 certificates that don't have a	Markus Friedl
	subject-altname, i.e. support IKEV2_ID_ASN1_DN correctly; feedback & ok mikeb@
2014-05-07	factor out ikev2_ike_auth() (state machine; used multiple times via callbacks)	Markus Friedl
	from ikev2_ike_auth_recv() code (message parsing; used once); ok mikeb@
2014-05-06	change the create-child-sa responder code, so it does not store any	Markus Friedl
	state in the ikesa structure. this way we can initiate a create-child-sa and process requests for the peer at the same time. ok mikeb@