| Age | Commit message (Collapse) | Author |
|---|
|
also some minor tweaks while here...
|
|
Makes it easier to check live status of complex setups.
ok hshoexer@
|
|
ok visa@, markus@
|
|
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@
|
|
|
|
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@
|
|
ok mikeb
|
|
print them by default.
OK hshoexer@
|
|
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@
|
|
with more modern TAILQ_FOREACH(). This what symget() was already
doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
|
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
|
|
|
|
DES is insecure since brute force attacks are practical due to its
short key length.
This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
|
|
|
|
|
|
|
ok deraadt@
|
|
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@
|
|
|
|
|
|
This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.
No objections from reyk and hshoexer, with and OK markus.
|
|
Predefined strings are not very portable across troff implementations,
and they make the source much harder to read. Usually the intended
character can be written directly.
No output changes, except for two instances where the incorrect escape
was used in the first place.
tweaks + ok schwarze@
|
|
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
|
joint work with djm@ and jsing@, who suggested stronger words warning people
away from single-DES.
ok djm@
|
|
ok reyk@
|
|
support.
|
|
ok deraadt@ tedu@
|
|
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
|
characters.
ok sthen@ naddy@ markus@
|
|
|
|
this was missed when unifying text in the other parse.y parsers (see e.g.
pf.conf.5 r1.495). Noticed in a misc@ post by zeloff at zeloff/org.
|
|
|
|
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
|
found by millert@, ok deraadt@
|
|
Careful second audit by millert
|
|
From: Arto Jonsson <ajonsson at kapsi.fi>
|
|
names in ike_section_p2 applies to phase-1 transforms as well.
|
|
man4 still to go...
|
|
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@
|
|
does not include a "," character. ok otto@
|
|
Only using p1name or p2name as a transform identifier (as in rev 1.74)
breaks setups that allow multiple transforms for a connection, e.g. in
ike passive esp from any to 1.1.1.1 quick enc aes-128
ike passive esp from any to 1.1.1.1 quick enc aes-192
the aes-128 will be overwritten. ok and feedback mikeb@
|
|
Tweaked from his fix and ok mikeb@
|
|
"several."
Note: if anyone adds support for more unit specifiers in the future,
please change this back to "several" (instead of using an exact number)
so that it matches the iked.conf(5) man page. :)
While here, fix a typo in the quick mode section: "phase 1 lifetime" ->
"phase 2 lifetime"
ok mikeb sthen jmc haesbaert henning
|
|
|
|
to specify extended options like SA Lifetime. All the hard work was
done by lteo@, while naddy@ and me have made sure that defaults and
AH still work; sthen and jmc have looked over the diffs as well.
|
|
ok mikeb naddy sthen; procedures ok henning
|
|
ok mikeb sthen haesbaert henning
|
|
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for
completeness sake.
ok mikeb@
|
|
|
|
keyword in the grammar to create a esn-enabled rule (no reason to
do so for manual sa configuration). instead decode sa flags so
that we can also watch changes happening in the realtime with the
monitor mode. prompted and ok by naddy
|
