Age | Commit message (Collapse) | Author |
|
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
|
|
|
|
DES is insecure since brute force attacks are practical due to its
short key length.
This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
|
|
|
|
|
|
|
ok deraadt@
|
|
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@
|
|
|
|
|
|
This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.
No objections from reyk and hshoexer, with and OK markus.
|
|
Predefined strings are not very portable across troff implementations,
and they make the source much harder to read. Usually the intended
character can be written directly.
No output changes, except for two instances where the incorrect escape
was used in the first place.
tweaks + ok schwarze@
|
|
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
|
joint work with djm@ and jsing@, who suggested stronger words warning people
away from single-DES.
ok djm@
|
|
ok reyk@
|
|
support.
|
|
ok deraadt@ tedu@
|
|
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
|
characters.
ok sthen@ naddy@ markus@
|
|
|
|
this was missed when unifying text in the other parse.y parsers (see e.g.
pf.conf.5 r1.495). Noticed in a misc@ post by zeloff at zeloff/org.
|
|
|
|
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
|
found by millert@, ok deraadt@
|
|
Careful second audit by millert
|
|
From: Arto Jonsson <ajonsson at kapsi.fi>
|
|
names in ike_section_p2 applies to phase-1 transforms as well.
|
|
man4 still to go...
|
|
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@
|
|
does not include a "," character. ok otto@
|
|
Only using p1name or p2name as a transform identifier (as in rev 1.74)
breaks setups that allow multiple transforms for a connection, e.g. in
ike passive esp from any to 1.1.1.1 quick enc aes-128
ike passive esp from any to 1.1.1.1 quick enc aes-192
the aes-128 will be overwritten. ok and feedback mikeb@
|
|
Tweaked from his fix and ok mikeb@
|
|
"several."
Note: if anyone adds support for more unit specifiers in the future,
please change this back to "several" (instead of using an exact number)
so that it matches the iked.conf(5) man page. :)
While here, fix a typo in the quick mode section: "phase 1 lifetime" ->
"phase 2 lifetime"
ok mikeb sthen jmc haesbaert henning
|
|
|
|
to specify extended options like SA Lifetime. All the hard work was
done by lteo@, while naddy@ and me have made sure that defaults and
AH still work; sthen and jmc have looked over the diffs as well.
|
|
ok mikeb naddy sthen; procedures ok henning
|
|
ok mikeb sthen haesbaert henning
|
|
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for
completeness sake.
ok mikeb@
|
|
|
|
keyword in the grammar to create a esn-enabled rule (no reason to
do so for manual sa configuration). instead decode sa flags so
that we can also watch changes happening in the realtime with the
monitor mode. prompted and ok by naddy
|
|
ok mikeb@
|
|
|
|
characters;
prompted by a diff from robert peichaer org
thanks gilles and henning for feedback
ok deraadt zinke
|
|
ok miod@
|
|
|
|
|
|
- prevent an erroneous space in the formatting of -D
|
|
reminder to adjust synopsis and usage (again...)
|
|
command line, ok mikeb sthen
|
|
specifically, rewrite them to permit some markup in the column headers,
and use "Ta" instead of literal tabs; mandoc does not currently match groff
100%, but a mandoc fix may be some time off, and we've gone enough releases
with poorly formatting column lists.
in some cases i have rewritten the lists as -tag, where -column made
little sense.
|