Age | Commit message | Author | |
---|---|---|---|
2007-03-26 | typo in initial RCS tag ($OpenBSD: -> $OpenBSD$) | Pedro Martelletto | |
2007-03-18 | Fix usage of predefined lifetimes. "Default-phase-[12]-lifetime" | Hans-Joerg Hoexer | |
just specifies the values to be used. However, the specifications are called "LIFE_MAIN_MODE" and "LIFE_QUICK_MODE". ok ho@ jmc@ | |||
2007-03-05 | Set pointer to NULL after freeing it, so callers of | Moritz Jodeit | |
key_from_printable() are not fooled into using it afterwards. OK hshoexer@ | |||
2007-03-03 | There may be more than one item in the subjectAltName (cropping up | Tom Cosgrove | |
with CACert certificates) so don't require the reported length to be exactly equal to the length of the data, but accept it if it's <= the length of the data (i.e. we just use the first alt name). The purpose of the check is to make sure we don't try to read beyond the data we actually have. ok cloder@ hshoexer@ | |||
2007-03-03 | keynote_cert_obtain should not leak in case of error. OK moritz@ | Chad Loder | |
2007-03-03 | Make sure we can't accidentally free() a pointer that's been accepted | Tom Cosgrove | |
by message_add_payload(), since we are no longer responsible for it. ok cloder@ hshoexer@ moritz@ | |||
2007-03-01 | improve the description of -a. specifically, make it clear that | Jason McIntyre | |
ipsec.conf users do not want to run isakmpd -a unless they are messing with manual flows; closes documentation/5399, from sthen original diff and feedback from sthen ok hshoexer | |||
2007-02-22 | Add a comment that explains, why the VID of draft 2 NAT-T includes | Hans-Joerg Hoexer | |
a trailing '\n'. suggested by and ok deraadt@, jmc@ | |||
2007-02-19 | tweak; | Jason McIntyre | |
2007-02-19 | Document NULL encryption. | Hans-Joerg Hoexer | |
2007-02-19 | isakmpd bits for ESP+NULL encryption. This is useful, when AH can | Hans-Joerg Hoexer | |
not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks! | |||
2006-12-05 | plug memleak, noticed by jesus@mxtelecom.com | Hans-Joerg Hoexer | |
ok moritz@, tested by jesus@mxtelecom.com (thanks!) | |||
2006-12-05 | some carp/sasyncd bits from msf and myself; | Jason McIntyre | |
ok mpf | |||
2006-12-05 | Don't leak message structures, when we see unsupported payloads | Moritz Jodeit | |
or if the payload node allocation fails. Also adjust a comment to make it more clear, who's responsible for freeing the message structs. Input from cloder@. OK hshoexer@ | |||
2006-11-30 | new ui command 'rmv': removes an entry from a list, thus reversing an | Markus Friedl | |
'add' operation; ok ho, hshoexer, jmc | |||
2006-11-29 | no need to document generation of local.key 3 times; | Jason McIntyre | |
spotted by mcbride, ok hshoexer; | |||
2006-11-29 | zap trailing spaces; | Jason McIntyre | |
2006-11-29 | Document the new location of local.pub, and clarify the fact that local.key | Ryan Thomas McBride | |
contains the entire keypair. ok deraadt jmc | |||
2006-11-28 | do not re-add existing entries; ok hshoexer | Markus Friedl | |
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated | Reyk Floeter | |
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | |||
2006-11-09 | support public keys w/o SubjectPublicKeyInfo (format: BEGIN RSA PUBLIC KEY) | Markus Friedl | |
ok ho, hshoexer | |||
2006-10-29 | Fix TAILQ usage, preventing crashes | Pedro Martelletto | |
Okay henning@ krw@ millert@ hshoexer@ | |||
2006-10-18 | do not name FILE * variables "fd" since it is confusing | Theo de Raadt | |
2006-10-05 | Reword sentence to fix grammar nit. | Tom Cosgrove | |
ok jmc@ | |||
2006-09-19 | Use S_IS* macros instead of masking with S_IF* flags. The latter may | Otto Moerbeek | |
have multiple bits set, which leads to surprising results. Spotted by/partly from Paul Stoeber, more to come. ok ho@ miod@ hshoexer@ | |||
2006-09-15 | Remove "Delete-SAs" config option. This was needed for interaction | Hans-Joerg Hoexer | |
with sasyncd(8). Now sasyncd(8) controls isakmpd(8) regarding SA deletion so this option is obsolete. ok mpf jmc | |||
2006-09-09 | point people towards ipsec.conf.5; after some discussion w/ reyk | Jason McIntyre | |
ok hshoexer reyk | |||
2006-09-01 | use shell-independent examples; | Jason McIntyre | |
2006-09-01 | Add a new UI command to force isakmpd into passive only mode. | Marco Pfatschbacher | |
Will be used by sasyncd to prevent two talking isakmpd's in an HA setup. Based on a diff by ho@. OK ho@, hshoexer@, deraadt@ | |||
2006-08-31 | document an issue with subjectAltName found by reyk; | Jason McIntyre | |
ok hshoexer ho reyk | |||
2006-08-31 | remove a confusing sentence; ok hshoexer ho | Jason McIntyre | |
2006-08-30 | fix isakmpd -Ka, as used by bgpd, or acquire flows set up via ipsecctl. | Henning Brauer | |
acquire flows need to be recorded on the fly via connection_record_passive(), otherwise later lookups fail and the policy check fails. ok hshoexer ho markus msf deraadt | |||
2006-08-30 | rewording; from reyk cloder hshoexer | Jason McIntyre | |
ok ho | |||
2006-08-30 | need to retry writing to pfkey socket on EAGAIN, ok theo hshoexer | Henning Brauer | |
2006-08-30 | Make SA deletion on shutdown the default again. Use -S for failover | Hans-Joerg Hoexer | |
situations where you do not want this. Discussed and agreed on with ho, mcbride, markus, cloder,... We will have to teach sasyncd to deal with this. Testing by msf and hshoexer with help from mtu ok markus cloder | |||
2006-08-30 | Back out r1.103, which caused SA's to leak until memory was exhausted. | Chad Loder | |
OK hshoexer, nathanael, mpf, "get that in" deraadt | |||
2006-08-30 | do not call pf_key_v2_disable_sa twice; ok hshoexer, ho | Markus Friedl | |
2006-08-29 | Properly define quick mode suites for AH. With naddy. | Hans-Joerg Hoexer | |
ok ho | |||
2006-08-22 | correct function name in log message. | Hans-Joerg Hoexer | |
2006-07-24 | Style; return is not a function. hshoexer@ ok. | Hakan Olsson | |
2006-07-02 | Let isakmpd send out a vendor ID announcing isakmpd's release version. | Hans-Joerg Hoexer | |
Will be handy for release specific bug fixes, etc. Suggested by markus@ quite some time ago. ok markus@ | |||
2006-06-29 | Document that pcap files can only be written to the /var/run directory. | Hans-Joerg Hoexer | |
2006-06-18 | clean up some gotos. Originally from Andrey Matveev <evol at online | Hans-Joerg Hoexer | |
dot ptt dot ru>. Ok and help moritz@ | |||
2006-06-17 | Do not leak file descriptor in error path. From Andrey Matveev | Hans-Joerg Hoexer | |
<evol at online dot ptt dot ru>, thanks! | |||
2006-06-14 | indentation. | Hans-Joerg Hoexer | |
2006-06-11 | Document AESCTR for quick mode and SHA2-* for main mode. Help by jmc. | Hans-Joerg Hoexer | |
ok jmc@ | |||
2006-06-11 | tweaks; | Jason McIntyre | |
2006-06-10 | Document -S and the "Delete-SAs" tag. Those will enable SA deletion | Hans-Joerg Hoexer | |
on shutdown. | |||
2006-06-10 | Make deletion of SAs on shutdown optional. The default behaviour | Hans-Joerg Hoexer | |
now is to not delete SAs. Needed for reliable ipsec failover. Suggested by mtu@. Moreover, this ensures that packets do not leak when isakmpd is shut down. ok mcbride@, testing mtu@ | |||
2006-06-10 | Allow isakmpd to use a different private rsa key per isakmp ID. Hans wrote | Mathieu Sauve-Frankel | |
this a long time ago, I synced it to -current and tested. ok hshoexer@ |