src - OpenBSD base system

Age	Commit message (Collapse)	Author
2007-06-02	safer snprintf construct with more paranoid length calculation	Peter Valchev
	ok millert
2007-06-01	Let conf_trans_node() set all parts of the node, so that we don't	Moritz Jodeit
	have to expose the node to the outside. Without this, conf_trans_node() created a node, linked it into the conf_trans queue and returned it to the caller. If something failed in one of the callers, the half-initialized node would still be linked in the queue and could get accessed later on. ok hshoexer@
2007-05-31	convert to new .Dd format;	Jason McIntyre

2007-05-27	Don't include sys/mbuf.h it is not needed. OK mcbride@ msf@	Claudio Jeker

2007-05-23	Get rid of some obsolete exampels.	Hans-Joerg Hoexer
	ok and prodding @jmc
2007-05-07	Bump crypto buffer logging (before crypto/after crypto) to level 70 from	Chad Loder
	level 30. This was a huge cause of log spam at level 30 and below, and is really not that useful.
2007-05-07	It was possible for phase 1 negotiation to fail due to lifetime duration	Chad Loder
	mismatch without any log message stating so. This diff makes sure that all phase 1 negotiation failures due to proposal attribute mismatch are logged. Also change these messages from LOG_NEGOTIATION debug level 70 to always be logged (not just with debug). General idea OK hshoexer, tested here in production.
2007-05-07	Document "M active\|passive" ui command.	Joel Knight
	ok jmc@ mpf@
2007-05-05	Kill a log message which looks like an error message but is actually	Chad Loder
	both meaningless and harmless. ("nat_t_check_vendor_payload: bad size") ok todd
2007-04-22	Free allocated node in conf_set_now() before failing,	Moritz Jodeit
	so we do not leak memory. ok hshoexer@
2007-04-22	Use conf_free_list() after calling conf_get_list().	Moritz Jodeit
	Otherwise we leak memory. ok ho@
2007-04-16	There's no point in checking ptr for NULL before doing free(ptr)	Moritz Jodeit
	since free(NULL) is just fine. ok hshoexer@
2007-04-15	Fix interop-issue with vpn peers that start reyking on port 4500 when	Hans-Joerg Hoexer
	NAT-T is used. Solves problems with cisco and openswan. Tested by todd@ (cisco interop), ok ho@ Original fix with Stefan Roth (stefan dot roth at siemens dot com), thanks!
2007-04-08	Fix lint comments. s/Fall through/FALLTHROUGH/.	Moritz Jodeit
	ok hshoexer@
2007-04-08	o Kill another strerror() from a call to log_error(),	Moritz Jodeit
	which already adds the errno string. o Avoid closing fd, if it's -1. o Don't replace illegal pathes with /dev/null in m_priv_local_sanitize_path(). All callers skip it anyways, in the failure case. ok hshoexer@
2007-04-02	Don't append the errno string in a log_error() call,	Moritz Jodeit
	since it will be automatically be appended. ok hshoexer@
2007-04-02	When setting all signals to their default handlers, start	Moritz Jodeit
	with signal 1, since there's no signal 0. ok hshoexer@
2007-04-02	Don't let -r fall through to the next case block,	Moritz Jodeit
	if INSECURE_RAND is defined. ok hshoexer@
2007-03-26	typo in initial RCS tag ($OpenBSD: -> $OpenBSD$)	Pedro Martelletto

2007-03-18	Fix usage of predefined lifetimes. "Default-phase-[12]-lifetime"	Hans-Joerg Hoexer
	just specifies the values to be used. However, the specifications are called "LIFE_MAIN_MODE" and "LIFE_QUICK_MODE". ok ho@ jmc@
2007-03-05	Set pointer to NULL after freeing it, so callers of	Moritz Jodeit
	key_from_printable() are not fooled into using it afterwards. OK hshoexer@
2007-03-03	There may be more than one item in the subjectAltName (cropping up	Tom Cosgrove
	with CACert certificates) so don't require the reported length to be exactly equal to the length of the data, but accept it if it's <= the length of the data (i.e. we just use the first alt name). The purpose of the check is to make sure we don't try to read beyond the data we actually have. ok cloder@ hshoexer@
2007-03-03	keynote_cert_obtain should not leak in case of error. OK moritz@	Chad Loder

2007-03-03	Make sure we can't accidentally free() a pointer that's been accepted	Tom Cosgrove
	by message_add_payload(), since we are no longer responsible for it. ok cloder@ hshoexer@ moritz@
2007-03-01	improve the description of -a. specifically, make it clear that	Jason McIntyre
	ipsec.conf users do not want to run isakmpd -a unless they are messing with manual flows; closes documentation/5399, from sthen original diff and feedback from sthen ok hshoexer
2007-02-22	Add a comment that explains, why the VID of draft 2 NAT-T includes	Hans-Joerg Hoexer
	a traling '\n'. suggested by and ok deraadt@, jmc@
2007-02-19	tweak;	Jason McIntyre

2007-02-19	Document NULL encryption.	Hans-Joerg Hoexer

2007-02-19	isakmpd bits for ESP+NULL encryption. This is useful, when AH can	Hans-Joerg Hoexer
	not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
2006-12-05	plug memleak, noticed by jesus@mxtelecom.com	Hans-Joerg Hoexer
	ok moritz@, tested by jesus@mxtelecom.com (thanks!)
2006-12-05	some carp/sasyncd bits from msf and myself;	Jason McIntyre
	ok mpf
2006-12-05	Don't leak message structures, when we see unsupported payloads	Moritz Jodeit
	or if the payload node allocation fails. Also adjust a comment to make it more clear, who's responsible for freeing the message structs. Input from cloder@. OK hshoexer@
2006-11-30	new ui command 'rmv': removes an entry from a list, thus reversing an	Markus Friedl
	'add' operation; ok ho, hshoexer, jmc eVS: ----------------------------------------------------------------------
2006-11-29	no need to document generation of local.key 3 times;	Jason McIntyre
	spotted by mcbride, ok hshoexer;
2006-11-29	zap trailing spaces;	Jason McIntyre

2006-11-29	Document the new location of local.pub, and clarify the fact that local.key	Ryan Thomas McBride
	contains the entire keypair. ok deraadt jmc
2006-11-28	do not re-add existing entries; ok hshoexer	Markus Friedl

2006-11-24	add support to tag ipsec traffic belonging to specific IKE-initiated	Reyk Floeter
	phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
2006-11-09	support public keys w/o SubjectPublicKeyInfo (format: BEGIN RSA PUBLIC KEY)	Markus Friedl
	ok ho, hshoexer
2006-10-29	Fix TAILQ usage, preventing crashes	Pedro Martelletto
	Okay henning@ krw@ millert@ hshoexer@
2006-10-18	do not name FILE * variables "fd" since it is confusing	Theo de Raadt

2006-10-05	Reword sentence to fix grammar nit.	Tom Cosgrove
	ok jmc@
2006-09-19	Use S_IS* macros insted of masking with S_IF* flags. The latter may	Otto Moerbeek
	have multiple bits set, which leads to surprising results. Spotted by/partly from Paul Stoeber, more to come. ok ho@ miod@ hshoexer@
2006-09-15	Remove "Delete-SAs" config option. This was needed for interaction	Hans-Joerg Hoexer
	with sasyncd(8). Now sasyncd(8) controls isakmpd(8) regarding SA deletion so this option is obsolete. ok mpf jmc
2006-09-09	point people towards ipsec.conf.5; after some discussion w/ reyk	Jason McIntyre
	ok hshoexer reyk
2006-09-01	use shell-independent examples;	Jason McIntyre

2006-09-01	Add a new UI command to force isakmpd into passive only mode.	Marco Pfatschbacher
	Will be used by sasyncd to prevent two talking isakmpd's in an HA setup. Based on a diff by ho@. OK ho@, hshoexer@, deraadt@
2006-08-31	document an issue with subjectAltName found by reyk;	Jason McIntyre
	ok hshoexer ho reyk
2006-08-31	remove a confusing sentence; ok hshoexer ho	Jason McIntyre

2006-08-30	fix isakmpd -Ka, as used by bgpd, or acquire flows set up via ipsecctl.	Henning Brauer
	acquire flows need to be recorded on the fly via connection_record_passive(), otherwise later lookups fail and the policy check fails. ok hshoexer ho markus msf deraadt