Age | Commit message | Author |
|
not valid during phase 2.
From Dirk Mast <condor2k at googlemail dot com>, thanks!
ok markus@
|
|
detached addresses. bind(2) will not allow this. ok hshoexer, fries
|
|
return NULL. This happens if isakmpd is configured for the other
address family. Add a NULL pointer check and initialize rv.
ok hshoexer
|
|
ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd
|
|
short for IPv6. Increase the buffer size from 80 to 200 where
appropriate. For the M command a buffer for 10 bytes is sufficient.
ok hshoexer@ mpf@ grunk@
|
|
instead of IPV6_ADDR_SUBNET where appropriate. Then isakmpd has
the same behaviour for IPv6 and IPv4.
ok markus@
|
|
option parsing. Found out the hard way by jdixon on ifstated.
ok sobrado@, jdixon@, millert@
|
|
each cmsg_len (i.e. msg_controllen = sum of CMSG_ALIGN(cmsg_len)). This
works now that kernel fd passing has been fixed to accept a bit of
sloppiness because of this ABI repair.
lots of discussion with kettenis
|
|
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because
of alignment; ok kettenis hshoexer
|
|
an extensive discussion with otto, kettenis, millert, and hshoexer
|
|
ok deraadt
|
|
<mitja at muzenic dot net>, diff provided already quite some time ago,
many many thanks. This should have gone in months ago but I was slacking,
sorry for that.
|
|
From Igor Zinovik <zinovik@cs.karelia.ru>
ok hshoexer@
|
|
glitch introduced by previous commit.
ok markus@
|
|
is not passed over NFS (unless readdir+ is used). fixes pr 5557
with and ok hshoexer@
|
|
Cisco IOS and other initiators that only send their certs in response
to CERT_REQUEST.
With input and help from cloder@, Stuart Henderson, mpf@, and several
others who did lots of testing - thanks to all.
ok hshoexer@
|
|
zinovik@cs.karelia.ru. Thanks!
|
|
ok millert
|
|
have to expose the node to the outside.
Without this, conf_trans_node() created a node, linked it into the
conf_trans queue and returned it to the caller. If something failed
in one of the callers, the half-initialized node would still be
linked in the queue and could get accessed later on.
ok hshoexer@
|
|
ok and prodding @jmc
|
|
level 30. This was a huge cause of log spam at level 30 and below, and is
really not that useful.
|
|
mismatch without any log message stating so. This diff makes sure that
all phase 1 negotiation failures due to proposal attribute mismatch are
logged. Also change these messages from LOG_NEGOTIATION debug level 70 to
always be logged (not just with debug).
General idea OK hshoexer, tested here in production.
|
|
ok jmc@ mpf@
|
|
both meaningless and harmless. ("nat_t_check_vendor_payload: bad size")
ok todd
|
|
so we do not leak memory.
ok hshoexer@
|
|
Otherwise we leak memory.
ok ho@
|
|
since free(NULL) is just fine.
ok hshoexer@
|
|
NAT-T is used. Solves problems with cisco and openswan.
Tested by todd@ (cisco interop), ok ho@
Original fix with Stefan Roth (stefan dot roth at siemens dot com),
thanks!
|
|
ok hshoexer@
|
|
which already adds the errno string.
o Avoid closing fd, if it's -1.
o Don't replace illegal paths with /dev/null in
m_priv_local_sanitize_path(). All callers skip it
anyways, in the failure case.
ok hshoexer@
|
|
since it will automatically be appended.
ok hshoexer@
|
|
with signal 1, since there's no signal 0.
ok hshoexer@
|
|
if INSECURE_RAND is defined.
ok hshoexer@
|
|
just specifies the values to be used. However, the specifications
are called "LIFE_MAIN_MODE" and "LIFE_QUICK_MODE".
ok ho@ jmc@
|
|
key_from_printable() are not fooled into using it
afterwards.
OK hshoexer@
|
|
with CACert certificates) so don't require the reported length to be
exactly equal to the length of the data, but accept it if it's <=
the length of the data (i.e. we just use the first alt name). The
purpose of the check is to make sure we don't try to read beyond the
data we actually have.
ok cloder@ hshoexer@
|
|
by message_add_payload(), since we are no longer responsible for it.
ok cloder@ hshoexer@ moritz@
|
|
ipsec.conf users do not want to run isakmpd -a unless they are
messing with manual flows;
closes documentation/5399, from sthen
original diff and feedback from sthen
ok hshoexer
|
|
a trailing '\n'.
suggested by and ok deraadt@, jmc@
|
|