| Age | Commit message (Collapse) | Author |
|---|
|
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
|
|
- show an example sed to substitute the $ENV::CERTIP/CERTFQDN strings
while copying /etc/ssl/x509v3.cnf to a temp file
- don't use /etc/ssl/x509v3.cnf on the command line when we've just
told people to copy and edit
- fix an instance of CERTIP that should have been CERTFQDN
based on diffs from Sevan Janiyan, feedback/ok jmc@
|
|
where the "wrong" #define was used.
ok dlg@
|
|
ok millert@ mpi@
|
|
the Listen-on directive in isakmpd.conf(5). This directive can be necessary
in multi-homed situations, and if isakmpd(8) is used with carp(4).
ok sthen@ mpi@
|
|
|
|
No object change.
|
|
Fix at least interoperability with Cisco when isakmpd(8) is initiating
the connections, originally reported by sebastia@ in 2014.
Refreshed diff from and ok hshoexer@, ok sthen@, ok remi@
|
|
From Scott Cheloha, ok tb@
|
|
also some minor tweaks while here...
|
|
Instead of the full point, only the X point is included.
The member g_xy is always the shared secret but so far its buffer has
been allocated using the size of the public points. Since this is a
different size now, as the shared secret for EC Groups should only store
the x point, we need another member to specify the length of g_xy.
Since this is a backwards incompatible change older isakmpds won't be
able to negotiate if you use EC groups. Bump the version of our own
vendor tag so peers can try to keep compatibility based on the presen-
ted tag. This could be used to implement backwards compatibility to
older isakmpds.
Prompted by and ok mpi@
|
|
ok visa@, markus@
|
|
`finalize' function with the `fail' argument when this happen.
Introduce some sanity checks in exchange_free() to be able to call if
even if the data structure isn't completely initialized.
Plug memory leaks when exchange_establish() fails. While here fix a
double free in one of the error paths.
Based on a diff from hshoexer@, ok stsp@, markus@
|
|
ok markus@
|
|
arguments to f_key_v2_connection_check().
The race can be triggered by sending SIGHUP to the daemon. Note that
this change do not fix the memory leak if exchange_establish() fails.
Reported by MichaÅ Koc.
ok hshoexer@, markus@, henning@
|
|
This deference can occur because sa_find() is called from a timer and
iterates over all existing `sa'. At that time the corresponding
`finalize_exchange' might not have been called, in which case it is
unsafe to dereference `src_net', `dst_net' & co.
Issue reported by MichaÅ Koc. ok hshoexer@, markus@
|
|
okay millert@
|
|
OK espie@
|
|
programs will build even without a make depend first.
okay tb@ millert@
|
|
Started by, and ok, deraadt@
|
|
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@
|
|
instead pull in <netinet/in.h> or <arpa/inet.h> when those are needed.
ok florian@ beck@ millert@
|
|
Brought up by doug@, ok reyk, djm, doug
|
|
if they precede the noun and omit hyphens otherwise.
ok tj
|
|
# If you have ElectricFence available, you can spot abuses of the heap."
Or, uhm you can simply use our malloc.
|
|
ok beck
|
|
ok deraadt@
|
|
Diff from Yuuichi Someya.
ok reyk markus
|
|
is when sanitising standard fd's before calling daemon().
Use a tweaked version of the ssh(1) function in all three places
found using fcntl() this way.
ok jca@ beck@
|
|
Feedback millert@ kettenis@
|
|
Base on diff from Yuuichi Someya
ok markus reyk mikeb
|
|
issue reported by igor.kos
(temporary) fix entirely provided by sthen
|
|
|
|
|
|
|
|
|
|
DES is insecure since brute force attacks are practical due to its
short key length.
This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
|
ok deraadt@
|
|
|
|
Like really, who does??!
|
|
malloc, calloc, realloc*
ok krw millert
|
|
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@
|
|
a fstat() call.
ok mikeb@ markus@
|
|
to the same policy is already active. OK markus, hshoexer
|
|
|
|
This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.
No objections from reyk and hshoexer, with and OK markus.
|
|
ok markus, hshoexer
|
|
ok doug millert miod
|
