Age | Commit message | Author
then self-sign it rather than using the "openssl req" shortcut. This allows
us to specify -extfile and thus set the correct certificate extensions so
that stricter SSL implementations will trust this as a CA cert, and matches
how things are done in ssl(8). This is basically a partial revert of r1.77.
Researched by chrisz@, tweak/ok jmc@ ok beck@
ok millert@
ok mikeb
fundamentally broken.
ok jsing mikeb
Careful second audit by millert
multiple IPsec SAs in NAT-T case.
This fixes a problem where L2TP/IPsec connections are disconnected
improperly when multiple Windows clients are connected from behind
one NAT.
ok markus
ok mikeb
tweaks/ok jmc@
pointer or non-const array, as that minimizes the symbols, maximizes the
placement into read-only memory, and avoids warnings from gcc -Wformat=2
when they're used as format strings.
ok deraadt@
No functional change.
ok millert sthen
ok mikeb
ok deraadt@
okay krw@
report from Thomas Proell/Siemens ProductCERT; fix from hshoexer; ok mikeb
Most of the patch from Arto Jonsson <ajonsson at kapsi dot fi>.
jmc@ agrees in principle that .Lk is the right macro to use.
While here, update a few broken links,
and add missing markup at a few places.
lteo@ noticed that ipsecctl allowed them within the ike rules
while isakmpd failed to load the generated configuration.
The fix was verified by hshoexer, ok naddy
ok mikeb@
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@
It is going to get removed from libc and this file is the only
one using it.
discussed with deraadt@ guenther@
ok deraadt@
uses the FQDN type in NAT-T with transport mode.
ok markus
flow instead of the ID payload. This will fix part of the problems with
L2TP/IPsec from NAT'd clients.
ok markus@
tested by markus@ and myself.
isakmpd.8: rsa:1024 -> rsa:2048 (ok markus)
all: X509 -> X.509
from Lawrence Teo
ok mikeb@
the standard OpenBSD-style parse.y handle continuing lines with backslashes,
paying particular attention to how comments are handled (which can cause
nasty side-effects if you're not expecting it).
Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey,
patrick keshishian and Florian Obser, ok jmc@.
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.
Fixes PR 6601, tested by Pawel Wieleba, sthen, otto.
Huge thanks to Pawel for spending nearly a week testing diffs.
ok sthen
ok sthen
ok sthen@ markus@
Previously, a specific check was made for any -D log option being
used and, if so, *no* -v log entries are made, losing potentially
useful log entries. ok lum@
for chars.
routing domain.
While here, update comment on what the ioctl is used for (from sthen@).
OK mikeb@, sthen@
number. Without this, isakmpd deletes SAs from the same IP on an
INITIAL-CONTACT message, possibly deleting unrelated NATed tunnels.
Fixes PR 5562. Verified by Mikolaj Kucharski.
ok mikeb@
ok mikeb@, djm@
blambert, ok jsg, "seems ok" todd
so, copy a small bit of logic to make DPD interop with FortiGate function
tested by me, ok mikeb@, silence from 'the usual suspects'
telnet portion partially from the latest heimdal.
ok mikeb@
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
ok naddy
from mikeb
the smaller implementation from iked that is using libcrypto instead.
This allows us to remove a lot of code (which is always good), get rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows sharing the dh.c/dh.h code between different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).
ok deraadt@
ok reyk
for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8)
is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8)
and not worked on, but maybe in the future - I want to get IKEv2 support
first done right. So keep on using isakmpd(8) for IKEv1 for now...
ok deraadt@
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.
ok ho@ mpf@ krw@ sthen@ kjell@