Age | Commit message (Collapse) | Author |
|
|
|
This happens when there's only one component (e.g. "/foo"). This
bug has been present since June 1990 when it was committed to mountd.c
SCCS version 5.9.
Note: the bug is on the second changed line, the first line is changed
for visual consistency.
From CheriBSD via FreeBSD
ok millert@ deraadt@
|
|
Reminded by jmc
|
|
Add missing TPMR section to ifconfig(8) by moving the commands from the
driver's manual to it (copy/paste) and document the ioctl(2) interface in
tpmr(4).
Indenting tpmr's first EXAMPLE while here; from jmc.
OK jmc
|
|
tpmr is a trivial bridge and has no specific ioctls, so to distinguish
it from the rest we must rely on the interface name; assuming that it
is tpmr because neither is_bridge() nor is_switch() returns success is
not possible due to the way ifconfig is designed: it runs all *_status()
commands for all interface types.
OK dlg
|
|
This is to reduce duplicate code and prepare for bridge_status() to cover
all bridge like interfaces: bridge(4), switch(4) and tpmr(4).
OK dlg
|
|
DECLINE messages emitted when required options were missing did not contain the
address.
Reported via tech@ and fix tested by Dominik Schreilechner.
|
|
bridge_status() and switch_status() do the regular sanity check with
SIOCGIFFLAGS, but both functions also call is_switch() and bridge_status()
also calls is_bridge().
is_bridge() checks SIOCGIFFLAGS again, then both is_*() helpers finally do
driver specific ioctl(2) calls to test whether the given interface is
indeed a bridge(4) or a switch(4).
SIOCGIFFLAGS serves no purpose here and is taken care of in ifconfig.c's
getinfo(), so remove its calls from brconfig.c entirely.
OK dlg
|
|
Found thanks to bug report by Michael Scheibel <m.Scheibel (at) tuvit (dot) de>
ok patrick@, markus@, tb@
|
|
Complete the synopsis while here.
Feedback OK jmc
|
|
ok patrick@
|
|
OPT is misleading and usually refers to command line arguments to pfctl
ok sashan kn
|
|
|
|
First transport mode for child SAs was implemented, then a few
interoperability issues have been identified with peers other than iked,
now tobhe fixed pubkey (`rsa' ikeauth, default) usage based on this so this
"just works".
Feedback tobhe deraadt sthen
OK tobhe
|
|
If we rekey both the IKESA and a CHILDSA in a small time
window a strongswan peer might respond with a TEMPORARY_FAILURE
notification.
In this case we retry the rekey of the IKESA after a short
timeout and queue PFKEY expire messages (by returning -1 in
ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.
ok markus@
|
|
|
|
ok patrick@
|
|
Complete the description of "-s info -v" such that grepping for them
in the manual pager yields something.
Feedback jmc
OK sashan
|
|
|
|
ok markus@
|
|
From Larry Hynes via tech@.
|
|
|
|
ok kn@ patrick@
|
|
When using certificate authentication the CERT payload is mandatory and as the
name suggests is used to send a certificate containing a public key used for
the authentication signature.
For pubkey authentication the key is preshared and stored locally, but only
the 'ca' process can read the local keys. The 'ikev2' process had to get the
key from the received CERT payload to verify the authentication signature.
The peer ID + raw key was then forwarded to the 'ca' process which
compared the key against the contents of /etc/iked/pubkey and returned either
CERTVALID or CERTINVALID.
With this change a message containing only the ID may be sent from 'ikev2' to
the 'ca' process if CERT was not included. In this case the CA process will
try to find a local key matching the ID and return it to the 'ikev2' process.
The auth verification happens after the 'ca' process has verified or found a
key and returned it to the 'ikev2' process, eliminating the need for
the CERT payload.
Making CERTREQ optional is easier because we already have a fallback case if
the CERTREQ can not be fulfilled. If no CERTREQ was received we now use this
same fallback.
This should fix public key authentication interoperability with *swan and
other IKEv2 implementations.
ok and tested by kn@
ok patrick@
|
|
used by the processor chip. Although we have a SENSOR_WATTHOUR sensor
type its units are not really suitable for this sensor. So add a
SENSOR_ENERGY type that uses micro Joules as its unit.
ok deraadt@
|
|
ok patrick@
|
|
in phase one to be used in phase 5, unless we're tight on memory.
From FreeBSD; ok bket@
|
|
|
|
|
|
is properly cleaned up in ikev2_msg_retransmit_timeout().
ok patrick@
|
|
w/o using string functions on data that *MIGHT NOT* be NUL
terminated. Fiddle parse_domain_name_list() to avoid string functions
for the same reason.
Problem encountered by Jesper Wallin when running with
vm.malloc_conf=CFGJUR, although he later proved 'J' (more junking) was
the actual trouble maker.
|
|
ok patrick@
|
|
family and length field. This fixes route(8) to handle "::/0"
properly. Also fix "route add -inet 0.0.0.0 -prefixlen 0 (gateway)"
to work properly.
ok kn
|
|
This is the name the other BSDs use for this, there is no reason to
be different, the IPv6 RFCs call these addresses temporary, and some
software in ports wants to use this as well.
Most recently pointed out for firefox by landry.
OK claudio, sthen
|
|
|
|
|
|
OK florian@, kn@, millert@
|
|
IKEV2_CERT_X509_CERT.
|
|
parser aren't needed as they are checked at runtime during the handshake.
Moreover, these checks during startup of the daemon never worked
properly when dstid was not explicitly configured. The dstid depends
on the ID message payload which is only known after the initial handshake.
ok patrick@
|
|
|
|
|
|
naddy gave me a pointer in the right direction
ok millert@ deraadt@
looks good to matt dunwoodie
|
|
|
|
|
|
note that this links ifconfig with libcrypto to get at base64
encoding and decoding routines. I'm looking at an alternative way
to do that, so hopefully this is temporary.
secondly, note that all the wireguard stuff is under ifndef SMALL,
so the special build of ifconfig for install media does include
wireguard support, and also does not need libcrypto.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
|
|
ncg * ipg calculation can overflow if signed types are used. Move
to uint32_t for the relevant values. Aligned with FreeBSD changes.
Also make sure newfs refuses to create an fs with more than 2^32-1
inodes. ok millert@
|
|
ok patrick@
|
|
ok patrick@
|
|
|
|
ok patrick@
|