summaryrefslogtreecommitdiff
path: root/sbin
AgeCommit message (Collapse)Author
2018-01-04Comments and grammar use '_decl' so use _decl instead of _declarationKenneth R Westerback
in the names of the respective parsing functions.
2018-01-04space -> tabMartin Pieuchot
No object change.
2018-01-04parse_lease_time() is an unnecessary abstraction. Just useKenneth R Westerback
parse_number('L') since it is parsing unsigned 32bit integers.
2018-01-04We only parse decimal numbers, so parse_decimal() -> parse_number() toKenneth R Westerback
match grammar comments and improve euphony.
2018-01-02Add missing mouse type. Reported by bit shifter on misc@; ok bru@anton
2018-01-02More grammar comments improvements.Kenneth R Westerback
2018-01-01Tweak syntax comments into consistency and completeness.Kenneth R Westerback
2017-12-31Remove an unused variable and instruct lex not to produce the input() functionanton
since it's never used; ok guenther@
2017-12-23Since ikev2_init_recv() is supposed to only handle responses to anPatrick Wildt
exchange that we initiatiated, we are not allowed to respond to such a msg. Also we don't need the DH check in ikev2_sa_initiator_dh() as it's only called when we initiate, so the check would not run, or when we get a Create Child SA response, where an error should only lead to us having another attempt at an exchange. Found by and ok markus@
2017-12-20Always 'send' host-name, rather than relying on dhclient.conf to askKenneth R Westerback
for it. Removes the need to install a dhclient.conf for a default configuration. Install script simplification to follow. General enthusiasm. ok millert@ benno@ tom@ ian@
2017-12-18Stop inserting and paying attention to 'interface <if>;'Kenneth R Westerback
inside 'lease {}' declarations. We don't keep leases from multiple interfaces in dhclient.leases.<if> files. One less thing to parse and keep in memory. More rope for those wanting to do unspeakable things with their lease files.
2017-12-18Tighten /usr/local and /usr/X11R6 so that 8G disks still fit in our defaultAntoine Jacoutot
partitioning scheme. ok florian@ benno@
2017-12-17Further simplifY lease parsing. Fold add_lease() into read_lease_db(),Kenneth R Westerback
and move all lease parsing into parse_lease().
2017-12-16With leases no longer in dhclient.conf, rename a bunch ofKenneth R Westerback
functions and fields to more obvious names reflecting this separation.
2017-12-13Fix whitespace botch that snuck in.Kenneth R Westerback
2017-12-13Simplifiy parser by not worrying about nesting 'interface <if> {}'Kenneth R Westerback
statements. They are silly but harmless and work fine.
2017-12-13getsockname(2) needs to be passed the length of the input struct.Patrick Wildt
ok jca@
2017-12-10add #ifndef SMALL to slaacd.c as needed to fix 'make release'Stefan Sperling
2017-12-10Move privileged initialization from frontend to main process.Florian Obser
Needed for future work where we will spin up children via fork - privdrop - exec. Child processes will no longer come up with root privileges.
2017-12-09Add ACTION_IGNORE and nuke ignored_options, ignored_option_count fieldsKenneth R Westerback
in struct client_config.
2017-12-08When accepting a BOOTP lease, do not leak offered values of leaseKenneth R Westerback
time, renewal time, rebinding time. Use the ACTION_DEFAULT mechanism to set the default expiry time for any lease so gauche as to not provide one. Use the DHCP default lease times for BOOTP leases instead of, bizarrely, shorter times.
2017-12-08Convert snprintf+write into dprintf. It is simply easier to read, andTheo de Raadt
provides retry on short-write file descriptors. ok florian, previous versions seen by millert
2017-12-07Change the SA payload parser to parse more than the first proposal. ThisPatrick Wildt
allows us to select one of the peer's proposals (and not only the first). ok sthen@ hshoexer@
2017-12-07adjust the "timeout" text, now that leases are no longerJason McIntyre
specified in dhclient.conf; ok krw
2017-12-07Set ifi->offer to NULL after free'ing it.Kenneth R Westerback
2017-12-07Nuke support for defining last-gasp leases in dhclient.conf.Kenneth R Westerback
2017-12-07Set the correct ENCAPSULATION_MODE when doing NAT-T.Martin Pieuchot
Fix at least interoperability with Cisco when isakmpd(8) is initiating the connections, originally reported by sebastia@ in 2014. Refreshed diff from and ok hshoexer@, ok sthen@, ok remi@
2017-12-06Disentangle dhclient.conf static lease handling from dynamicKenneth R Westerback
lease handling. Simplifies code and makes it easier to consider excising this 'feature'.
2017-12-05Use clock_gettime(CLOCK_MONOTONIC) to schedule timersJeremie Courreges-Anglas
From Scott Cheloha, ok tb@
2017-12-05When removing duplicate dynamic leases from the cache, compare theKenneth R Westerback
SSID against ifi->ssid, not the SSID of the new lease. They should be the same, but this makes the intent clearer and removes an assumption about the contents of ifi->active.
2017-12-05When sending out a proposal we create an SA/SPI for the Child SAs if wePatrick Wildt
are an initiator and store the information on the proposal, because we only had one proposal so far. This changes the code to only create one SA on the first proposal and then apply the SPI to all other proposals as well. ok markus@
2017-12-04Remove duplicate check that never could execute because the exact samePatrick Wildt
condition is handled a line before.
2017-12-04Consistently log "malformed payload" instead of "payload malformed", andPatrick Wildt
replace "minimal" with "minimum".
2017-12-04Remove check that is now a duplicate due to recent refactoring.Patrick Wildt
2017-12-04The payloads are layered like onions, so you can validate one layer andPatrick Wildt
then call the next one, which can then validate itself. Thing is, most layers try to run validations on the upper layer, which is not useful and rather confusing. This cleans it up. First change is that the generic payload parser does not anymore pass the length of the whole datagram, including all remaining payloads, but passes only the length of the specific payload to the specific payload parser. Second change is that the payload validators don't check the length of the upper layer, but only verify their own lengths. Diff discussed with hshoexer@ and sthen@ Tested by sthen@
2017-12-04change "if (lp &&" to "if lp != NULL &&".Theo Buehler
pointed out by krw
2017-12-04Avoid a NULL-deref in get_recorded_lease() leading to a segfault seenTheo Buehler
by aja and others. ok krw
2017-12-04Initialize variable, otherwise the pointer might contain stack garbage.Patrick Wildt
2017-12-03If we wanted to send out more proposals than just one, we need to set aPatrick Wildt
flag in the SA header that there is another proposal coming. The "more" attribute borrows its values, as specified in the RFC, from IKEv1. ok sthen@
2017-12-03The RFC specifies that to accept a proposal, we must select a transformPatrick Wildt
for each transform type. We do some sanity checks, for instance we do require an encryption transform for ESP, but that's not enough. We need to check that for every proposed transform type we have found a matching transform in our own proposal. ok sthen@
2017-12-03Move timer fields 'expiry" and "rebind" out of struct client_leaseKenneth R Westerback
and into struct interface_info. Nuke set_lease_times().
2017-12-03Abandon nagging about "_" violating RFC 952. This removes the needKenneth R Westerback
for a custom res_hnok(), so just use the libc version of res_hnok(). Requested by deraadt@
2017-12-01The RFC specifies that in an SA payload the proposals must be numberedPatrick Wildt
starting with number 1. Subsequent proposals must be one more than the previous proposal. ok sthen@
2017-12-01Turns out that, as specified in the RFC, the initial Child SA does notPatrick Wildt
do PFS and is assumed to be secured using the DH exchange in the first handshake. Thus there is no KE/N payload in the IKE_AUTH exchange and we must not include a DH group other than None, which essentially means we must not supply any DH transforms in the IKE_AUTH messages. So now we skip adding the DH transforms for initiating and responding to IKE_AUTH messages. ok sthen@
2017-11-30Add support for rejecting IKE SA messages. This means that we can replyPatrick Wildt
to IKE SA INIT messages with no proposal chosen, as we already do for Child SAs. For that the error "adding" is done in a new function shared by both send error handlers. We need two "send error" functions because the init error is unencrypted, while all later ones are not. Now we can add more cases, like Child SA not found or that the DH group is not what we expect. Save the IKE SA INIT responses, even if it's an error message, so we can retransmit it if the response is lost on the way back to the initiator and he tries again. This also helps mitigate DoS attacks as specified in the RFC. Only if it is indeed a new attempt, like after an INVALID KE PAYLOAD response, we can drop the old SA so that iked(8) can attempt to create a new SA. ok sthen@
2017-11-30use the same macro consistently for the various carp balancing modes;Jason McIntyre
2017-11-30no more arp mode for carp; from martin rettbergJason McIntyre
2017-11-29Print_host is used mainly in printf style functions. So do not return NULLClaudio Jeker
instead return "unknown". OK beck@
2017-11-28The divert structure was using the port number to indicate thatAlexander Bluhm
divert-to or divert-reply was active. If the address was also set, it meant divert-to. Divert packet used a separate structure. This is confusing and makes it hard to add new features. It is better to have a divert type that explicitly says what is configured. Adapt the pf rule struct in kernel and pfctl, no functional change. Note that kernel and pfctl have to be updated together. OK sashan@
2017-11-28in auto-allocation, increase size of /usr/src to 1.3G.Sebastian Benoit
Our tree is now 1.1G big. ok florian@, sure deraadt@