Age | Commit message | Author |
in the names of the respective parsing functions.
No object change.
parse_number('L') since it is parsing unsigned 32bit integers.
match grammar comments and improve euphony.
since it's never used; ok guenther@
exchange that we initiated, we are not allowed to respond to such
a msg. Also we don't need the DH check in ikev2_sa_initiator_dh() as
it's only called when we initiate, so the check would not run, or when
we get a Create Child SA response, where an error should only lead to
us having another attempt at an exchange.
Found by and ok markus@
for it. Removes the need to install a dhclient.conf for a default
configuration.
Install script simplification to follow.
General enthusiasm. ok millert@ benno@ tom@ ian@
inside 'lease {}' declarations. We don't keep leases from
multiple interfaces in dhclient.leases.<if> files.
One less thing to parse and keep in memory. More rope for
those wanting to do unspeakable things with their lease files.
partitioning scheme.
ok florian@ benno@
and move all lease parsing into parse_lease().
functions and fields to more obvious names reflecting this
separation.
statements. They are silly but harmless and work fine.
ok jca@
Needed for future work where we will spin up children via
fork - privdrop - exec. Child processes will no longer come
up with root privileges.
in struct client_config.
time, renewal time, rebinding time. Use the ACTION_DEFAULT mechanism
to set the default expiry time for any lease so gauche as to not
provide one. Use the DHCP default lease times for BOOTP leases instead
of, bizarrely, shorter times.
provides retry on short-write file descriptors.
ok florian, previous versions seen by millert
allows us to select one of the peer's proposals (and not only the first).
ok sthen@ hshoexer@
specified in dhclient.conf;
ok krw
Fix at least interoperability with Cisco when isakmpd(8) is initiating
the connections, originally reported by sebastia@ in 2014.
Refreshed diff from and ok hshoexer@, ok sthen@, ok remi@
lease handling. Simplifies code and makes it easier to
consider excising this 'feature'.
From Scott Cheloha, ok tb@
SSID against ifi->ssid, not the SSID of the new lease. They
should be the same, but this makes the intent clearer and removes
an assumption about the contents of ifi->active.
are an initiator and store the information on the proposal, because we
only had one proposal so far. This changes the code to only create one
SA on the first proposal and then apply the SPI to all other proposals
as well.
ok markus@
condition is handled a line before.
replace "minimal" with "minimum".
then call the next one, which can then validate itself. Thing is, most
layers try to run validations on the upper layer, which is not useful
and rather confusing. This cleans it up.
First change is that the generic payload parser does not anymore pass
the length of the whole datagram, including all remaining payloads, but
passes only the length of the specific payload to the specific payload
parser. Second change is that the payload validators don't check the
length of the upper layer, but only verify their own lengths.
Diff discussed with hshoexer@ and sthen@
Tested by sthen@
pointed out by krw
by aja and others.
ok krw
flag in the SA header that there is another proposal coming. The "more"
attribute borrows its values, as specified in the RFC, from IKEv1.
ok sthen@
for each transform type. We do some sanity checks, for instance we do
require an encryption transform for ESP, but that's not enough. We need
to check that for every proposed transform type we have found a matching
transform in our own proposal.
ok sthen@
and into struct interface_info. Nuke set_lease_times().
for a custom res_hnok(), so just use the libc version of res_hnok().
Requested by deraadt@
starting with number 1. Subsequent proposals must be one more than the
previous proposal.
ok sthen@
do PFS and is assumed to be secured using the DH exchange in the first
handshake. Thus there is no KE/N payload in the IKE_AUTH exchange and
we must not include a DH group other than None, which essentially means
we must not supply any DH transforms in the IKE_AUTH messages. So now
we skip adding the DH transforms for initiating and responding to
IKE_AUTH messages.
ok sthen@
to IKE SA INIT messages with no proposal chosen, as we already do for
Child SAs. For that the error "adding" is done in a new function shared
by both send error handlers. We need two "send error" functions because
the init error is unencrypted, while all later ones are not. Now we can
add more cases, like Child SA not found or that the DH group is not what
we expect.
Save the IKE SA INIT responses, even if it's an error message, so we can
retransmit it if the response is lost on the way back to the initiator
and he tries again. This also helps mitigate DoS attacks as specified
in the RFC. Only if it is indeed a new attempt, like after an INVALID
KE PAYLOAD response, we can drop the old SA so that iked(8) can attempt
to create a new SA.
ok sthen@
instead return "unknown".
OK beck@
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@
Our tree is now 1.1G big.
ok florian@, sure deraadt@