src - OpenBSD base system

Age	Commit message (Collapse)	Author
2011-01-29	no need for fopen, when opendev gives us a perfectly good fd.	Ted Unangst
	from "maurice"
2011-01-28	improve behavior of drop_sa: always negotiating a new child sa; ok reyk	Mike Belopuhov

2011-01-26	Don't initiate any connections in passive mode, not even for ACQUIRE messages	Reyk Floeter
	from the PFKEY socket. This is needed for sasyncd. ok mikeb@
2011-01-26	get rid of acquire flows completely, as they tend to pass traffic	Mike Belopuhov
	when there's no sa established (as pointed out by reyk). instead use require mode feature to send acquires from the kernel. this allows us to get rid of the code that changes flow mode to acquire and keep all installed flows in the tree and save up on some code that deals with renegotiation. also several entities were renamed (iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas, ikev2_acquire -> ikev2_acquire_sa). ok reyk
2011-01-26	enable child sas and do sa and flow transfer after succeeding with	Mike Belopuhov
	all the preparation steps. don't forget to change {flow,csa}_ikesa pointers when transefing to a different ike sa. ok reyk
2011-01-25	fixup child sa deletion in drop_sa; ok reyk	Mike Belopuhov

2011-01-24	fixup previous for the responder mode	Mike Belopuhov

2011-01-23	'pfctl -x none' did not turn debugging off. Skip the syslog internal	Alexander Bluhm
	"no priority" priority named "none". This makes 'pfctl -x none' equivalent to 'pfctl -x crit'. ok mcbride@ henning@
2011-01-21	repair rekeying by sending appropriate traffic selector; ok reyk	Mike Belopuhov

2011-01-21	don't use memcmp on comparing two iked_addrs but IKED_ADDR_EQ.	Reyk Floeter
	ok mikeb@
2011-01-21	- Fix traffic selector configuration that it is always "from $localnet	Reyk Floeter
	to $peernet" and not depending on the initiator/responder mode. - Remove the flow hash calculated but not used anymore. ok mikeb@
2011-01-21	Remove misleading error message.	Reyk Floeter
	ok mikeb@
2011-01-21	don't create child sas from empty proposals.	Reyk Floeter
	ok mikeb@
2011-01-21	handle empty encrypted payloads (might happen with some informationals)	Reyk Floeter
	ok mikeb@
2011-01-21	tweak previous;	Jason McIntyre

2011-01-21	Reimplement the iked(8) policy evaluation for incoming connections to	Reyk Floeter
	use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details. The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code. ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
2011-01-21	split pfkey initialization into a privileged and unprivileged part to	Reyk Floeter
	prevent a possible crash. ok mikeb@
2011-01-18	reyk noticed that my rb-tree-fu is not that great. fixup compare function	Mike Belopuhov
	to do exact matches; ok reyk
2011-01-17	silence stupid gcc warning by initializing a variable with NULL.	Reyk Floeter

2011-01-17	Add initial acquire mode support and use it whenever Windows peers decide	Mike Belopuhov
	to drop Child SA based on the inactivity timer. In this case we instruct the kernel to send us an acquire message upon receiving a packet for those hosts and initiate a Child SA creation exchange ourselves. ok reyk
2011-01-17	move mask2prefixlen functions to the util module; ok reyk	Mike Belopuhov

2011-01-12	postpone processing of pfkey messages received in pfkey_reply instead of	Mike Belopuhov
	just dropping them; ok reyk
2011-01-12	decouple flow deletion from the ikev2_childsa_delete; ok reyk	Mike Belopuhov

2011-01-12	fixup bogus check; ok reyk	Mike Belopuhov

2011-01-12	don't forget to specify spi sizes; ok reyk	Mike Belopuhov

2010-12-31	According to pf_scrub_ip6() pf does not support the scrub options	Alexander Bluhm
	no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and document it in pf.conf(5). ok henning@ jmc@
2010-12-29	Fix swapctl -A with DUIDs in /etc/fstab, and plug a small memory leak.	Stefan Sperling
	ok jsing@ (who also pointed out a DPADD tweak missing from my diff)
2010-12-23	pick netmask instead of address when we mean it; found by dhill, ok reyk	Mike Belopuhov

2010-12-23	always add a none payload, should fix ike sa rekeying for responders; ok reyk	Mike Belopuhov

2010-12-23	spelling fixes; from Daniel Dickman	Jason McIntyre

2010-12-22	move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because	Reyk Floeter
	it is too specific to be in util.c. This will allow to link util.c into ikectl later without all the other dependencies of pritn_id().
2010-12-22	split util.c into two files: imsg_util.c for ibuf/imsg stuff and util for	Reyk Floeter
	everything else. we might need to include util.c in ikectl later. sure mikeb@
2010-12-22	ikev2 rfc was recently updated, so list the newer one; ok reyk	Mike Belopuhov

2010-12-22	Tweak the grammar a little bit by requiring a "bytes" keyword before the	Reyk Floeter
	bytes value ("lifetime 123 bytes 456" instead of "lifetime 123 456").
2010-12-22	Fix a little control socket bug, as discussed with mikeb@	Reyk Floeter

2010-12-22	-s carries the same caveat as -p; from Jiri B.	Jason McIntyre
	ok krw
2010-12-22	child sa rekeying revamp plus numerous bugfixes;	Mike Belopuhov
	with suggestions and OK from reyk
2010-12-21	Convert netmask from sockaddr to prefixlen correctly as noticed	Mike Belopuhov
	by axel rau, axel dot rau at chaos1 dot de. The actual convert functions are taken from bgpd(8). OK reyk
2010-12-21	fixup log_warn and log_debug arguments; ok reyk	Mike Belopuhov

2010-12-18	remove david as author. he is not to blame for the current C implementation.	Ted Unangst
	ok david
2010-12-18	add some off_t and ssize_t love; ok stsp millert	Theo de Raadt

2010-12-17	Add missing util.h include for opendev()	Todd C. Miller

2010-12-15	make the "invalid probability:" yyerror suck less	Henning Brauer
	From: Thomas Pfaff <tpfaff@tp76.info>
2010-12-13	stray tabs and spaces	Marco Peereboom

2010-12-13	stray tab	Marco Peereboom

2010-12-09	When looking up an SA based on peer address, also check the port	Martin Hedenfal
	number. Without this, isakmpd deletes SAs from the same IP on an INITIAL-CONTACT message, possibly deleting unrelated NATed tunnels. Fixes PR 5562. Verified by Mikolaj Kucharski. ok mikeb@
2010-12-03	disklabel now uses "duid", not "uid";	Jason McIntyre

2010-12-01	Allow add a -s switch to make bioctl read the passphrase from stdin. Handy	Chris Kuethe
	for scripting a big batch of remote unlocks. ok marco
2010-12-01	Clarify the internal ibuf API: rename ibuf_copy() to ibuf_get() because	Reyk Floeter
	it returns a new buffer from the internal read offset like stdio get functions do and not the same buffer when it is called multiple times. Also rename the old ibuf_get() to ibuf_getdata() because it returns a "special" data type and it matches the stdio get* conventions. pointed out by mikeb@
2010-12-01	remove some unused tokens	Jonathan Gray
	ok henning@ mcbride@