Age | Commit message (Collapse) | Author |
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
alternative to X.509 CA verification. this will be needed to support public
key authentication like isakmpd does; a few bits are still missing.
|
|
the smaller implementation from iked that is using libcrypto instead.
This allows to remove a lot of code (which is always good), get rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows to share the dh.c/dh.h code in different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).
ok deraadt@
|
|
|
|
ok henning@ krw@
|
|
|
|
- 'make -Fi' reset ALL the interface statistics
can be restricted with -i ifname
- 'make -Fa -i ifname' fail (it's meaningless)
- get rid of a silly little struct that's only used for one thing
ok henning
|
|
That isn't the case. eg thorn, Cyrillic_CHE, L2_tcedilla, L5_scedilla and
L7_zcaron has the same (0xfe). So you have a 20% chance to get the right
output from wsconsctl.
Use the ksym name to decide which ksyms isn't Latin-1. Store that information
in the ksym tables. The use the keyboard encoding to make an educated guess
of which character to return.
Let say your encoding is pl. You have Latin-2 characters in the map.
Then check first for Latin-2 characters if none found try Latin-1.
ok miod@
-moj
|
|
|
|
ok claudio@
|
|
lookup a cert from /etc/iked/certs/ that is signed by a requested CA.
As a second step we also compare the subjectAltName of any found
certificate now to match the local srcid; this allows to have multiple
certs for the same CA but different srcids in the certs/ directory but
enforces that the subjectAltName has to be set correctly.
requested by jsg@
|
|
|
|
|
|
peer Id if the Id type is not ASN1_DN. If it is ASN1_DN, compare it
with the certificate subjectName (DN). This prevents the peer from
using an arbitrary peer Id (it is signed by the CA in the cert) and
qualifies the optional pf tag.
|
|
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.
|
|
|
|
|
|
the similar changes to dhcpd.
|
|
|
|
previous parse.y change.
|
|
OK deraadt, reyk
|
|
|
|
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.
|
|
while here, change ping6 to use strtonum instead of strtol.
OK claudio@
|
|
it is violating the transactional model we have and made stronger in
pf, it is broken in some cases and since some options are passed to the
kernel while some are userland only and affect how the rules are
parsed it is complete bullshit anyway - obviously, changing options
that affect ruleset parsing without reloading and thus reparsing the
ruleset cannot work. so stop pretending it could and cut the crap.
ok dlg krw deraadt
|
|
|
|
ec521 -> ecp521). this matches the common naming for ec groups better.
|
|
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.
|
|
|
|
using opendev(3) first and then trying /dev/bio if that failed. Also use
opendev(3) when getting device numbers for softraid.
ok marco@
|
|
blockcheck() since we try to stat() the UID. This means that we fail to
reload the mount if we have indeed cleaned the read-only root file system.
To avoid this, rerun blockcheck() if the real name is different to the
original device name, once we have opened the device with opendev(3).
ok krw@ thib@
|
|
|
|
|
|
|
|
|
|
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.
It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.
|
|
|
|
|
|
|
|
|
|
ok reyk@
|
|
|
|
|