Age | Commit message | Author | |
---|---|---|---|
2012-07-08 | set_pid() does not need prompt string, low or high parameters. These are all constants. Independently suggested by guenther@. | Kenneth R Westerback | |
2012-07-08 | Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations. Also include a tweak (with jmc@) to the key size explanation, for completeness sake. ok mikeb@ | Christian Weisgerber | |
2012-07-08 | New attempt to make the -P flag work with -ss, so that states can be printed with port names if desired. tcpdump's pf_print_state.c has diverged significantly from pfctl's, so the change to tcpdump's pf_print_state.c is not exactly the same as pfctl's. ok henning sthen | Lawrence Teo | |
2012-07-08 | Split out an ask_pid() function rather than over-parameterizing the ask_num() function. Remove now unneeded 'flags' and 'help' parameters from both. Display out of range values in hex in ask_pid(), since we are seeking hex input. ok guenther@ | Kenneth R Westerback | |
2012-07-08 | Return EROFS when a read-write mount of a read-only sd(4) device is attempted. This is instead of the current EACCES and is intended to result in better error messages from mount(8). Tweak default EROFS error text to mention fsck'ing in mount_ext2fs and mount_msdos since they both have fsck's like ffs. ok deraadt@ aja@ ian@ phessler@ | Kenneth R Westerback | |
2012-07-08 | Call Xsetpid() to edit the partition type from Xedit() rather than duplicating the code. Allows simplification of the EDIT() #define in Xedit() since we always ASK_DEC and use a NULL help parameter when invoking ask_num(). | Kenneth R Westerback | |
2012-07-08 | if you use nitems() in userland, you must define it yourself; discussed with guenther | Theo de Raadt | |
2012-07-08 | Nuke useless EDIT() #define in Xsetpid. A #define to simplify a function calling snippet does not simplify or help when it is used only once. | Kenneth R Westerback | |
2012-07-08 | Replace tricker atoi() and hand rolled parsing with strsep() and strtonum(). Make related error messages consistent. ok haesbaert@ | Kenneth R Westerback | |
2012-07-07 | copy&paste mistake in error message | Christian Weisgerber | |
2012-07-07 | remove incorrect check in pfctl preventing set-tos for ipvshit. the kernel has code to deal with set-tos and that crap. don't ask for details. stuart ok | Henning Brauer | |
2012-07-07 | rename prio in struct pf_rule and related structs to set_prio so it is utterly clear this is not a filter criteria but a packet modification thing. also preparation for upcoming changes, including one to unscrew this mess (I should not have to touch half the tree for this - ifixitlater) not user visible, ok gcc | Henning Brauer | |
2012-07-07 | Replace atoi() with strtonum() where it's easy. Make related error messages consistent. Check for valid partition when 'select'ing a partition. ok haesbaert@ | Kenneth R Westerback | |
2012-07-05 | don't output "esn" string in the rule section as we can't use the keyword in the grammar to create an esn-enabled rule (no reason to do so for manual sa configuration). instead decode sa flags so that we can also watch changes happening in the realtime with the monitor mode. prompted and ok by naddy | Mike Belopuhov | |
2012-07-05 | when rekeying ike sa copy more info from the old one; fixes the last known iked inter-op problem with windows 7. | Mike Belopuhov | |
2012-07-03 | Improve the key derivation function to produce correct keying material when rekeying IKE SA as specified in the section 2.18 of RFC5996. Makes Windows 7 clients a bit happier. | Mike Belopuhov | |
2012-07-02 | checking state flags make sense only when processing a response | Mike Belopuhov | |
2012-07-02 | augment every sa_free call with a debugging log message | Mike Belopuhov | |
2012-07-02 | Don't close IKE SA immediately after creating a new one when rekeying. Instead set a timeout that will shut it down in case we don't get an SA delete notification. | Mike Belopuhov | |
2012-07-02 | a state machine is not worth the trouble when you've got a flag. doh! | Mike Belopuhov | |
2012-06-30 | enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP; ok mikeb@ | Christian Weisgerber | |
2012-06-29 | Add missing ESN bits | Mike Belopuhov | |
2012-06-29 | Print esn flag when dumping SAs with ESN enabled | Mike Belopuhov | |
2012-06-28 | prevent salt_len overflow; reported by andrew nelless, ok otto, tedu | Mike Belopuhov | |
2012-06-27 | leftover code re-enqueued the same item on the list multiple times | Mike Belopuhov | |
2012-06-27 | prevent an endless loop | Mike Belopuhov | |
2012-06-26 | Add some more paranoia and make code clearer. Check that the required length field for the option is present before using it. Reject lease if no length field is present. | Kenneth R Westerback | |
2012-06-26 | RFC 2132 says "Options containing NVT ASCII data SHOULD NOT include a trailing NULL; however, the receiver of such options MUST be prepared to delete trailing nulls if they exist." So delete (all) trailing NUL's when parsing NVT ASCII options. Should fix odd results when 'append'ing info to such options via dhclient.conf. FreeBSD commit to fix 'append' logic in a different way pointed out by brad. | Kenneth R Westerback | |
2012-06-26 | improve ikev2_msg_retransmit_timeout | Mike Belopuhov | |
2012-06-26 | close SA when IKE_SA_INIT or IKE_AUTH exchanges fail; don't cache the response to IKE_SA_INIT. | Mike Belopuhov | |
2012-06-26 | compare exchange types as well when looking up a message; proceed with a response only when the appropriate request is found. | Mike Belopuhov | |
2012-06-25 | log all, not log-all; ok henning | Jason McIntyre | |
2012-06-24 | Nuke interface_link_status() (check media status only) and use interface_status() (check IFF_UP|IFF_RUNNING and media status). The interface is forced up when dhclient starts so the flags should be correct. Thanks to guenther@ for pointing out the original raison d'etre of the difference between the two. | Kenneth R Westerback | |
2012-06-22 | Add initial support for retransmission timeouts and response retries. This should still be considered an experimental work in progress. | Mike Belopuhov | |
2012-06-22 | decouple timer initialization from timer_register | Mike Belopuhov | |
2012-06-22 | Two 'ioctl() < 0' -> 'ioctl() == -1'. guenther@ says they're odd. | Kenneth R Westerback | |
2012-06-22 | Set state to S_REBOOTING when calling state_reboot() and set state inside state_reboot() to S_INIT when calling state_init(). Rather than the other way around. Makes for more consistent idiom and might reduce state confusion. | Kenneth R Westerback | |
2012-06-20 | Cancel all timeouts in state_reboot(), since we can get there from any state if a link state change happens. Fixes a problem where we'd continue to send (corrupted) discover packets after binding. ok krw@ | Mark Kettenis | |
2012-06-20 | no more boot_mac68k(8); | Jason McIntyre | |
2012-06-20 | more mac68k bits for the attic | Matthew Dempsky | |
2012-06-20 | Delete some more SUBDIR += mac68k. | Matthew Dempsky | |
2012-06-04 | Rounding up a number of bytes in a bignum returned by the BN_num_bytes() has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@ | Mike Belopuhov | |
2012-06-01 | revert previous, breaks tcpdump; spotted by jmc@ | Jonathan Gray | |
2012-06-01 | Make the -P flag work with -ss, so that states can be printed with port names if desired. ok henning | Lawrence Teo | |
2012-05-31 | Clarify issues del (bridge command) vs delete (IP address command); documentation not fixed after ifconfig/brconfig merge spotted by Pieter Verberne ok camield | Theo de Raadt | |
2012-05-31 | Let quotacheck work with duid based fstab. Missed one open() -> opendev() from Rogier Krieger's original diff. Found by and fix tested by dlg@ | Kenneth R Westerback | |
2012-05-30 | more timer changes | Mike Belopuhov | |
2012-05-30 | when changing peer's address in the SA, remove the old entry from the tree before doing the actual change, otherwise we won't remove anything for real. also add the newly created SA to the peer's tree so that initiator timer will treat the ike policy as "in progress". | Mike Belopuhov | |
2012-05-30 | pass a file descriptor in the msg_fd instead of a function argument | Mike Belopuhov | |
2012-05-29 | Fix tyop in error message; this was copied from/to umount(8)'s umount.c which was just fixed. | Jasper Lievisse Adriaanse | |