Age | Commit message | Author
---|---|---
2020-12-13 | Make sure flow src and dst addresses have the same address family. ok patrick@ | tobhe
2020-12-11 | The keyword "any" does not actually work properly for traffic selectors. To match all traffic use 0.0.0.0/0 or ::/0. ok patrick@ | tobhe
2020-12-11 | Introduce query_imsg2str() to simplify printing "qname class type". OK kn some time ago | Florian Obser
2020-12-11 | The recent fix to handle large answers in unwind (errata #5 for 6.8) has the downside to always copy the maximum IMSG size (about 16k) between the resolver and frontend process for DNS answers because we had to keep it as simple as possible. We can now rearrange things in -current to be less wasteful. This copies only the usually small DNS answer. In the unusual case that a DNS answer is larger than the maximum IMSG size, fragment the message and send multiple IMSGs. | Florian Obser
2020-12-11 | Warning: arithmetic on a pointer to void is a GNU extension; merged upstream. | Florian Obser
2020-12-11 | Sprinkle in some static to prevent missing prototype warnings; merged upstream. | Florian Obser
2020-12-11 | sync to libunbound 1.13.0. Support for channel reuse of TCP and TLS (DoT) streams should improve latency when the DoT strategy is used in unwind. | Florian Obser
2020-12-11 | pass down the `skip' flag to the mountfs() function in the case of manually mounting a device which is not present in fstab(5) so that the `-s' flag can be used in this case as well. ok millert@, deraadt@ | Robert Nagy
2020-12-10 | Simplify '-i' handling, failing immediately during command line parsing when an invalid option name is encountered. | Kenneth R Westerback
2020-12-10 | Print valid ikesa/childsa configuration at startup. Comma separated transforms are not supported. ok patrick@ | tobhe
2020-12-07 | synproxy should be processing incoming SYN packets only. issue noticed by sthen@. fix discussed with bluhm@ and procter@ OK bluhm@, kn@, procter@ | Alexandr Nedvedicky
2020-12-06 | Oops. Missed chunk in previous. fatal() immediately when parsing command line option '-c' reveals a non-existent file. Original diff, tweaks & ok kn@ | Kenneth R Westerback
2020-12-06 | Add support for RSASSA-PSS signature verification (RFC 7427). ok patrick@ | tobhe
2020-12-06 | fatal() immediately when parsing command line option '-c' reveals a non-existent file. Original diff, tweaks & ok kn@ | Kenneth R Westerback
2020-12-05 | Make len unsigned. ok patrick@ | tobhe
2020-12-04 | Log pfkey type and message length on write failure. | tobhe
2020-12-03 | Fix type mismatch. auth_method should be uint8_t. ok markus@ | tobhe
2020-12-02 | The skip steps must be set up for each attribute independently, otherwise the wrong rules might be skipped, e.g. if you have policies with different listen addresses that are not sorted by address family. ok patrick@ | tobhe
2020-12-01 | Don't log ESRCH as warning. | tobhe
2020-12-01 | Sync get_ifrdomain() to rad(8) version by removing a useless (void) cast in front of a strlcpy(3). tb@ had pointed out that the use in rad(8) was not consistent. I consider the void cast a useless annotation; either the strl* functions must have the canonical truncation check or it must be obvious that truncation cannot happen or is not a problem. While at it remove a bunch more casts that snuck in over time. | Florian Obser
2020-12-01 | Extract another couple of chunks from main() into helper functions, get_routefd() and set_user(). | Kenneth R Westerback
2020-11-30 | We need to rekey every child SA (even if acquired): Otherwise we can get out of sync with the peer and the peer would keep on using the expired SA because the lifetime is not negotiated. ok patrick@ | tobhe
2020-11-29 | Add 'set stickyaddress' option. If this option is enabled, iked will try to assign the same 'config address' when an IKESA is negotiated with the DSTID of an existing IKESA. The original IKESA will be closed and the address will be transferred to the new IKESA. ok patrick@ | tobhe
2020-11-29 | Fix previous; we need to set the icmp6ev in the interface to NULL, otherwise we are referencing the wrong one when the rdomain changes. Sorry for not spotting it earlier. | Florian Obser
2020-11-28 | improve legibility of the newly introduced unref_icmp6ev() before this code gets copied around; ok florian@ | Christian Weisgerber
2020-11-28 | Add support for multiple address pools. The parser already allows specifying multiple pools; make ikev2_cp_setaddr() iterate over the pools to find a matching address. ok patrick@ | tobhe
2020-11-28 | An interface might have disappeared or switched rdomains while we waited for a FD. It's not a fatal condition if it arrives late. OK tb | Florian Obser
2020-11-28 | Reduce code duplication by introducing unref_icmp6ev(). OK tb | Florian Obser
2020-11-28 | Handle the case of an autoconf interface changing its rdomain. To avoid code duplication have get_icmp6ev_by_rdomain() either return an existing icmp6ev in the correct rdomain or allocate one. OK tb | Florian Obser
2020-11-27 | Remove redundant state change. ikev2_ikesa_delete() sets the correct state. | tobhe
2020-11-27 | Shuffle code relating to initializing the physical interface and the internal structure reflecting the interface into a function that in turn calls simple helper functions to do the different actions involved. Simplifies the overly lengthy main(), correctly starts the state machine with the state of the interface link as DOWN when IFF_UP is 0, tests more initialization actions when '-n' is used. | Kenneth R Westerback
2020-11-26 | Use a counter instead of random IV for AES-GCM. Security depends on choosing a unique IV for every encryption operation; using a counter as IV eliminates the risk of random collisions. ok markus@ patrick@ | tobhe
2020-11-25 | Fix proposal error handling. If a proposal contains an unknown transform type or id, ignore the proposal instead of failing the exchange. ok patrick@ | tobhe
2020-11-25 | Teach route(8) about the names of the IEEE80211_F_* flags. | Kenneth R Westerback
2020-11-25 | When processing proposed static routes (inc. default route) ignore routes that are already present, neither deleting nor re-adding them. | Kenneth R Westerback
2020-11-24 | Fix duplicate sa->sa_cp assignment. | tobhe
2020-11-23 | Ignore duplicate sigsha2 notify, don't fail the exchange. | tobhe
2020-11-22 | Fix comment typo. | tobhe
2020-11-21 | No need to update ifi->state just before setting quit to TERMINATE. Check quit != TERMINATE before trying to open leases file. | Kenneth R Westerback
2020-11-21 | Clean up NATT hack. Pass 'frompeer' as parameter instead of manipulating msg header to get the correct addresses and spis. ok patrick@ | tobhe
2020-11-21 | No need to update resolv.conf when renewing a lease does not result in any configuration changes. | Kenneth R Westerback
2020-11-21 | When REBOOT'ing it is necessary to apply_defaults() to the recorded lease and use the updated values to initialize ifi->expiry and ifi->rebinding. Fixes odd behaviour, bouncing the link in particular, when using dhclient.conf to change the lease renew/rebind/expiry timing, e.g. when debugging wifi interface behaviour. | Kenneth R Westerback
2020-11-20 | The default lease rebind time is 7 * (expiry/8), not 8 * (expiry/7). | Kenneth R Westerback
2020-11-20 | add -s to synopsis and usage; -S before -s in options list; | Jason McIntyre
2020-11-20 | Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used. ok patrick@ | tobhe
2020-11-19 | Avoid spurious resolv.conf updates when 1) The RTM_PROPOSAL telling unwind(8) about DNS servers is seen. 2) The interface is in the process of getting a new or renewed lease. 3) The default route is not UP. Edge cases discovered while debugging urtwn(4) link bouncing. | Kenneth R Westerback
2020-11-19 | More sa cleanup + constify. ok patrick@ | tobhe
2020-11-18 | Constify sa in ikev2_pld_eap(). The parser code must not change any sa or policy state; this should help make it clearer. ok patrick@ | tobhe
2020-11-18 | Recognize get_link_ifa() failure (a.k.a. "invalid interface") as a fatal error in interface_state() as it is elsewhere. Avoids any possible NULL pointer dereference. | Kenneth R Westerback
2020-11-18 | No need to call get_hw_address() from interface_state() since the appropriate ifa is already known and ifi->rdomain does not need to be updated because a change of rdomain causes a link bounce and thus reinitialization of ifi. One less invocation of getifaddrs() during route message processing. | Kenneth R Westerback