Age | Commit message | Author
---|---|---
2020-10-09 | More unused headers. | tobhe
2020-10-09 | Remove unused "wait.h" includes. | tobhe
2020-10-07 | Fix display of P2P link to be consistent over all AF. OK kn@, input from claudio@ | denis
2020-10-07 | Reverse previous, needs discussion. | denis
2020-10-07 | Fix display of P2P link to be consistent over all AF. | denis
2020-10-06 | Always allocate hash_keylength() for buffers passed to hash_final() to make sure there is enough space for the non-truncated hash output. | tobhe
2020-10-05 | Only handle AUTHENTICATION_FAILED for IKE_AUTH and INFORMATIONAL exchanges. Reply to INFORMATIONAL messages with AUTHENTICATION_FAILED before deleting the SA. ok markus@ | tobhe
2020-10-03 | React to DELETE notifications only in INFORMATIONAL messages and move the logic closer to the other INFORMATIONAL payloads. Add some more sanity checks while we're at it. ok patrick@ | tobhe
2020-10-02 | Send AUTH_FAILED in ikev2_ike_auth_recv() if the message did not contain an AUTH payload and the policy does not use EAP authentication. ok patrick@ | tobhe
2020-10-02 | Plug leak of 'str': at the end of the strsep() loop it is NULL, so freeing it is a no-op. Leak detected by my experimental malloc leak detector. ok florian@ | Otto Moerbeek
2020-10-01 | Skip DELETE payload responses only after they are validated. ok patrick@ | tobhe
2020-10-01 | Teach wsconsctl about astfb(4). | Mark Kettenis
2020-10-01 | rdomain IDs do not need to exist for "on rdomain N" to work. Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet state and will always work no matter if rdomain N currently exists or not, i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if rdomain 42 exists, and it will simply not match (neither pass nor block) packets if 42 does not exist. There's no need to reload the ruleset whenever routing domains are created or deleted, which can already be observed now by creating an rdomain, loading rules referencing it and deleting the same rdomain immediately afterwards: pf will continue to work as expected. Relax both pfctl(8)'s parser check and pf(4)'s copyin routine to accept any valid routing domain ID without expecting it to exist at the time of ruleset creation - this lifts the requirement to create rdomains before referencing them in pf.conf while keeping pf behaviour unchanged. Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable to exist upon ruleset creation. Discussed with claudio and bluhm at k2k20. Feedback sashan. OK sashan yasuoka claudio | kn
2020-10-01 | Only count the proper node types. Avoid out-of-bound access for large filesystems. From FreeBSD. ok millert@ | Otto Moerbeek
2020-09-30 | Don't accept AUTH payloads with invalid auth_method 0. Fixes duplicate AUTH payload detection. ok patrick@ | tobhe
2020-09-30 | Don't accept ID payloads with ID type IKEV2_ID_NONE. 0 is not a valid type and triggers undesired edge cases. ok patrick@ | tobhe
2020-09-30 | Don't leak sa->sa_peerauth.id_buf. ok patrick@ | tobhe
2020-09-29 | Check ibuf_seek() return value. ok patrick@ | tobhe
2020-09-28 | Revert a wording change that was made in revision 1.05, which was reverting a change made in 1.03: bioctl -d is "detaching" and not "deleting" a volume. | solene
2020-09-26 | Cleanup msg_eap in ikev2_msg_cleanup(). | tobhe
2020-09-25 | Simplify RB_TREE cleanup loops. ok markus@ | tobhe
2020-09-24 | Cleanup logging, print SPIs where it makes sense. | tobhe
2020-09-23 | Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/. ok patrick@ | tobhe
2020-09-21 | Fix reassembly of out-of-order fragments. Always take the nextpld field from the IKE header of fragment #1, not the first received fragment. ok patrick@ | tobhe
2020-09-21 | Missing space for '-i interval' option error message. From <piotr (at) durlej (dot) net>. Thanks! | Marcus Glocker
2020-09-19 | Add SHA2_384 and SHA2_512 to default proposals. ok patrick@ | tobhe
2020-09-18 | Fix memory leak in 'n->name'. | tobhe
2020-09-17 | With the multi rdomain support, slaacd now sees all icmpv6 packets and filters in userland. But the packet type check was placed at the wrong place, so the hoplimit check was done against every icmpv6 packet, but not all of them have a hoplimit constraint. Tested and ok by me, committed on behalf of florian@ | Sebastien Marie
2020-09-17 | Fix the previous commit whose conditions were reversed. ok kn | YASUOKA Masahiko
2020-09-17 | Set retransmit timeout for DELETE message on the replaced SA, not on the replacement. ok markus@ | tobhe
2020-09-17 | Do not send DELETE messages for closing SAs. ok markus@ | tobhe
2020-09-17 | Make pfctl(8) check if the rtable really exists when parsing the config. Work with and diff from kn. ok kn | YASUOKA Masahiko
2020-09-17 | Merge IKEV2_EXCHANGE_CREATE_CHILD_SA and IKEV2_EXCHANGE_INFORMATIONAL cases. | tobhe
2020-09-16 | Move all the EAP logic from a single branch in the message parsing code to somewhere past successful message verification, closer to where the other exchanges are handled. EAP is still special, but this fits a lot better into the overall architecture. Tested with iOS, Strongswan and Windows. ok patrick@ sthen@ | tobhe
2020-09-16 | Fix EAP authentication if the initiator sends no certificate request. The locally configured request is used as fallback to find a certificate or key to send. The local auth method for MSCHAP-V2 should be IKEV2_AUTH_SIG_ANY, which defaults to X509 certificates, instead of raw RSA keys. Tested with Strongswan, iPhone and Windows. Found by and ok sthen@, ok patrick@ | tobhe
2020-09-15 | "Route show" and "netstat -r" provide formatting for routing tables with sufficient space to display v4 addresses cleanly, but which truncate v6 addresses. The -n flag on each already provides additional column width for IPv6 addresses. Make this formatting the default. OK phessler kn | pamela
2020-09-15 | umb(4) shows the speed of the LTE connection but misses the b in Mbps. OK kettenis@ | Claudio Jeker
2020-09-14 | We might race against removal of an rdomain we just want to handle. Make setsockopt non-fatal in this case and just ignore the request. Spotted in a diff by reyk for rad(8); discussed with claudio | Florian Obser
2020-09-14 | Let slaacd handle all rdomains in a single daemon. Suggested by claudio and matthieu. Testing matthieu. Putting it in now to get enough testing before release so that there is enough time to back it out, suggested by deraadt | Florian Obser
2020-09-12 | When an interface disappears we need to forget the learned autoconf resolvers. OK kn | Florian Obser
2020-09-09 | Delete dead code. | tobhe
2020-09-08 | Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matching the CERTREQ is found, don't wait for more requests. Correctly set type if cert was found as fallback. ok patrick@ | tobhe
2020-09-06 | Drop redundant else for readability. | tobhe
2020-09-05 | Use peer from policy, not from the acquire message. | tobhe
2020-09-05 | Initialize flow_dir and flow_saproto so policy_test() can find the policy on acquire. | tobhe
2020-09-04 | INFORMATIONAL and CREATE_CHILD_SA exchanges cannot be initiated at the same time. | tobhe
2020-09-03 | Log OCSP url on connection failure. | tobhe
2020-09-02 | Add 30s timeout for OCSP requests. ok patrick@ | tobhe
2020-09-01 | Log SPIs to make it easier to map OCSP messages to SAs. | tobhe
2020-09-01 | Make OCSP response status logging less verbose. | tobhe