Age | Commit message | Author |
|
Remove -Werror to give code a greater chance of building.
ok deraadt@ florian@
|
|
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@
|
|
|
|
See RFC 5996, section 2.23, NAT Traversal:
In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it
means that the system receiving the NAT_DETECTION_DESTINATION_IP
payload is behind a NAT and that system SHOULD start sending
keepalive packets as defined in [UDPENCAPS].
With markus@, ok reyk@
|
|
scanning the used inode map. The code as written assumes inosused
is signed but this is no longer the case. OK deraadt@
|
|
|
|
|
|
group related functions in kroute.c together and comment them a bit.
No intentional functional change.
|
|
priv_write_resolv_conf() and move the latter into kroute.c
with all its priv_ friends.
No intentional functional change.
|
|
i.e. open FILE during program setup and use the FILE created for
the rest of the program lifetime after dropping privilege and
pledge()'ing. No need for passing messages to the priv process.
Tweak lease file handling a bit in passing.
Monitoring the -L file with external programs like sysutils/entr
still works.
Looks good to sthen@.
|
|
ok mikeb
|
|
unsigned.
While there, fix a whitespace issue.
OK deraadt@
|
|
win.
No intentional functional change.
|
|
'int' -> 'unsigned int' (and vice versa) where obvious.
Steal a couple of 'unsigned' -> u_int32_t from reyk@'s dhcrelay
tweaks.
No intentional functional change.
|
|
strlcat(). Shorter, clearer, fewer signed vs unsigned questions.
Use an 8K static buffer for pretty_print_classless() and use it
rather than scribbling intermediate values into the final destination.
No intentional functional change.
|
|
strlcat(). Shorter, clearer, fewer signed vs unsigned questions.
Shrink static buffer for the string version of an option value from
32K to 8K. Since the string version of the entire lease is constructed
in an 8K buffer, bigger option values are pointless.
Use 8K of the saved space for a static buffer for pretty_print_string()
and use it rather than scribbling intermediate values into the final
destination.
No intentional functional change.
|
|
change.
|
|
changes needed (yet).
|
|
|
|
usage every time we think of a new way to use this;
-= bits from anton lindqvist
ok tb tom
|
|
|
|
I've omitted hunk 3 of his diff, as what's there now is correct;
ok mikeb
|
|
Replaces forcing interface link state down and up to generate
RTM_IFINFO messages.
|
|
are. Track and use the actual lengths and use memcpy()/memcmp()
instead of strcmp()/strdup().
|
|
OK deraadt@, millert@
|
|
be used to return the final size of the parsed (i.e. un-vis'ed)
string. Use same, plus memcpy() to ensure entire final string is
copied to intended destination even if there are embedded NULs.
|
|
Push the un-vising up to parse_string(). This allows both the actual
string and the un-vised version to be available as desired. Use
memcpy() instead of strdup() to copy un-vised string since it may
legitimately contain NUL.
|
|
some logic.
|
|
|
|
Started by, and ok, deraadt@
|
|
"expecting a string". Things other than filenames are parsed here.
|
|
to make sure we do not run ikev2_msg_cleanup() on an uninitialized stack
variable.
ok deraadt@ reyk@
|
|
This is currently only visible in debug mode (e.g. iked -dvv), some
debug messages will be turned into regular warnings later.
OK claudio@ deraadt@
|
|
This lets us configure explicit old-style RSA again.
OK mikeb@
|
|
iked starts sending keepalive messages after authentication and after
successfully completing the handshake. Other implementations, like
we've seen on Microsoft Azure, start sending keepalive messages right
after receiving the first SA_INIT message when they set up the key
material, even before we received the SA_INIT response to complete the
DH exchange. The solution is to ignore early keepalive messages
before we're ready to encrypt our response, in the transition between
SA_INIT and AUTH. The peer should still accept one or more missed
keepalives.
OK mikeb@
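The two keepalive-related messages above (a host that sees a mismatching NAT_DETECTION_DESTINATION_IP hash starts sending NAT-keepalives, and a peer that starts them before the initiator has its keys must not be treated as sending garbage) both come down to how datagrams on UDP/4500 are framed and when a keepalive may be acted on. The following is an added example, not iked code: it classifies UDP/4500 datagrams the way RFC 3948 frames them and gates keepalives on a three-state IKE SA model that is an assumption for illustration (iked's real state machine is more detailed).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IKE_HDR_LEN 28

/* Assumed three-state model: keys exist only from IKESA_AUTH on. */
enum ike_state {
	IKESA_INIT,		/* IKE_SA_INIT exchanged, keys not yet derived */
	IKESA_AUTH,		/* ready to encrypt, IKE_AUTH in progress */
	IKESA_ESTABLISHED
};

enum pkt_kind { PKT_KEEPALIVE, PKT_IKE, PKT_ESP, PKT_INVALID };

enum action {
	ACT_DROP_INVALID,
	ACT_IGNORE_EARLY_KEEPALIVE,	/* peer is early: drop silently, no error */
	ACT_KEEPALIVE,			/* peer refreshed its NAT mapping */
	ACT_IKE,
	ACT_ESP
};

static uint32_t
be32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
	    (uint32_t)p[2] << 8 | p[3];
}

/* RFC 3948: a single 0xFF octet is a NAT-keepalive; four zero octets (the
 * non-ESP marker) precede an IKE header; anything else is UDP-encapsulated
 * ESP, whose SPI is never zero.  The IKE length field must match the
 * datagram so a truncated header is rejected here, not parsed later. */
static enum pkt_kind
classify_udp4500(const uint8_t *buf, size_t len)
{
	if (len == 1 && buf[0] == 0xff)
		return PKT_KEEPALIVE;
	if (len < 8)				/* shorter than ESP SPI + seq */
		return PKT_INVALID;
	if (be32(buf) == 0) {
		if (len < 4 + IKE_HDR_LEN || be32(buf + 4 + 24) != len - 4)
			return PKT_INVALID;
		return PKT_IKE;
	}
	return PKT_ESP;
}

static enum action
handle_udp4500(enum ike_state st, const uint8_t *buf, size_t len)
{
	switch (classify_udp4500(buf, len)) {
	case PKT_KEEPALIVE:
		/* Before keys exist we cannot answer anything; just ignore. */
		return st == IKESA_INIT ? ACT_IGNORE_EARLY_KEEPALIVE : ACT_KEEPALIVE;
	case PKT_IKE:
		return ACT_IKE;
	case PKT_ESP:
		return ACT_ESP;
	default:
		return ACT_DROP_INVALID;
	}
}

/* Constructed sample datagrams, not captures. */
static const uint8_t sample_keepalive[] = { 0xff };
static const uint8_t sample_ike_sa_init[] = {
	0, 0, 0, 0,				/* non-ESP marker */
	1, 2, 3, 4, 5, 6, 7, 8,			/* IKE SPIi */
	0, 0, 0, 0, 0, 0, 0, 0,			/* IKE SPIr: none yet */
	33, 0x20, 34, 0x08,			/* next=SA, v2.0, IKE_SA_INIT, I flag */
	0, 0, 0, 0,				/* message ID */
	0, 0, 0, IKE_HDR_LEN			/* length: header only */
};
static const uint8_t sample_esp[] = {
	0, 0, 0x10, 0x01, 0, 0, 0, 1,		/* SPI, sequence number */
	0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11
};
static const uint8_t sample_truncated_ike[] = { 0, 0, 0, 0, 1, 2, 3, 4 };

int
main(void)
{
	printf("keepalive during SA_INIT -> action %d, after AUTH -> action %d\n",
	    handle_udp4500(IKESA_INIT, sample_keepalive, sizeof(sample_keepalive)),
	    handle_udp4500(IKESA_AUTH, sample_keepalive, sizeof(sample_keepalive)));
	printf("ike=%d esp=%d truncated=%d\n",
	    classify_udp4500(sample_ike_sa_init, sizeof(sample_ike_sa_init)),
	    classify_udp4500(sample_esp, sizeof(sample_esp)),
	    classify_udp4500(sample_truncated_ike, sizeof(sample_truncated_ike)));
	return 0;
}
```

The point of returning a distinct ACT_IGNORE_EARLY_KEEPALIVE rather than folding it into the invalid case is that an early keepalive is expected peer behaviour and must not count against the peer or be logged as a parse failure.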
|
|
-1 means "I didn't handle or know this imsg", it should not be used to
indicate an application error in this context.
OK mikeb@
|
|
found by Klemens Nanni
|
|
When tearing an IKE SA down, the DH group referred to by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.
With and OK reyk
|
|
|
|
We reach an imsg payload limit with just a few traffic selectors
so in order to load more we need to split them up and send separately.
Suggested and OK reyk
|
|
|
|
Diff from markus@
OK mikeb@ patrick@
|
|
This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.
OK patrick@ mikeb@
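The initiator-side COOKIE handling described above has two halves: pull the cookie out of the responder's IKE_SA_INIT reply, then retry with that cookie as the first payload of the new request (RFC 7296 section 2.6). The following is an added example, not iked's implementation; the sample response is constructed, and the wire formats and constants (generic payload header, Notify payload layout, COOKIE = 16390, 1 to 64 octets of cookie data) are those of RFC 7296.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

#define IKE_HDR_LEN	28
#define PAYLOAD_NONE	0
#define PAYLOAD_SA	33
#define PAYLOAD_NOTIFY	41
#define NOTIFY_COOKIE	16390		/* RFC 7296 3.10.1 */
#define COOKIE_MAX	64		/* cookie data is 1..64 octets */

struct cookie { uint8_t data[COOKIE_MAX]; size_t len; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Walk the unencrypted payload chain of an IKE_SA_INIT response for a
 * COOKIE notify: 1 = found, 0 = absent, -1 = malformed.  Every length is
 * checked against the buffer before it is used. */
static int
find_cookie(const uint8_t *msg, size_t len, struct cookie *ck)
{
	size_t off = IKE_HDR_LEN, plen = 0, dlen;
	uint8_t np, next = PAYLOAD_NONE;

	if (len < IKE_HDR_LEN || be32(msg + 24) != len)
		return -1;
	for (np = msg[16]; np != PAYLOAD_NONE; np = next, off += plen) {
		if (off + 4 > len)
			return -1;
		next = msg[off];			/* generic payload header */
		plen = be16(msg + off + 2);
		if (plen < 4 || plen > len - off)
			return -1;
		if (np != PAYLOAD_NOTIFY)
			continue;
		if (plen < 8)				/* proto, SPI size, type */
			return -1;
		if (be16(msg + off + 6) != NOTIFY_COOKIE)
			continue;
		dlen = plen - 8;
		if (msg[off + 4] != 0 || msg[off + 5] != 0 ||	/* COOKIE carries no SPI */
		    dlen < 1 || dlen > COOKIE_MAX)
			return -1;
		memcpy(ck->data, msg + off + 8, dlen);
		ck->len = dlen;
		return 1;
	}
	return 0;
}

/* The retried IKE_SA_INIT carries the COOKIE notify as its first payload;
 * `first` is the type that previously followed the header (normally SA) so
 * the chain stays intact, and the caller sets the header's next-payload
 * field to PAYLOAD_NOTIFY.  Returns bytes written or -1. */
static ssize_t
build_cookie_notify(uint8_t *out, size_t outsz, const struct cookie *ck, uint8_t first)
{
	size_t plen = 8 + ck->len;

	if (ck->len < 1 || ck->len > COOKIE_MAX || outsz < plen)
		return -1;
	out[0] = first;
	out[1] = 0;				/* critical bit clear, reserved */
	out[2] = (uint8_t)(plen >> 8);
	out[3] = (uint8_t)plen;
	out[4] = 0;				/* protocol ID */
	out[5] = 0;				/* SPI size */
	out[6] = NOTIFY_COOKIE >> 8;
	out[7] = NOTIFY_COOKIE & 0xff;
	memcpy(out + 8, ck->data, ck->len);
	return (ssize_t)plen;
}

/* Extract the responder's cookie and return the length of the notify we
 * would reflect; 0 if none was sent, -1 on a malformed response. */
static ssize_t
reflected_cookie_len(const uint8_t *resp, size_t resplen)
{
	struct cookie ck;
	uint8_t out[8 + COOKIE_MAX];
	int r = find_cookie(resp, resplen, &ck);

	return r <= 0 ? r : build_cookie_notify(out, sizeof(out), &ck, PAYLOAD_SA);
}

/* Constructed (not captured) IKE_SA_INIT response carrying only a COOKIE,
 * which is what a loaded responder returns instead of its own SA/KE/Nr. */
static const uint8_t sample_cookie_response[] = {
	1, 2, 3, 4, 5, 6, 7, 8,		/* SPIi echoed */
	0, 0, 0, 0, 0, 0, 0, 0,		/* SPIr zero: no SA created yet */
	PAYLOAD_NOTIFY, 0x20, 34, 0x20,	/* next payload, v2.0, IKE_SA_INIT, R flag */
	0, 0, 0, 0,			/* message ID */
	0, 0, 0, IKE_HDR_LEN + 24,	/* total length */
	PAYLOAD_NONE, 0, 0, 24,		/* notify: next, reserved, length */
	0, 0, NOTIFY_COOKIE >> 8, NOTIFY_COOKIE & 0xff,
	'c', 'o', 'o', 'k', 'i', 'e', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9'
};

int
main(void)
{
	printf("reflected notify length: %zd (truncated response: %zd)\n",
	    reflected_cookie_len(sample_cookie_response, sizeof(sample_cookie_response)),
	    reflected_cookie_len(sample_cookie_response, sizeof(sample_cookie_response) - 1));
	return 0;
}
```

Note that the cookie is opaque to the initiator: it is stored and copied back byte for byte, and the only things worth validating are the lengths and the absence of an SPI.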
|
|
These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.
Original diff from markus@ with patches from mikeb@ and me.
OK mikeb@ patrick@
|
|
Replaces incorrect manual emulation of vis() for single, double and
back quotes, dollar signs and back slashes. Just use vis() with
VIS_ALL for these characters.
Should fix problem reported by robert@ with SSIDs containing back
slash.
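Two of the dhclient commits above share a theme: values such as SSIDs are written to the lease file through vis(3) so that quotes, backquotes, dollar signs and backslashes cannot break the parser, and when they are read back the un-vis'ed result may legitimately contain NUL bytes, so its length has to be tracked and the bytes copied with memcpy() rather than strdup(). The following is an added example, not dhclient or libc code: a deliberately small stand-in for vis(3)/strunvis(3) that escapes the same characters as \ooo octal (an assumption standing in for VIS_ALL | VIS_OCTAL), and a round trip that shows exactly how many bytes strdup() would silently drop.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Escape quotes, backquote, '$', backslash and every non-printable byte. */
static int
needs_escape(unsigned char c)
{
	return c < 0x20 || c > 0x7e || strchr("\\'\"`$", c) != NULL;
}

/* Encode src[0..srclen) as a NUL-terminated visual string.  Returns the
 * encoded length (excluding the NUL) or -1 if dst cannot hold it. */
static ssize_t
vis_buf(char *dst, size_t dstsz, const unsigned char *src, size_t srclen)
{
	size_t i, o = 0;

	for (i = 0; i < srclen; i++) {
		unsigned char c = src[i];

		if (!needs_escape(c)) {
			if (o + 1 >= dstsz)
				return -1;
			dst[o++] = (char)c;
			continue;
		}
		if (o + 4 >= dstsz)
			return -1;
		dst[o++] = '\\';
		dst[o++] = (char)('0' + ((c >> 6) & 7));
		dst[o++] = (char)('0' + ((c >> 3) & 7));
		dst[o++] = (char)('0' + (c & 7));
	}
	dst[o] = '\0';
	return (ssize_t)o;
}

/* Decode a visual string to raw bytes.  Returns the decoded length, which
 * is what callers must use instead of strlen(), or -1 on a bad or truncated
 * escape.  Only \ooo with exactly three octal digits is accepted. */
static ssize_t
unvis_buf(unsigned char *dst, size_t dstsz, const char *src)
{
	size_t i = 0, o = 0;

	while (src[i] != '\0') {
		if (o >= dstsz)
			return -1;
		if (src[i] != '\\') {
			dst[o++] = (unsigned char)src[i++];
			continue;
		}
		if (src[i + 1] < '0' || src[i + 1] > '3' ||	/* stops at a NUL too */
		    src[i + 2] < '0' || src[i + 2] > '7' ||
		    src[i + 3] < '0' || src[i + 3] > '7')
			return -1;
		dst[o++] = (unsigned char)(((src[i + 1] - '0') << 6) |
		    ((src[i + 2] - '0') << 3) | (src[i + 3] - '0'));
		i += 4;
	}
	return (ssize_t)o;
}

/* 1 if raw encodes exactly to expected, else 0. */
static int
encodes_to(const unsigned char *raw, size_t rawlen, const char *expected)
{
	char enc[128];

	return vis_buf(enc, sizeof(enc), raw, rawlen) >= 0 && strcmp(enc, expected) == 0;
}

/* Decoded length of a visual string, -1 if malformed. */
static ssize_t
decoded_length(const char *vis)
{
	unsigned char raw[128];

	return unvis_buf(raw, sizeof(raw), vis);
}

/* Round-trip raw through both functions, then report how many trailing
 * bytes strdup() would lose by stopping at the first embedded NUL; -1 if
 * the round trip does not reproduce the input. */
static ssize_t
bytes_lost_to_strdup(const unsigned char *raw, size_t rawlen)
{
	char enc[128];
	unsigned char dec[128];
	const unsigned char *nul;
	ssize_t n;

	if (vis_buf(enc, sizeof(enc), raw, rawlen) < 0)
		return -1;
	n = unvis_buf(dec, sizeof(dec), enc);
	if (n < 0 || (size_t)n != rawlen || memcmp(dec, raw, rawlen) != 0)
		return -1;
	nul = memchr(dec, '\0', rawlen);
	return nul == NULL ? 0 : (ssize_t)(rawlen - (size_t)(nul - dec));
}

int
main(void)
{
	/* constructed SSID-like value with a backslash and an embedded NUL */
	static const unsigned char ssid[] = { 'a', 'b', '\\', 'c', '\0', 'd' };
	char enc[128];

	vis_buf(enc, sizeof(enc), ssid, sizeof(ssid));
	printf("encoded: %s\ndecoded length: %zd, bytes strdup() would lose: %zd\n",
	    enc, decoded_length(enc), bytes_lost_to_strdup(ssid, sizeof(ssid)));
	return 0;
}
```

The encoded form is plain printable ASCII, so the lease file stays parseable whatever the network hands out; the decoder's explicit length is what lets the caller memcpy() the whole value, embedded NUL included.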
|
|
consistent and easier to identify, as outlined here:
- FAT12: FAT12 (01h)
- FAT16: FAT16S (04h), FAT16B (06h), FAT16L (0Eh)
- FAT32: FAT32 (0Bh), FAT32L (0Ch)
Nothing in our tree is looking at the strings being replaced for anything
but printing them out, only to the numerical ids taken from disklabel.h
ok krw@, jmc@
|
|
Pointed out by florian@.
ok bluhm@
|
|
ok mikeb@ reyk@
|
|
warn with the same severity. Switch log_warn() to LOG_ERR and keep
fatal() at LOG_CRIT.
OK reyk@ florian@
|
|
No functional change.
ok deraadt@ tb@
|